SOC 2 status.
Straight answer, because it's the first thing security teams ask: Nitrosend is not SOC 2 certified yet. Certification is in progress. This page explains exactly what that means, what's true today, and how to evaluate us in the meantime.
What is SOC 2?
SOC 2 is an independent audit framework defined by the AICPA. A Type II report verifies that a company's security controls don't just exist on paper but operate effectively over a sustained observation period, typically 3 to 12 months. That observation window is why no company founded recently can hold a Type II report on day one: the clock only starts once controls are in place and an auditor is watching.
Where we're up to
Nitrosend was founded in March 2026. We're working through SOC 2 Type II certification now, and we'll publish the report on this page when it's issued. We won't claim the badge before the auditor says so.
What's already true today:
- All of our cloud infrastructure is SOC 2 certified. AWS (hosting and email delivery), Stripe (payments), Cloudflare (edge security), and Vercel (frontend) each hold current SOC 2 reports, and AWS and Cloudflare hold ISO 27001 as well.
- The controls SOC 2 audits are how we already operate: encryption in transit and at rest, least-privilege production access, scoped and revocable API keys, audit logging, and continuous monitoring with real-time alerting.
- The platform is GDPR compliant and complies with the Australian Privacy Act 1988.
- Your data is never sold and never shared with third parties to train their AI models. Full detail on the security page.
Evaluating Nitrosend before the report lands
Most vendor risk processes can approve a supplier on the strength of a completed security questionnaire and a signed DPA. We turn both around quickly:
- Security questionnaires. Send yours to [email protected].
- Data Processing Agreement. Signed on request, covering GDPR and Australian Privacy Act obligations.
- Engineering access. For deeper diligence we'll put our engineers in front of your security team.
We're a startup backed by Archangel and East End Ventures, and our founding team previously built and ran SmartrMail, an ESP trusted by 28,000+ businesses. We've operated under customer security reviews for years. we know the drill, and we'd rather over-share than polish.
Frequently asked questions
When will Nitrosend be SOC 2 certified?
When the audit completes, and not a day before we can prove it. We'll publish the report here. If you want to be notified, email [email protected] and we'll let you know the moment it's issued.
Is a SOC 2 report legally required to use an email platform?
No law requires your ESP to hold SOC 2. It's a procurement standard, not a regulation. Your actual legal obligations (GDPR, Australian Privacy Act, Spam Act, CAN-SPAM) are covered: see GDPR compliance.
Who audits Nitrosend's infrastructure?
Our infrastructure providers are audited independently: AWS, Stripe, Cloudflare, and Vercel each publish SOC 2 reports available under NDA from those vendors.
Contact
Vendor reviews, questionnaires, or SOC 2 questions: [email protected]