SOC 2 status.

Last updated: 12 June 2026

Straight answer, because it's the first thing security teams ask: Nitrosend is not SOC 2 certified yet. Certification is in progress. This page explains exactly what that means, what's true today, and how to evaluate us in the meantime.

What is SOC 2?

SOC 2 is an independent audit framework defined by the AICPA. A Type II report verifies that a company's security controls don't just exist on paper but operate effectively over a sustained observation period, typically 3 to 12 months. That observation window is why no company founded recently can hold a Type II report on day one: the clock only starts once controls are in place and an auditor is watching.

Where we're up to

Nitrosend was founded in March 2026. We're working through SOC 2 Type II certification now, and we'll publish the report on this page when it's issued. We won't claim the badge before the auditor says so.

What's already true today:

Evaluating Nitrosend before the report lands

Most vendor risk processes can approve a supplier on the strength of a completed security questionnaire and a signed DPA. We turn both around quickly:

We're a startup backed by Archangel and East End Ventures, and our founding team previously built and ran SmartrMail, an ESP trusted by 28,000+ businesses. We've operated under customer security reviews for years. we know the drill, and we'd rather over-share than polish.

Frequently asked questions

When will Nitrosend be SOC 2 certified?

When the audit completes, and not a day before we can prove it. We'll publish the report here. If you want to be notified, email [email protected] and we'll let you know the moment it's issued.

Is a SOC 2 report legally required to use an email platform?

No law requires your ESP to hold SOC 2. It's a procurement standard, not a regulation. Your actual legal obligations (GDPR, Australian Privacy Act, Spam Act, CAN-SPAM) are covered: see GDPR compliance.

Who audits Nitrosend's infrastructure?

Our infrastructure providers are audited independently: AWS, Stripe, Cloudflare, and Vercel each publish SOC 2 reports available under NDA from those vendors.

Contact

Vendor reviews, questionnaires, or SOC 2 questions: [email protected]