Security

How we keep regulated data safe.

A summary of our architecture, encryption model, and operational security commitments. Customers can request the full security whitepaper, threat model, and most recent penetration test report under NDA.

Architecture

A multi-tenant data plane that behaves like a single tenant.

Tenant data is isolated at every layer — storage namespace, encryption key, network policy, and request-routing context. A tenant can never read, write, or even enumerate another tenant's objects, by construction.

  • Per-tenant KMS key wrapping
  • Per-tenant storage namespace and IAM policy
  • Workload-identity-based service mesh; no shared service accounts
  • Every request carries a signed tenant context that propagates end-to-end

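The last bullet, a signed tenant context that every hop re-verifies, is the control that stops a storage or routing layer from trusting a tenant ID taken from a request body or path. The block below is an added example and not this product's own code: it assumes a `tenant|request|expiry` payload format, an HMAC-SHA256 signing key shared by the edge and the internal services, and a `tenants/<id>` storage-namespace convention, all constructed here for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// TenantContext is the claim minted once at the edge and carried on every hop.
type TenantContext struct {
	TenantID  string
	RequestID string
	ExpiresAt int64 // Unix seconds
}

func (c TenantContext) payload() string {
	return c.TenantID + "|" + c.RequestID + "|" + strconv.FormatInt(c.ExpiresAt, 10)
}

func mac(key []byte, payload string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Sign mints "tenant|request|exp.sig" (assumed format). Field values may not
// contain the separators, otherwise a crafted ID could shift field boundaries.
func Sign(key []byte, c TenantContext) (string, error) {
	if strings.ContainsAny(c.TenantID+c.RequestID, "|.") {
		return "", errors.New("identifier contains a separator")
	}
	p := c.payload()
	return p + "." + mac(key, p), nil
}

// Verify is what every downstream service runs before touching tenant state.
// now is injected so expiry can be tested deterministically.
func Verify(key []byte, token string, now time.Time) (TenantContext, error) {
	dot := strings.LastIndexByte(token, '.')
	if dot < 0 {
		return TenantContext{}, errors.New("malformed token")
	}
	payload, sig := token[:dot], token[dot+1:]
	// Constant-time compare, and reject before parsing anything unauthenticated.
	if !hmac.Equal([]byte(sig), []byte(mac(key, payload))) {
		return TenantContext{}, errors.New("bad signature")
	}
	parts := strings.Split(payload, "|")
	if len(parts) != 3 {
		return TenantContext{}, errors.New("malformed payload")
	}
	exp, err := strconv.ParseInt(parts[2], 10, 64)
	if err != nil {
		return TenantContext{}, err
	}
	if !now.Before(time.Unix(exp, 0)) {
		return TenantContext{}, errors.New("context expired")
	}
	return TenantContext{TenantID: parts[0], RequestID: parts[1], ExpiresAt: exp}, nil
}

// AuthorizeNamespace is the storage-layer check: the namespace being touched
// must belong to the tenant named in the verified context, never to a tenant
// ID copied from the request body or path.
func AuthorizeNamespace(c TenantContext, namespace string) error {
	if namespace != "tenants/"+c.TenantID {
		return fmt.Errorf("context for %s does not authorize namespace %s", c.TenantID, namespace)
	}
	return nil
}

func main() {
	key := []byte("constructed-demo-signing-key") // constructed; a real key comes from the KMS
	tok, _ := Sign(key, TenantContext{"tenant-a", "req-1", time.Now().Add(time.Minute).Unix()})
	c, err := Verify(key, tok, time.Now())
	fmt.Println(c, err, AuthorizeNamespace(c, "tenants/tenant-b"))
}
```

Two design points matter more than the token format: the signature is checked before any field is parsed, so nothing unauthenticated influences control flow, and the namespace check derives the tenant from the verified context rather than from anything else in the request. A context whose tenant field has been swapped, whose expiry has passed, or which was minted under a different key fails verification outright.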
Encryption

AES-256-GCM at rest, TLS 1.3 in transit, BYOK on every paid plan.

We use authenticated symmetric encryption everywhere. Keys are rotated automatically on a 90-day cadence; customer-managed keys can be rotated on your schedule via your KMS. We never persist unwrapped data keys.

  • AES-256-GCM for object encryption
  • TLS 1.3 only on public endpoints (TLS 1.2 deprecated 2026-Q1)
  • HSM-backed master keys (FIPS 140-3 cryptographic modules on Gov plan)
  • Customer-managed keys via AWS KMS, GCP KMS, Azure Key Vault, HashiCorp Vault

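The key hierarchy this section and the FAQ describe (a per-object data key, wrapped by a tenant key, wrapped by a master key held in an HSM, with unwrapped data keys never persisted) is envelope encryption, and the properties claimed above follow from how the layers are bound together. The block below is an added example, not this product's code: it uses AES-256-GCM from the Go standard library at every layer, stands in a plain byte slice for the HSM- or customer-KMS-held master key, and binds each wrapped key to its tenant through GCM's additional authenticated data, all of which are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// StoredObject is all the data plane persists: no plaintext key is part of it.
type StoredObject struct {
	TenantID   string
	WrappedDEK []byte // per-object DEK sealed under the tenant KEK
	Ciphertext []byte // nonce||ct||tag, sealed under the DEK
}

// Tenant holds its KEK only in wrapped form under the master key.
type Tenant struct {
	ID         string
	WrappedKEK []byte
}

// mustRandom returns n CSPRNG bytes; an unavailable CSPRNG is not recoverable here.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// tenantAAD binds wrapped keys and ciphertexts to one tenant identity.
func tenantAAD(id string) []byte { return []byte("tenant:" + id) }

// seal returns nonce||ciphertext||tag under AES-256-GCM with a fresh random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, altered bytes or a different AAD all fail.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// NewTenant generates a 256-bit tenant KEK and keeps it wrapped under the master key.
func NewTenant(masterKey []byte, id string) (Tenant, error) {
	wrapped, err := seal(masterKey, mustRandom(32), tenantAAD(id))
	return Tenant{ID: id, WrappedKEK: wrapped}, err
}

// EncryptObject: fresh DEK per object, object sealed under the DEK, DEK sealed
// under the tenant KEK; the plaintext DEK and KEK exist only in this frame.
func EncryptObject(masterKey []byte, t Tenant, plaintext []byte) (StoredObject, error) {
	kek, err := open(masterKey, t.WrappedKEK, tenantAAD(t.ID))
	if err != nil {
		return StoredObject{}, fmt.Errorf("unwrap tenant KEK: %w", err)
	}
	dek := mustRandom(32)
	ct, err := seal(dek, plaintext, tenantAAD(t.ID))
	if err != nil {
		return StoredObject{}, err
	}
	wrappedDEK, err := seal(kek, dek, tenantAAD(t.ID))
	return StoredObject{TenantID: t.ID, WrappedDEK: wrappedDEK, Ciphertext: ct}, err
}

// DecryptObject unwraps downward under the caller's tenant context. Another
// tenant's KEK cannot unwrap the DEK, and a KEK presented under a forged tenant
// ID already fails at the master-key layer because the AAD differs.
func DecryptObject(masterKey []byte, t Tenant, obj StoredObject) ([]byte, error) {
	kek, err := open(masterKey, t.WrappedKEK, tenantAAD(t.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap tenant KEK: %w", err)
	}
	dek, err := open(kek, obj.WrappedDEK, tenantAAD(t.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap object DEK: %w", err)
	}
	return open(dek, obj.Ciphertext, tenantAAD(t.ID))
}

func main() {
	master := mustRandom(32) // constructed stand-in for the HSM-held master key
	t, _ := NewTenant(master, "tenant-a")
	obj, _ := EncryptObject(master, t, []byte("constructed sample record"))
	fmt.Println(DecryptObject(master, t, obj))
}
```

The persisted record carries only ciphertext and the wrapped data key, so "never persist unwrapped data keys" is a property of the data model rather than a process rule. Rotating the tenant key or the master key means re-wrapping the layer below it, not re-encrypting every object, which is what makes a 90-day cadence or customer-driven rotation practical. In a BYOK deployment the master-key layer would be a KMS call with the tenant AAD as the encryption context, and the plaintext KEK would never leave the KMS's release path.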
Operational security

Production access is the exception, not the default.

No engineer has standing access to customer data. All production access is just-in-time, multi-party approved, time-bound, and recorded. Background-checked staff only; all access events are exported to your SIEM if you choose.

  • Just-in-time access with multi-party approval
  • Hardware-key-only SSH; no passwords anywhere in production
  • Session recording for every break-glass action
  • Quarterly access reviews; annual third-party penetration test

FAQ

Common security questions

What encryption do you use?
AES-256-GCM at rest and TLS 1.3 in transit. Every object is encrypted with a per-object data key, wrapped by a tenant key, wrapped by a master key held in an HSM. Customer-managed keys are available on every paid plan.
Do you have access to my plaintext?
Not when you use BYOK. With BYOK enabled, decryption requires a key release from your KMS — we never see plaintext or the unwrapped data key. Without BYOK, decryption happens transiently in our enclave and is never persisted.
What is your incident response process?
Severity-tiered runbooks with a documented 1-hour customer notification SLA for confirmed P1 incidents affecting customer data. All P0–P2 incidents trigger a post-incident report shared with affected customers within 10 business days.
Where can I find your SBOM?
We publish an SPDX-format SBOM for every release. Customers on Enterprise and Government plans can subscribe to webhook notifications when component CVEs are filed.
Do you support coordinated disclosure?
Yes — see security.txt for our PGP key and reporting policy. We commit to acknowledging reports within 2 business days and patching critical issues within 30 days.

Want the full security package?

Readiness package, penetration test summary, SBOM, and DPA — available under NDA on request.