SpoofSentrySpoofSentry
Start Free Trial

Trust Center

Security, compliance, and data handling at SpoofSentry. We build enterprise-grade controls so you can trust us with your email security.

System Status
Real-time component health and uptime
Procurement Pack
DPA, security overview, and questionnaires
Report a Vulnerability
Responsible disclosure program

Security Controls

Encryption

  • TLS 1.3 for all data in transit
  • AES-256 encryption at rest (GCP managed keys)
  • Fernet encryption for sensitive fields
  • Channel binding on database connections

Authentication

  • OIDC and SAML 2.0 SSO
  • SCIM 2.0 automated provisioning
  • MFA / TOTP with recovery codes
  • WebAuthn / passkey support
  • Magic link passwordless login
  • IP allowlist per tenant

Authorization

  • 91 RBAC permissions across 8 roles and 28 resource types
  • 90 row-level security (RLS) policies
  • API key scoping with rate limits
  • Privileged access management (PAM)
  • Two-person approval for critical actions

Audit & Monitoring

  • 440+ audit event types
  • Tamper-evident audit trail
  • SIEM integration (Splunk, Elastic, Sentinel, Datadog)
  • Real-time security event forwarding
  • Exportable audit logs for compliance

Tenant Isolation

  • Row-level security at database layer
  • Tenant-scoped API keys and sessions
  • Cross-tenant protection middleware
  • VPC-scoped network egress
  • Separate MSSP/customer RBAC roles

Infrastructure

  • Google Cloud Run (serverless, auto-scaling)
  • Cloudflare WAF with OWASP ruleset
  • DDoS protection at edge
  • Non-root containers with restricted writable paths (limited to /tmp)
  • Secret Manager for all credentials
  • Automated secret rotation monitoring

Compliance Frameworks

SpoofSentry generates compliance evidence bundles and control mappings for these frameworks. Enterprise customers can export evidence directly from the platform. These are internal evidence packages — independent third-party audit reports are listed separately where available.

1
SOC 2 Type II
SOC 2-aligned evidence available
2
ISO 27001
Control mappings available
3
NIST CSF
Control mappings available
4
PCI-DSS v4.0
Control mappings available
5
HIPAA
BAA available
6
CISA BOD 18-01
Control mappings available
7
NIS2
Control mappings available
8
NCSC CAF
Control mappings available
9
ASD Essential Eight
Control mappings available

Data Handling

Primary RegionUS (GCP us-central1, Neon us-east-1)
Data at RestAES-256 encrypted (Google-managed keys)
Data in TransitTLS 1.3 with channel binding
Retention (Free)7 days
Retention (Protect)30 days
Retention (Enforce)90 days
Retention (Enterprise)365 days
Data ExportFull account export via API (GDPR Art. 15/20)
Data DeletionAccount deletion with audit log preservation
BackupNeon 7-day PITR + GCS object versioning

Data Residency

SpoofSentry currently operates in the US region. The table below shows where each data class is stored and what is configurable.

Data ClassCurrent RegionConfigurable
Application database (PostgreSQL)US (Neon us-east-1)No
Compute & APIUS (GCP us-central1)No
Report & evidence storageUS (GCS us-central1)No
CDN & WAF edge cacheGlobal (Cloudflare)N/A — no PII cached
Payment dataUS (Stripe)No
Transactional emailAU / US (ZeptoMail)No
AI processing (optional)US (Anthropic)Opt-out available

Multi-region deployment is not currently available. For specific data residency requirements, contact [email protected].

Subprocessors

ProviderPurposeLocation
Google Cloud PlatformApplication hosting, compute, storageUS (us-central1)
NeonPostgreSQL databaseUS (us-east-1)
CloudflareCDN, DDoS protection, WAFGlobal edge
StripePayment processingUS
ZeptoMail (Zoho)Transactional email deliveryAU / US
AnthropicAI-powered sender classification (optional)US

Last updated: April 2026. Changes to this list are communicated to affected customers 30 days in advance.

Security Contact

To report a vulnerability or request security documentation:

[email protected]
Trust Center | SpoofSentry | SpoofSentry