Legal & Compliance

Technical & Organizational Measures (TOMs)

SuperSend implements technical and organizational measures to protect personal data and ensure the security of our platform. This document outlines our security safeguards in accordance with GDPR Article 32.

Version: v2026-07
Last Updated: July 6, 2026

1. Encryption & Data Protection

  • Data in transit: TLS encryption for HTTPS, API, and database connections.
  • Data at rest: Google Cloud Platform default encryption for databases and object storage.
  • Application secrets stored in GCP Secret Manager.
  • Redis (GCP Memorystore) operates within private VPC networking.

2. Access Control

  • Role-based access control (RBAC) across systems and Kubernetes workloads.
  • Administrative access to production infrastructure and source control uses Google Workspace single sign-on with mandatory two-factor authentication (2-Step Verification).
  • Unique individual user accounts; shared administrative accounts are not used for production systems.
  • Service accounts limited to least-privilege permissions.

3. Application Security

  • Pull-request code review and dependency updates as part of the development process.
  • Security headers (e.g. HSTS, XSS protection) on the API via Helmet.
  • Application error monitoring via Sentry; centralized logging via Grafana/Loki.
  • Third-party penetration testing is not performed on a fixed schedule; it may be conducted for enterprise engagements upon request.

4. Business Continuity & Disaster Recovery

  • Daily automated backups of critical databases (GCP Cloud SQL) with 30-day retention.
  • Recovery Time Objective (RTO): < 4 hours (internal target).
  • Recovery Point Objective (RPO): < 24 hours (internal target).
  • Business continuity and disaster recovery measures are documented in this policy.

5. Vendor & Sub-processor Management

  • Sub-processors vetted for ISO 27001/SOC 2 and GDPR compliance where applicable.
  • Sub-processor register reviewed and updated when vendors change; customers notified at least 30 days before new sub-processors process their data, per applicable DPAs.
  • Public list available at supersend.io/legal/subprocessors.

6. Incident Response

  • Automated monitoring and alerting via Sentry, Grafana/Loki, and Prometheus metrics.
  • Escalation channels for high-severity incidents.
  • Customer notification within 72 hours of a confirmed data breach affecting their data, where legally required.
Last Updated July 6, 2026 | GDPR Compliance v2026-07

Cold email that lands. At any volume.

Dedicated servers, senders, warmup, and monitoring, all managed by SuperSend so the volume actually delivers.

Sending millions of cold emails a month for our customers