Technical & Organizational Measures (TOMs)

SuperSend implements comprehensive technical and organizational measures to protect personal data and ensure the security of our platform. This document outlines our security safeguards in accordance with GDPR Article 32.

Version: v2025-10
Last Updated: October 20, 2025

1. Encryption & Data Protection

  • Data in transit: TLS 1.3 for all connections (HTTPS, API, database).
  • Data at rest: AES-256 encryption for databases and file storage.
  • Database connections secured via TLS; Redis connections encrypted.
  • Encryption keys managed through Google Cloud KMS with automatic rotation.

2. Access Control

  • Role-based access control (RBAC) across systems and Kubernetes workloads.
  • Multi-factor authentication required for all privileged accounts.
  • Service accounts limited to least-privilege permissions.

3. Application Security

  • Regular vulnerability scans and code reviews.
  • Annual third-party penetration testing.
  • Web security headers (CSP, HSTS, XSS protection) enforced by default.
  • Continuous monitoring for anomalies and failed authentication attempts.

4. Business Continuity & Disaster Recovery

  • Daily automated backups (30-day retention).
  • Recovery Time Objective (RTO): < 4 hours.
  • Recovery Point Objective (RPO): < 24 hours.
  • Documented BC/DR plan reviewed annually.

5. Vendor & Sub-processor Management

  • Sub-processors vetted for ISO 27001/SOC 2 and GDPR compliance.
  • Annual vendor risk review and DPA verification.
  • Public list available at supersend.io/legal/subprocessors.

6. Incident Response

  • 24/7 monitoring and alerting for security events.
  • Dedicated escalation channels for high-severity incidents.
  • Customer notification within 72 hours of confirmed data breach.