Security you can put in a procurement review.
We treat every event as sensitive until proven otherwise. Encryption in transit and at rest, least-privilege access, and a principled consent model are baked into the platform.
Data in transit
TLS 1.2+ on every endpoint. HSTS enforced. Certificates managed via Cloudflare with automated rotation.
Data at rest
AES-256 for stored secrets. Postgres volumes encrypted. Object storage (R2/S3) with per-bucket KMS keys.
Authentication
SuperTokens-backed auth with MFA, passkeys, and SSO. Scoped API keys with rotation and immediate revoke.
IP and PII handling
IPs hashed (SHA-256 truncated) by default. PII fields tagged and excluded from logs and analytics exports.
Consent first
Every event carries a consent allowlist. Downstream modules refuse to act on events that don't carry the required purpose.
Isolation
Every org is logically isolated. Row-level tenancy checks on every query. Separate DB for enterprise on request.
Compliance
We're building Sendora to meet the standards enterprise security teams expect. Current status and roadmap:
- GDPR / CCPA: native consent & DSAR workflows.
- SOC 2 Type II: in progress, report available under NDA for Enterprise plans.
- Data residency: US (default) and EU regions.
- Subprocessors: full list published with email notification on change.
Disclosure
Found something? Email security@sendoracloud.com with details and we'll respond within one business day. We credit responsible disclosures in our changelog.