Technical & Orginizational Measures

Version: v2025-10
Last Updated: October 20, 2025

This document summarizes the key technical and organizational measures SuperSend implements to protect customer data in accordance with GDPR Article 32, ISO 27001 principles, and industry best practices.

1. Infrastructure Security

• Hosted on Google Cloud Platform (us-east1) and AWS S3 (us-east-1).
• Private VPC networks; no public database access.
• All data encrypted at rest with AES-256 and in transit with TLS 1.3.
• Redis connections secured via TLS.

2. Access Control

• Role-based access control (RBAC) across systems and Kubernetes workloads.
• Multi-factor authentication required for all privileged accounts.
• Service accounts limited to least-privilege permissions.

3. Application Security

• Regular vulnerability scans and code reviews.
• Annual third-party penetration testing.
• Web security headers (CSP, HSTS, XSS protection) enforced by default.
• Continuous monitoring for anomalies and failed authentication attempts.

4. Business Continuity & Disaster Recovery

• Daily automated backups (30-day retention).
• Recovery Time Objective (RTO): < 4 hours.
• Recovery Point Objective (RPO): < 24 hours.
• Documented BC/DR plan reviewed annually.

5. Vendor & Sub-processor Management

• Sub-processors vetted for ISO 27001/SOC 2 and GDPR compliance.
• Annual vendor risk review and DPA verification.
• Public list available at supersend.io/legal/subprocessors.

6. Incident Response

• 24/7 monitoring and alerting for security events.
• Dedicated escalation channels for high-severity incidents.
• Customer notification within 72 hours of confirmed data breach.

_Last Updated Oct 20 2025 — GDPR Compliance v2025-10_