Security
What we implement today, what we are building toward, and how to contact us about security.
Last updated: 2026-05-27
Overview
SendRad is an early-stage product. We take security seriously and implement controls in code and infrastructure, but we are notGDPR-certified or SOC 2 Type II certified today. Badges on our site that say “in progress” mean we are building toward common industry practices, not that an audit has completed.
For privacy details, see our Privacy Policy. To report a security concern, contact hi@sendrad.com.
Controls we implement today
- Authentication: Supabase Auth with server-side session handling and secure cookie defaults in production.
- Database isolation: Postgres row-level security (RLS) on tenant tables; workspace membership checks on server actions and API routes.
- Webhook integrity: Verified signatures for Zernio and Polar webhooks before processing payloads.
- Secrets: API keys and tokens kept server-side; Google refresh tokens encrypted at rest when
TOKEN_ENCRYPTION_KEYis configured. - AI safety: Structured JSON outputs validated before sends; idempotency keys for agent runs and outbound messages to reduce duplicate replies.
- Rate limiting: Auth and sensitive endpoints throttled to reduce brute-force and abuse.
- Logging: Operational logs use correlation IDs; we avoid logging full message bodies or secrets.
GDPR readiness — where we are
GDPR is a compliance program, not a certificate. For a solo founder selling globally, a practical path looks like this:
- Done or in progress: public Privacy Policy and Terms, RLS, minimal analytics on marketing pages, signup consent pages, signup consent with versioned acceptance records.
- Next: records of processing (ROPA), data subject request playbook, retention/deletion schedule, breach response checklist, signed DPAs with key vendors, international transfer documentation.
- When you scale: lawyer review for EU/UK customers, DPA template for B2B buyers, optional EU data residency discussions with Supabase/Vercel.
Rough timeline for a small team: basic GDPR-ready documentation in weeks; mature program often 2–6+ months with legal help.
SOC 2 readiness — where we are
SOC 2 Type I is a point-in-time design review; Type II requires operating controls over months (often 3–12). Funded startups usually pursue SOC 2 when enterprise customers require it.
- Foundation (now): access control on production, secrets management, dependency updates, incident logging.
- Policies (next): written security policy, vendor review, onboarding/offboarding, change management, backup and restore tests.
- Audit path: Type I when policies + controls exist; Type II after evidence period with an auditor (typical cost: tens of thousands USD depending on scope).
For a pre-revenue solo founder, SOC 2 is usually not urgent until enterprise sales require it; focus first on Privacy Policy accuracy and secure product defaults.
Your responsibilities as a customer
You choose what data to connect, how agents are instructed, and whether AI is enabled. Use strong passwords, limit workspace access, comply with messaging platform rules, and obtain lawful consent from your leads.
Contact
Email: hi@sendrad.com
Contact form: sendrad.com/contact