Security At The Grid: How We Do It And What It Means For Senders Sue Pomeroy July 7, 2017 Company // SUMMARIES ?> Oftentimes, the topic of information security happens behind the scenes–it’s something that’s just expected, so the only time it’s talked about is when it isn’t present or doesn’t work. In order to be the most trusted communications platform, our security program has to be on point, and we have to listen to what our customers need. SendGrid customers rely on us to provide security features and tools that ensure their email gets to customers, and that all information remains secure. In order to do so, our security engineering and compliance teams are dedicated to building tools and processes to protect the Grid from adversaries while ensuring that we continue to deliver features that our customers love and value. Although many of your questions about our various security features can be answered by our security page, we wanted to highlight a few security feature updates and information. Third Party Attestation SendGrid has engaged in a third party attestation of its security program and has obtained an SSAE-16 SOC2 Type 2 report. SSAE-16, a standard for attestation developed by the American Institute of CPAs (AICPA) and Service Organization Controls (SOC), provides customers with the information they need to assess risk with using a service organization Having a SOC2 report helps our customers meet their third party provider assessment needs–whether they operate in a regulated industry or not. This report is available to provide customers with the assurance that our security program is well-designed and operating effectively. Customers and prospective customers can request this report through our Sales or Customer Success organizations. Account Protection Other security features that specifically protect access to your SendGrid account include: Two-Factor Authentication. Passwords are so 1990. Two-factor authentication is a simple way to add an additional layer of protection to accessing your account by requiring a second form of verification before account access. API Keys with granular permissions enables customers to configure their SendGrid integration with least privilege. The more granular your privileges are, the more secure your account will be. IP Access Management will allow you to whitelist certain IPs to access your account. Using this feature enables our customers to restrict access to API, SMTP relay, or customer portal usage of their account to specific IP addresses within their environment. Secure account sharing via our Teammates feature helps our customers in large organizations accomplish least privilege with their SendGrid accounts. Assigning specific roles and permissions to members of your organization can help avoid inadvertent actions on your account and can provide a more clear separation of duties. Email Security Best Practices Wondering what you can do on your side to keep your accounts secure? The following best practices are a great place to start and all the of the following are highly recommended as an email sender: Securing your credentials: A common risk we see to customer accounts is posting integration code into a code repository that is public, when the integration code contains account credentials such as username/password, or an API key. When developing your integration, use environment variables instead of hard coding credentials. Setting up a domain whitelabel: Creating a domain whitelabel allows you to send email from your custom domain instead of sending with SendGrid’s, which helps grow your brand consistency and improve deliverability. Create a custom SPF record with a dedicated IP: Using a dedicated IP along with a custom Sender Policy Framework (SPF) record will help with getting your messages to the inbox while adding a layer of protection to prevent successful email spoofing. Security is always evolving and we continue to provide the most protection for our customers. For more on security at SendGrid, check out our security page.