Protecting your information and the information of your customers is extremely important to us. We know you have questions about how we’re protecting that information, so what follows are details about some frequently requested information about SendGrid’s information security.
Data Centers
We use data centers around the world from top-notch data center providers to host our systems. They all have SOC2 Type 2 reports and provide all the physical security protection measures you would expect.
Misuse
We want to ensure that the email we send through our system is email that users want to receive, so we have a dedicated team to ensure we’re on the cutting edge of compliance and delivery. If we see accounts with signs of suspicious activity, we take immediate action.
AppSec
We understand that software security is very important. We continuously scan our applications for vulnerabilities, using a combination of static source code analysis and dynamic testing. We understand that password reuse is a killer, and offer two-factor authentication for added protection of your account. We also:
- Encrypt all your data in transit using TLS.
- Have an independent penetration test conducted on an annual basis.
If you identify a vulnerability in our site or services, here’s how to report it to us.
Operational Security
Access to our systems and your data is restricted only to those who need access in order to provide you awesome support.
We also have all the “people security” things you’d expect to see:
- Background checks for our employees
- Signed confidentiality agreements
- Termination/access removal processes
- Acceptable use agreements.
And we’ve earned the SOC 2 Type II certification, based on our rigorous controls to safeguard your data.
Security is the responsibility of everyone who works for us. We train our employees so that they can identify security risks and empower them to take action to prevent bad things from happening.
Business Continuity/Disaster Recovery
We have redundant, geographically separate data centers so that we can provide consistent services for you. In the event one of our data centers becomes unavailable, we can recover quickly so that you can still send email.
Privacy
You can view our privacy policy here, but we’ll say here that we believe in the confidentiality of your information. We never sell your recipient email addresses. We have a data retention policy, and we stick to it.
If you have more in-depth questions about our security program, let us know.
Additional Resources:
Vulnerability Disclosure Program
Ensuring the security and integrity of the Twilio platform is critical to the service we provide our customers. We are committed to delivering a secure product and greatly appreciate help from the community in responsibly identifying ways for us to improve. Our Vulnerability Disclosure Program is open to everyone—whether you're a customer, professional security researcher that does not meet the Bug Bounty Program requirements, or just someone who has discovered a potential issue. By responsibly reporting vulnerabilities in our applications or online services, you enable us to address them promptly and protect our community. While this program doesn't offer monetary rewards, your contribution is invaluable to us. If you find a vulnerability, please follow our submission guidelines to let us know.
Submit a vulnerability disclosure
Bug Bounty Program
For those interested in earning rewards for their security expertise, we offer a Bug Bounty Program through the Bugcrowd platform. This program invites experienced security researchers to identify and report vulnerabilities in our applications and internet-facing assets. Eligible findings may qualify for monetary bounties based on their severity and impact. By participating, you not only help us strengthen our security but also receive recognition and compensation for your valuable contributions. If you've discovered a vulnerability and wish to join our Bug Bounty Program, please read our bounty brief and submit your report here.