Trust & Security

Your clients trust you. We work to be worthy of that.

SendBriefs handles client data. Here’s our security posture, our compliance status, and the commitments we make in plain language. Anything missing? Email security@sendbriefs.com.

Posture

Compliance, certifications, and controls.

Six attestations and controls that map to what most enterprise procurement teams ask for. Need something specific? We’ll fill out your security questionnaire.

  • SOC 2 readiness

    On the roadmap

    CASA (Cloud App Security Assessment) is the immediate priority. SOC 2 Type II readiness follows via internal verification; third-party audit certification is scheduled after Series A funding. Sincere, sequenced work — not a marketing claim.

  • GDPR + UK GDPR

    Compliant

    DPAs available on request. Standard Contractual Clauses and EU-US Data Privacy Framework where applicable.

  • Encryption everywhere

    At rest + in transit

    AES-256 at rest, TLS 1.2+ in transit. Per-tenant encryption keys available on Enterprise.

  • SSO + MFA

    Available

    SAML 2.0 SSO on Agency Pro and Enterprise. MFA via TOTP or WebAuthn on every paid plan.

  • CCPA

    Compliant

    California consumers can request access, deletion, and opt-out via privacy@sendbriefs.com.

  • HIPAA

    Available on Enterprise

    BAA available for Enterprise customers with healthcare-vertical clients. Custom MSA required.

Commitments

Four promises, written down.

Things we will and will not do with your data, separate from any specific certification. Each is encoded in our operating procedures.

  • No model training on your data

    Your brief content, integration data, and client metadata are never used to train AI models — ours or anyone else’s.

  • Tenant-level isolation

    Postgres row-level security enforces workspace boundaries at the database layer. Cross-tenant access is architecturally prevented, not just policed.

  • Encrypted, dated backups

    Daily encrypted backups retained 35 days. Point-in-time recovery available within the retention window.

  • 72-hour breach notification

    Per GDPR Art. 33, we notify affected customers within 72 hours of a confirmed data breach — with full scope, root cause, and remediation timeline.

Operational transparency

Subprocessors, disclosure, and uptime — public by default.

Trust is something you give once and lose easily. We publish the things that let you verify our claims yourself.

  • Subprocessors

    A current, dated list of every third-party service that touches customer data — published at /legal/privacy. You will be notified at least 30 days before any addition.

  • Vulnerability disclosure

    Reports go to security@sendbriefs.com. Coordinated disclosure with a 90-day window. We pay bug bounties at our discretion and credit researchers on this page.

  • Uptime + incident history

    Public status page at sendbriefs.com/status. Target SLA is 99.9% on Agency Pro and Enterprise plans. Past incidents stay published indefinitely.

Procurement assist

Filling out a security questionnaire? We’ll respond inside 48 hours.

Send the form (CAIQ, SIG, custom — whatever your team uses) to security@sendbriefs.com and we’ll return it with sources and supporting docs.
