Security & Trust

Your security is our top priority

Enterprise-grade security practices protect your email authentication data. Learn about our security controls, compliance journey, and data protection measures.

  • Encryption: AES-256
  • Uptime SLA: 99.9%
  • Data Centers: US & EU
  • Backup Retention: 30 days

Security Principles

How we protect your data

Security is built into every layer of our platform, from infrastructure to application code.

Encryption Everywhere

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). We never store plaintext sensitive data.

  • TLS 1.3 for all connections
  • AES-256 encryption at rest
  • Encrypted database backups

Access Control

Strict role-based access control following the principle of least privilege. All access is logged and audited.

  • Role-based permissions
  • Audit logging
  • Session management

Monitoring & Detection

24/7 infrastructure monitoring with automated threat detection and incident response procedures.

  • Real-time alerting
  • Anomaly detection
  • Incident response plan

Regular Security Testing

Continuous vulnerability scanning and periodic penetration testing by third-party security firms.

  • Automated vulnerability scans
  • Annual penetration tests
  • Bug bounty program

Compliance

Certifications & compliance

We're committed to meeting the highest security and privacy standards.

SOC 2 Type II

In Progress

DDMARC certification in progress. Our platform is built on PlatOps Security infrastructure, which is SOC 2 Type II certified.

Covers security, availability, and confidentiality controls.

ISO 27001

In Progress

DDMARC certification in progress. Powered by PlatOps Security ISO 27001 certified infrastructure and controls.

International standard for information security management.

GDPR Compliant

Compliant

Full compliance with EU General Data Protection Regulation requirements.

EU data residency option available. DPA available on request.

CCPA Compliant

Compliant

California Consumer Privacy Act compliance for US customers.

Data access and deletion requests honored within 45 days.

Infrastructure

Enterprise-grade infrastructure

Built on AWS with redundancy, security, and compliance at every layer.

AWS Infrastructure

Hosted on Amazon Web Services with multi-AZ redundancy for high availability and disaster recovery.

Data Residency Options

Choose US or EU data centers to meet your regulatory and compliance requirements.

Automated Backups

Daily encrypted backups with point-in-time recovery. 30-day backup retention.

99.9% Uptime SLA

Enterprise-grade reliability with automatic failover and zero-downtime deployments.

Data Handling

How we handle your data

Transparency about what we collect, what we store, and how long we keep it.

What data we collect

  • DMARC aggregate reports (RUA) sent by email providers
  • DMARC forensic reports (RUF) if you enable them
  • Account information (email, name, organization)
  • Usage analytics for product improvement

What data we DON'T collect

  • Email content or message bodies
  • Recipient lists or contact information
  • Passwords (we use OAuth and magic links)
  • Payment card numbers (handled by Stripe)

Data retention

  • Report data retained per your plan (7-365 days)
  • Account data retained while account is active
  • Backups purged after 30 days
  • Deleted data removed within 30 days

Request Security Documentation

Get access to our security whitepaper and compliance reports

We'll respond within 1-2 business days. By submitting, you agree to our Privacy Policy.

FAQ

Security questions answered

How is my DMARC data protected?

All DMARC reports are encrypted in transit and at rest. Access is restricted to your organization members only, with role-based permissions. We never share your data with third parties.

Can I request deletion of my data?

Yes. You can delete your account and all associated data at any time from your dashboard settings. For GDPR/CCPA requests, contact privacy@ddmarc.com and we'll process them within 30 days.

Do you have a bug bounty program?

Yes. We welcome responsible security researchers to report vulnerabilities. Contact security@ddmarc.com for our bug bounty policy and scope.

How do you handle security incidents?

We have a documented incident response plan. In the event of a security incident affecting customer data, we will notify affected customers within 72 hours per GDPR requirements.

Can I get a copy of your SOC 2 report?

DDMARC's SOC 2 Type II certification is currently in progress. Our platform is built on PlatOps Security infrastructure, which is SOC 2 Type II certified. Once DDMARC's own certification is completed, reports will be available to customers and prospects under NDA. Use the form below to request access.

Report a Vulnerability

Found a security issue?

We take security seriously. If you've discovered a vulnerability, please report it responsibly.