Built so your security team can sleep.
Documents are sensitive by definition. We treat the workspace they live in the same way — encrypted, audited, isolated, and observable from minute one.
The paperwork your buyers expect.
SOC 2 Type II
Annual audit by an independent CPA firm covering security, availability, and confidentiality.
GDPR
Data Processing Agreement, EU data residency, DPO contact, subprocessor list.
HIPAA
Business Associate Agreement for healthcare customers, on Pro plans and up.
ISO 27001
In progress — target completion this calendar year. Roadmap available on request.
CCPA / CPRA
California-resident rights to access, delete, and opt out of sale of personal information.
21 CFR Part 11
FDA-compliant audit trails, e-signature manifests, and intent-to-sign attestations.
What's actually in the box.
Encryption
AES-256 at rest, TLS 1.3 in transit. Per-tenant key isolation on Enterprise.
Identity
SSO / SAML, SCIM provisioning, enforced MFA, IP allow-lists.
Infrastructure
Multi-AZ on AWS, RPO 5 minutes, RTO 1 hour, backups retained 35 days.
Data residency
Pick US or EU at workspace creation. Subprocessors disclosed and updated quarterly.
Access controls
Least-privilege engineering access, audited via internal AuthZ tooling, reviewed quarterly.
Audit logging
Every action — admin or user — written to an immutable log, exportable via API.
Found something? We want to hear about it.
We run a coordinated disclosure program with a 90-day response window. Send vulnerability reports to security@sendmint.com, encrypted with our PGP key.
We don't threaten researchers. We pay bounties on validated reports. We credit you publicly if you'd like, and we keep things quiet if you wouldn't.
- Critical: $5,000–$15,000
- High: $1,500–$5,000
- Medium: $250–$1,500
- Low: $50–$250 or swag