egressif.

Trust & Security

What we do with your trust, stated plainly.

No certifications we don't hold, no promises we can't keep. Here is exactly how your data is handled and what we have actually done, so your security and procurement teams can evaluate us from this page.

01

Where your data lives

Your data is processed in the United States, on infrastructure we run in SOC 2-certified datacenters (Google Cloud). We hold minimal personal data: delivery metadata, not message content. If you need a different region, the custom-infrastructure path builds inside your own environment.

02

We do not train AI on your data

Your content, recipients, delivery records, and support conversations are never used to train AI models, ours or anyone else’s. They exist to run and account for your sending, nothing more.

03

SOC 2 principles, honestly stated

Our infrastructure runs in SOC 2-certified datacenters, and we apply SOC 2 principles across our own stack, including how we choose providers: encryption in transit and at rest where applicable, least-privilege access, MFA, key management, and continuous monitoring. Egressif itself is not SOC 2 certified, and certification is not on our roadmap right now. We will not imply otherwise.

04

Independent penetration testing

Our systems have been penetration-tested by third parties. We treat security as something we keep earning, not a badge we display.

05

Reliability you can plan around

We run a resilient, multi-node cluster with automatic failover between paths. We design for around 99.99% availability. That is a target we hold ourselves to, not a blanket contractual SLA; specific service levels live in an Order or SOW when you need them in writing.

06

Incident response

Material security incidents affecting your services or data are reported without undue delay, and within 72 hours, with known scope and remediation. Continued updates and a root-cause review follow. You will not learn about an incident affecting your data from a news article first.

07

Sub-processors

Our primary infrastructure provider is Google Cloud (US), which maintains its own certifications and sub-processors. We do not add our own sub-processors beyond what your setup opts into, for example an ESP you choose to keep in your routing. Ask and we will share specifics.

08

Privacy and data handling

We do not read message content and do not store message bodies for delivery. Where you use hosted mailboxes, their contents are stored only to provide the mailbox service, excluded from our operational tooling, with access gated and logged. You remain the controller of your data; it is deleted or exported per your terms.

09

Report a vulnerability

Email [email protected], or see /.well-known/security.txt (RFC 9116). Good-faith research gets a human response and safe harbor: we will not pursue researchers who report responsibly and avoid privacy violations or service disruption.

Plain about limits

What we are not, today.

Being trustworthy includes being clear about what we have not done. We are not SOC 2 or ISO 27001 certified, and that is not on the roadmap right now. We do not run a formal GDPR program or maintain a standard Data Processing Addendum, because we hold minimal personal data and our clients remain the controller and sender of their mail. We do not process PHI under standard terms and do not act as a Business Associate unless agreed in writing.

If your procurement needs something we do not offer today, tell us. You will get a straight answer about what we can and cannot sign, not a runaround. For requirements that genuinely exceed our standard posture, the custom-infrastructure path builds inside your own environment and compliance perimeter.

Send us your security questionnaire.

Tell us what your review needs. We answer plainly, including the things vendors usually dodge.
