Security & Trust Center

Built on SOC 2 + ISO 27001 certified infrastructure.

Enterprise-grade security practices protect your email authentication data. The controls, certifications, and data handling commitments below are how we earn that trust — spelled out, not euphemized.

  • AES-256 encryption at rest
  • TLS 1.3 in transit
  • US · EU data residency
  • 99.9% uptime SLA
Security principles

How we protect your data.

Security is built into every layer of our platform — infrastructure, application, and the engineer on call.

01

Encryption everywhere

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). We never store plaintext sensitive data.

  • TLS 1.3 for all connections
  • AES-256 encryption at rest
  • Encrypted database backups
02

Access control

Strict role-based access control following the principle of least privilege. All access is logged and audited.

  • Role-based permissions
  • Audit logging
  • Session management
03

Monitoring & detection

24/7 infrastructure monitoring with automated threat detection and incident response procedures.

  • Real-time alerting
  • Anomaly detection
  • Incident response plan
04

Regular security testing

Continuous vulnerability scanning and periodic penetration testing by third-party security firms.

  • Automated vulnerability scans
  • Annual penetration tests
  • Bug bounty program
Compliance posture

Certifications, honestly labeled.

Status reflects DDMARC’s own audits. Parent infrastructure from PlatOps Security is independently certified.

DDMARC · compliance register
Continuously monitored · audited by PlatOps Security
  • SOC 2 Type II

    In progress

    DDMARC certification in progress. Our platform is built on PlatOps Security infrastructure, which is SOC 2 Type II certified.

    Covers security, availability, and confidentiality controls.

  • ISO 27001

    In progress

    DDMARC certification in progress. Powered by PlatOps Security ISO 27001 certified infrastructure and controls.

    International standard for information security management.

  • GDPR

    Compliant

    Full compliance with EU General Data Protection Regulation requirements.

    EU data residency option available. DPA available on request.

  • CCPA

    Compliant

    California Consumer Privacy Act compliance for US customers.

    Data access and deletion requests honored within 45 days.

The infrastructure underneath

Boring, well-documented foundations.

Built on AWS with redundancy, security, and compliance at every layer — chosen for boring, well-documented reasons.

01

AWS infrastructure

Multi-AZ redundancy on Amazon Web Services for high availability and disaster recovery.

02

Data residency

Choose US or EU data centers to meet your regulatory and compliance requirements.

03

Automated backups

Daily encrypted backups with point-in-time recovery. 30-day backup retention.

04

99.9% uptime SLA

Enterprise-grade reliability with automatic failover and zero-downtime deployments.

Data handling

Three columns. No fine print.

What we keep, what we refuse, and for how long.

What we collect

  • DMARC aggregate reports (RUA) sent by email providers
  • DMARC forensic reports (RUF) if you enable them
  • Account information (email, name, organization)
  • Usage analytics for product improvement

What we never collect

  • Email content or message bodies
  • Recipient lists or contact information
  • Passwords (we use OAuth and magic links)
  • Payment card numbers (handled by Stripe)

How long we keep it

  • Report data retained per your plan (7–365 days)
  • Account data retained while account is active
  • Backups purged after 30 days
  • Deleted data removed within 30 days
Security documentation

Request the security packet

Whitepaper, audit summaries, and the Data Processing Agreement are available on request. We respond within 1–2 business days.


FAQ

Security questions, answered.

The five questions our customers and auditors ask us most often.

How is my DMARC data protected?

All DMARC reports are encrypted in transit and at rest. Access is restricted to your organization members only, with role-based permissions. We never share your data with third parties.

Can I request deletion of my data?

Yes. You can delete your account and all associated data at any time from your dashboard settings. For GDPR/CCPA requests, contact privacy@ddmarc.com and we'll process the request within 30 days.

Do you have a bug bounty program?

Yes. We welcome vulnerability reports from security researchers acting responsibly. Contact security@ddmarc.com for our bug bounty policy and scope.

How do you handle security incidents?

We have a documented incident response plan. In the event of a security incident affecting customer data, we will notify affected customers within 72 hours per GDPR requirements.

Can I get a copy of your SOC 2 report?

DDMARC's SOC 2 Type II certification is currently in progress. Our platform is built on PlatOps Security infrastructure, which is SOC 2 Type II certified. Once DDMARC's own certification is completed, reports will be available to customers and prospects under NDA. Use the form below to request access.

Responsible disclosure

Found a security issue?

We take security seriously. If you have discovered a vulnerability, please report it responsibly — we acknowledge every credible report within one business day.

PGP key available on request · response time < 24h