Sendlio

Security & Compliance

Last updated: 3 January 2026

Our commitment

Sendlio, operated by Redlio Designs, is entrusted with your inboxes, your contact lists, and your outreach content. We treat that trust as a product feature. This page summarises the technical and organisational measures we apply to keep your data safe.

1. Infrastructure

The Service runs on hardened, auto-patched cloud infrastructure (AWS / equivalent) in audited regions. Production environments are isolated from development and staging. Systems sit behind a WAF and DDoS protection layer (Cloudflare). Workloads run in private subnets with egress whitelists and least-privilege IAM roles.

2. Encryption

All data is encrypted in transit with TLS 1.2+. All data at rest — including databases, object storage, and backups — is encrypted with AES-256. Mailbox credentials and OAuth refresh tokens are encrypted with envelope encryption using managed keys, and decrypted only at send time by the sending service.

3. Access control

Access to production systems is restricted to named engineers on a need-to-know basis, enforced with SSO and a mandatory hardware or TOTP second factor. All administrative actions are logged. Access is reviewed quarterly and revoked within 24 hours of role change or departure.

4. Application security

We follow OWASP Top 10 guidelines, perform code review on every change, run automated static analysis and dependency scanning in CI, and run routine penetration tests. Critical vulnerabilities are remediated within 7 days of disclosure; high-severity within 30 days.

5. Data isolation

Every workspace is scoped with a tenant identifier enforced at the database, application, and API layer. We have no shared email-content tables across customers. Analytics aggregations run on de-identified data only.

6. Backups and disaster recovery

Databases are backed up continuously (point-in-time recovery, 30-day window). Backups are encrypted and stored in a separate region. RPO target: 15 minutes. RTO target: 4 hours. Backup restore is tested regularly.

7. Monitoring and incident response

We run 24/7 automated monitoring for availability, error rates, and anomalous access patterns. Our incident-response runbook covers triage, containment, eradication, recovery, and post-mortem. Customers affected by a personal-data breach are notified within 72 hours per our DPA.

8. Compliance

We process personal data in line with GDPR, UK GDPR, CCPA/CPRA, and India's DPDP Act. A signed DPA is available at /dpa. SOC 2 Type I is scoped for 2026; SOC 2 Type II is in progress. We do not pursue spammer-adjacent certifications; our bar is regulated, trust-first business email.

9. Responsible disclosure

Think you found a vulnerability? We thank you. Email security@sendlio.com with a clear description and steps to reproduce. Please do not publicly disclose until we have had a reasonable chance to investigate and patch. We will acknowledge within 72 hours and keep you updated. We do not currently operate a paid bounty programme, but we credit reporters with permission.

10. Contact

Security questions: security@sendlio.com. Postal: Redlio Designs, 12 Krishna Complex, Janta Fatak, Jamnagar, Gujarat, India – 361006.


© 2026 Sendlio. All rights reserved.