How Email on Acid Proves Our Commitment to Security and Privacy
Talking the talk and walking the walk are two very different things. In the digital world, there aren’t many topics that are more important than security, privacy, and compliance. They're not something you want to brag about unless you’re truly doing what it takes.
Sinch Email on Acid is proud to announce that we’ve taken steps to back up and prove our dedication to providing customers with a secure platform that focuses on data privacy, including GDPR compliance.
How’d we do it? Great question. It involves some industry audits and international certifications that evaluate our security programs, processes, and preparedness:
- ISO 27001 and ISO 27701
- SOC 2 Type I audit
No matter who you work with, these certifications and audits are a sign of a technology partner you can trust. To explain exactly why, let’s take a closer look at what goes into getting certified as well as passing security and compliance audits.
Table of content
What is ISO 27001?
There’s a good chance you’ve heard of ISO standards before. The International Standards Organization is a global, non-governmental organization that defines, develops, and publishes all sorts of standards.
That could include sustainability standards such as net zero emissions. A fairly well-known standard is ISO 9001, which certifies quality management processes.
ISO 27001 focuses on information security standards. We pursued and achieved this certification because it shows competence and indicates that a reliable information security program is in place. To be more specific, ISO 27001 certifies the following:
- Customers are being protected and informed through confidentiality, integrity, and the availability of attack data.
- That our program aligns with more than 140 controls to identify, investigate, and act on potential security incidents.
- That annual risk assessments are completed to ensure threats are handled properly.
For us to earn an ISO 27001 certification, independent auditors test our information security program against all those controls. That means we need to clearly identify risks, set clear objectives on what needs to be achieved with information security, and define the safeguards and mitigation efforts that will handle the risks.
Plus, ISO 27001 requires that we show how we regularly measure our information security controls and that we are continuously working to improve security.
What is ISO 27701?
ISO 27701 is in the same family of certifications as ISO 27001. The main difference is that an ISO 27701 certification adds data privacy into the mix along with information security. An important reason for this is to evaluate controls related to the European Union’s General Data Protection Regulation (GDPR).
While ISO 27701 is not a literal GDPR certification, it does show that Email on Acid and Mailgun Optimize have a privacy program in place that meets similar requirements to the regulation - and that we are continually working to improve data privacy.
Data privacy is crucial in the world of email. As a customer or user, not only do you want your personally identifiable information (PII) protected, but you also need to protect the data of your customers and subscribers. That includes their email addresses.
Dan Ross leads the team responsible for much of this and works directly with the auditors. He understands why GDPR is such a big deal to email senders.
“GDPR is known by most to be the most comprehensive privacy law in the world. Our products abide by this privacy law, and combined with our ISO 27701, Privacy Policy, and Data Processing Agreement, our customers can be sure that their data is treated appropriately.”
~ Dan Ross, Sr. Manager, Governance, Risk, and Compliance (GRC)
Even though GDPR only applies to the personal data of EU citizens, all Sinch Email brands treat data the same way. This means everyone is protected, and it helps prepare our platforms and our customers for future legislation, such as the proposed American Data Privacy and Protection Act (ADPPA).
The ISO 27701 certification is important because, as an email sender, you need to find GDPR-compliant technology partners. This is the proof.
What is a SOC 2 Type I audit?
The word “audit” never really sounds like fun, does it? Dan Ross can confirm that, when our brands undergo these audits, it gets intense and involves some very long days.
A SOC 2 Type I audit happens annually. It is a highly regulated audit, which results in a report that provides a professional opinion on the effectiveness of around 400 controls. (That’s a lot.) With SOC 2 Type I, auditors rigorously test those operational, security, availability, and confidentiality controls at a specific point in time.
There is also a SOC 2 Type II report, which follows the same controls, but takes place over a 12-month period rather than one point in time. Our sister brands, Mailgun and Mailjet, have already passed the SOC 2 Type II audit. In 2023, we’re working to achieve this for all Sinch Email products, including Email on Acid and Mailgun Optimize.
During a SOC 2 audit, the independent auditors will test things such as whether we’ve provided cybersecurity training to our employees. They’ll also find out if we are testing product code changes for security vulnerabilities before we push them live to our platforms.
What does all this mean to you?
Cybersecurity and data privacy compliance can get complicated – and honestly – a little bit scary too. We pursue these reports and certifications and make them available because we want our customers to have peace of mind.
When you work with Email on Acid, Mailgun Optimize, or any of the Sinch Email solutions, you can rest easy and know that you can trust us. We don’t just tell customers and prospects that we are secure and compliant. We get our programs tested so you can be confident we mean what we say.
If you’d like to learn more about our ISO certifications or the results of our SOC 2 Type I audit, you can request and download documentation at the Mailgun Security Portal. There, you’ll find a ton of information that could be especially helpful for those evaluating us as a potential technology partner.
Find out more about email security
Interested in learning more about cybersecurity and email? Our friends and colleagues at Sinch Mailgun published a comprehensive guide you can download for free. You’ll discover:
- How the email threat landscape is constantly changing and how it impacts your company.
- Advice on how to comply with privacy regulations such as GDPR, HIPAA, and the CCPA.
- Why email authentication is crucial to protecting your subscribers and your brand.
- Guidance on choosing technology partners who take security and privacy seriously.
Head over to Mailgun.com and get your copy of The Mailgun guide to email security and compliance.