Security is a top priority at Sendcloud, because it is fundamental to the service we provide. Our mission is to make shipping as easy as possible. In doing so, security concerns should never be an issue. We are committed to securing your data and the data of your consumers that is processed via our platform. Sendcloud uses a variety of industry best practice technologies and services to ensure the confidentiality, integrity and availability of your data.
Security program & organization
Sendcloud has a dedicated Information Security team, whose daily job is to ensure proper protection of all data and organizational assets. We have been ISO 27001:2013 certified since January 2021. Our platform and our entire organization are in scope of this certification. Furthermore, we leverage other industry best practices, such as OWASP & NIST. As part of our ISO PDCA cycle, we have a Risk Management framework. Sendcloud actively works on finding, limiting and re-assessing our information security risks.
GDPR & Privacy
Physical access control
Sendcloud is hosted at Amazon Web Services. AWS is an industry leader in cloud computing services. You can learn more about their Information Security Controls and Perimeter Security on their website. No Sendcloud employees have physical access to AWS storage locations. Internally, we have also enforced several security measures at our offices in Eindhoven (NL) and Munich (DE), including restricting office access with access tags/keys, alarm systems and camera systems. These systems have been put in place even though Sendcloud has no local server or storage capabilities in either of our offices.
Logical access control
Sendcloud leverages a centrally managed Identity & Access Management solution in combination with SSO login & SCIM provisioning wherever possible. Employees who depend on systems that only support email & password login use an encrypted password manager. This means that all access to tools & systems is regulated. All access is protected with strict password rules and multifactor authentication. Access is granted based on role-based access controls, which are synced directly from our HR system and can provision and deprovision accounts in real time.
Screening & training
All Sendcloud employees are properly screened before employment, sign NDAs to protect your and our data, and undergo security training at onboarding and recurring (at least yearly) security training after that. Furthermore, periodic phishing simulations as well as other awareness campaigns are a part of how we keep security top of mind.
Sendcloud has a central Information Security Policy (in line with our ISO 27001:2013 certification) stating the management support and goals of our ISMS. We have multiple supporting policies tackling topics such as: user access, mobile devices, passwords, incidents, business continuity, third party software & cloud apps, suppliers, project management and data classification. Specific departments also have dedicated policies (such as an Application Security & Secure Software Guideline in our Engineering & Product teams).
Data you provide to Sendcloud is encrypted at rest & in transit at AWS. Sendcloud only allows data to be transmitted over HTTPS connections encrypted with Transport Layer Security (TLS). We use AWS Key Management Service (KMS) to manage keys within our environment. For any connection made to the Sendcloud platform (API, shop integrations, etc.) we use unique and strong key pairs.
Sendcloud undergoes annual penetration testing conducted by an independent third-party agency. All testing is done in an isolated clone environment, which means no production systems are affected. No customer or consumer data is exposed in any testing. The outcomes of these tests are fed into our mitigation & remediation process to improve the security maturity of our platform.
We also run a public Bug Bounty Program on HackerOne and encourage white hat hackers to find and report vulnerabilities to us under that program.
AWS offers us various services to monitor and control our cloud environment, such as Amazon GuardDuty and CloudWatch. Several security tools are implemented to identify abnormalities in the platform. We actively monitor the performance of our entire platform and have extensive follow-up mechanisms in place to ensure proper follow-up during working hours. We also have engineers on duty for extended support outside of normal working hours.
Performance and Availability
Sendcloud uses a variety of solutions at AWS to ensure proper uptime and availability of the Sendcloud platform and Services. All of this is governed by our Business Continuity Plan. We have load balancers in place to regulate traffic, and we leverage the rate limiting and DDoS protection that is built into our AWS environment. Furthermore, we have extensive backup plans, including a hotlink between multiple availability zones to minimize the risk of downtime. You can view a history of our uptime (and the current status of services) at https://status.sendcloud.com/
Questions or feedback
If you have any questions about the way we deal with your data or feedback for the Sendcloud security team, you can send an email to [email protected]