Trust Center
The DDSEMail Trust Center is the single place to evaluate our security and compliance posture: HIPAA-conscious handling with a signed BAA, AES-256 encryption, TLS 1.3 in transit, audit logging, an annual SOC 2 Type II program, a named sub-processor list, and a coordinated vulnerability-disclosure process. Use the links below for the detail your review needs.
Compliance at a glance
| Area | Posture | Detail |
|---|---|---|
| HIPAA | Signed BAA on supported tiers; PHI handled accordingly | BAA overview |
| SOC 2 | Type II program, audited annually | Security |
| Encryption | AES-256 at rest; TLS 1.3 in transit | Security |
| Audit logging | Access and meaningful actions recorded | Security |
| Privacy / GDPR | Controller/processor roles; data-subject rights | Privacy · GDPR |
| Sub-processors | Short, named list with data categories | Sub-processors |
Security overview
DDSEMail encrypts traffic with TLS 1.3, encrypts sessions and sensitive material at rest with AES-256-GCM, stretches passwords with PBKDF2, and records access in an audit trail. The full description lives on the Security page.
HIPAA & the BAA
Where we handle protected health information, we sign a Business Associate Agreement and process PHI only to operate the service. See the BAA overview for what's in and out of scope and how to request the executed agreement.
Sub-processors
We rely on a short, named list of third-party providers, each contractually bound to protect your data. The current list and the data categories involved are on the Sub-processors page.
Reporting a vulnerability
We welcome coordinated disclosure. See security.txt for how to reach our security contact. Please do not test against production patient data.
Documentation requests
Need a SOC 2 report, completed security questionnaire, or signed BAA/DPA for vendor review? Contact us and we'll route the request. Compliance documentation contact: {{TODO: security/compliance contact email}}.