
Security Overview

At Transmit, security is foundational to everything we build. We employ industry-leading security practices to protect your data, ensure privacy, and maintain the highest levels of compliance.

SOC 2 Type II Certified

Independently audited security controls

End-to-End Encryption

Data encrypted at rest and in transit

Zero Trust Architecture

Every request authenticated and authorized

Regular Security Audits

Continuous monitoring and penetration testing

Data Encryption

Encryption in Transit

All data transmitted to and from Transmit is encrypted using industry-standard protocols:
  • TLS 1.3 for all API connections
  • Perfect Forward Secrecy (PFS) to protect past sessions
  • Strong cipher suites (AES-256-GCM, ChaCha20-Poly1305)
  • Certificate pinning available for enhanced security
  • HSTS (HTTP Strict Transport Security) enforced
// All API calls are automatically encrypted
const response = await client.emails.send({
  from: 'hello@yourdomain.com',
  to: 'user@example.com',
  subject: 'Secure Communication',
  html: '<p>This message is encrypted in transit</p>'
});
// ✅ Data encrypted with TLS 1.3 automatically

Encryption at Rest

All data stored in Transmit’s infrastructure is encrypted:
  • AES-256 encryption for all stored data
  • Separate encryption keys per customer (multi-tenant isolation)
  • Hardware Security Modules (HSM) for key management
  • Encrypted backups with separate key rotation
  • Automatic key rotation on a regular schedule
What we encrypt:
  • Email content and attachments
  • SMS message bodies
  • Contact information
  • API keys (hashed with bcrypt)
  • Webhook payloads in queue
  • Audit logs and analytics data

API Security

Authentication

Transmit uses bearer token authentication with strong security controls:
curl https://api.transmit.dev/v1/emails \
  -H "Authorization: Bearer tx_live_abc123..." \
  -H "Content-Type: application/json"
Security features:
  • API keys are cryptographically random (256-bit entropy)
  • Keys are hashed using bcrypt before storage
  • Support for multiple keys per organization
  • Ability to scope keys to specific permissions
  • Automatic key expiration policies available
  • Rate limiting per key to prevent abuse

API Key Best Practices

API keys should only be used server-side. Never include them in:
  • Frontend JavaScript code
  • Mobile apps
  • Public repositories
  • Version control systems
Store keys in environment variables or secrets management:
# .env (never commit this file)
TRANSMIT_API_KEY=tx_live_abc123...

// In application code, read the key from the environment at runtime
const client = new TransmitClient({
  apiKey: process.env.TRANSMIT_API_KEY
});
Generate new API keys periodically:
  • Create new key in dashboard
  • Update your application
  • Verify new key works
  • Revoke old key
Recommended rotation schedule: every 90 days
Separate keys for different environments:
  • Development: tx_test_dev_...
  • Staging: tx_test_staging_...
  • Production: tx_live_prod_...
This limits blast radius if a key is compromised.
Regularly check your dashboard for:
  • Unusual request patterns
  • Failed authentication attempts
  • Unexpected geographic access
  • Spike in usage
Set up alerts for suspicious activity.
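The page tells you to watch the dashboard for failed authentication attempts, unexpected geographic access and usage spikes. As an added example (not code from the Transmit page or SDK), the block below runs those three checks as simple detection rules over exported API-usage log records. The JSON log format, the field names (key_id, status, country), the baseline structure and the thresholds are all assumptions; the log lines themselves are constructed sample data.

```javascript
// Added example, not Transmit's code. Detection rules over constructed
// API-usage log lines; the record format and thresholds are assumptions.

const SAMPLE_LOG_LINES = [
  // key_A: normal traffic from its usual country
  '{"ts":"2024-01-01T10:00:00Z","key_id":"key_A","status":200,"country":"US","path":"/v1/emails"}',
  '{"ts":"2024-01-01T10:00:05Z","key_id":"key_A","status":200,"country":"US","path":"/v1/emails"}',
  '{"ts":"2024-01-01T10:00:09Z","key_id":"key_A","status":202,"country":"US","path":"/v1/sms"}',
  // key_B: a burst of rejected requests from a country it has never used
  '{"ts":"2024-01-01T10:01:00Z","key_id":"key_B","status":401,"country":"DE","path":"/v1/emails"}',
  '{"ts":"2024-01-01T10:01:01Z","key_id":"key_B","status":401,"country":"DE","path":"/v1/emails"}',
  '{"ts":"2024-01-01T10:01:02Z","key_id":"key_B","status":401,"country":"DE","path":"/v1/emails"}',
  '{"ts":"2024-01-01T10:01:03Z","key_id":"key_B","status":403,"country":"DE","path":"/v1/emails"}',
  '{"ts":"2024-01-01T10:01:04Z","key_id":"key_B","status":401,"country":"DE","path":"/v1/emails"}',
  '{"ts":"2024-01-01T10:01:05Z","key_id":"key_B","status":401,"country":"DE","path":"/v1/emails"}',
  // key_C: far more requests than its usual per-window baseline
  '{"ts":"2024-01-01T10:02:00Z","key_id":"key_C","status":200,"country":"US","path":"/v1/sms"}',
  '{"ts":"2024-01-01T10:02:01Z","key_id":"key_C","status":200,"country":"US","path":"/v1/sms"}',
  '{"ts":"2024-01-01T10:02:02Z","key_id":"key_C","status":200,"country":"US","path":"/v1/sms"}',
  '{"ts":"2024-01-01T10:02:03Z","key_id":"key_C","status":200,"country":"US","path":"/v1/sms"}',
  '{"ts":"2024-01-01T10:02:04Z","key_id":"key_C","status":200,"country":"US","path":"/v1/sms"}',
  '{"ts":"2024-01-01T10:02:05Z","key_id":"key_C","status":200,"country":"US","path":"/v1/sms"}',
  '{"ts":"2024-01-01T10:02:06Z","key_id":"key_C","status":200,"country":"US","path":"/v1/sms"}',
  'this line is not JSON and must be skipped, not crash the detector',
];

// Constructed baseline: countries each key normally uses, and its usual
// request count per observation window.
const SAMPLE_BASELINE = {
  countries: { key_A: ['US'], key_B: ['US'], key_C: ['US'] },
  requestsPerWindow: { key_A: 5, key_B: 5, key_C: 2 },
};

// Parse one JSON log line; return null for malformed or incomplete records.
function parseLogLine(line) {
  try {
    const rec = JSON.parse(line);
    if (typeof rec.key_id !== 'string' || !Number.isInteger(rec.status) ||
        typeof rec.country !== 'string') {
      return null;
    }
    return rec;
  } catch (err) {
    return null;
  }
}

// Aggregate per key, then apply three rules; returns a list of alerts.
function detectSuspiciousKeyUsage(lines, baseline,
                                  { failureThreshold = 5, spikeMultiplier = 3 } = {}) {
  const perKey = new Map();
  for (const line of lines) {
    const rec = parseLogLine(line);
    if (!rec) continue;
    if (!perKey.has(rec.key_id)) {
      perKey.set(rec.key_id, { requests: 0, failures: 0, countries: new Set() });
    }
    const stats = perKey.get(rec.key_id);
    stats.requests += 1;
    if (rec.status === 401 || rec.status === 403) stats.failures += 1;
    stats.countries.add(rec.country);
  }

  const alerts = [];
  for (const [keyId, stats] of perKey) {
    // Rule 1: burst of rejected requests presented with this key id
    if (stats.failures >= failureThreshold) {
      alerts.push({ keyId, rule: 'auth_failures', detail: `${stats.failures} rejected requests` });
    }
    // Rule 2: any country outside the key's baseline
    const known = new Set(baseline.countries[keyId] || []);
    for (const country of stats.countries) {
      if (!known.has(country)) {
        alerts.push({ keyId, rule: 'new_geo', detail: `requests from ${country}` });
      }
    }
    // Rule 3: request volume well above the key's usual window count
    const usual = baseline.requestsPerWindow[keyId];
    if (usual !== undefined && stats.requests > usual * spikeMultiplier) {
      alerts.push({ keyId, rule: 'usage_spike',
                    detail: `${stats.requests} requests vs baseline ${usual}` });
    }
  }
  return alerts;
}

module.exports = { parseLogLine, detectSuspiciousKeyUsage, SAMPLE_LOG_LINES, SAMPLE_BASELINE };
```

Running `detectSuspiciousKeyUsage(SAMPLE_LOG_LINES, SAMPLE_BASELINE)` yields three alerts: key_B trips both the failed-authentication and new-country rules, key_C trips the usage-spike rule, and key_A stays quiet. A key that fires the first two rules together is the pattern to treat as a likely leaked key and revoke, as the section above advises.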

Rate Limiting

Protect your application from abuse with built-in rate limiting:
  • Automatic rate limiting based on your plan
  • Configurable limits for enterprise customers
  • Per-key tracking to isolate abuse
  • Gradual backoff with clear error messages
  • Rate limit headers in API responses
HTTP/1.1 429 Too Many Requests
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1641052800
Retry-After: 60
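A client that ignores the 429 response above and simply retries in a tight loop turns a rate limit into an outage of its own making. The block below is an added example (not Transmit SDK code) of how a client should read the headers shown above: it honours Retry-After first (seconds or an HTTP-date), falls back to waiting until X-RateLimit-Reset, and only uses capped exponential backoff when neither header is present. The header names are from the page; the backoff constants, jitter and attempt limit are assumptions.

```javascript
// Added example, not Transmit's SDK. Header names match the 429 response on
// the page; the backoff constants are assumptions.

const BASE_DELAY_MS = 500;
const MAX_DELAY_MS = 30000;

// Accept either a Fetch-style Headers object or a plain object keyed by
// lowercase header name.
function getHeader(headers, name) {
  if (!headers) return undefined;
  if (typeof headers.get === 'function') {
    const value = headers.get(name);
    return value === null ? undefined : value;
  }
  return headers[name.toLowerCase()];
}

// How long to wait before the next attempt, in milliseconds.
function retryDelayMs(headers, attempt, nowMs) {
  // 1. Retry-After is authoritative: a delay in seconds or an HTTP-date.
  const retryAfter = getHeader(headers, 'retry-after');
  if (retryAfter !== undefined) {
    const text = String(retryAfter).trim();
    if (/^\d+$/.test(text)) return Number(text) * 1000;
    const at = Date.parse(text);
    if (!Number.isNaN(at)) return Math.max(0, at - nowMs);
  }
  // 2. Otherwise wait until the window resets (unix seconds).
  const reset = getHeader(headers, 'x-ratelimit-reset');
  if (reset !== undefined && /^\d+$/.test(String(reset).trim())) {
    return Math.max(0, Number(reset) * 1000 - nowMs);
  }
  // 3. No guidance from the server: capped exponential backoff.
  return Math.min(BASE_DELAY_MS * 2 ** attempt, MAX_DELAY_MS);
}

// Run doRequest() until it returns something other than 429, or give up.
// sleep and now are injectable so the loop can be driven in tests.
async function sendWithRetry(doRequest, {
  maxAttempts = 5,
  sleep = ms => new Promise(resolve => setTimeout(resolve, ms)),
  now = Date.now,
} = {}) {
  for (let attempt = 0; attempt < maxAttempts; attempt += 1) {
    const res = await doRequest();
    if (res.status !== 429) return res;
    if (attempt === maxAttempts - 1) {
      throw new Error(`rate limited: giving up after ${maxAttempts} attempts`);
    }
    // Small random jitter so many workers do not all retry at the same instant.
    const jitter = Math.floor(Math.random() * 250);
    await sleep(retryDelayMs(res.headers, attempt, now()) + jitter);
  }
  return undefined;
}

module.exports = { getHeader, retryDelayMs, sendWithRetry };
```

With the headers from the page (`Retry-After: 60`, `X-RateLimit-Reset: 1641052800`) the delay is 60 seconds, since Retry-After wins; with only the reset header and a clock of 1641052790 it is 10 seconds; with neither, attempt 3 waits 4 seconds and later attempts cap at 30. Note that X-RateLimit-Remaining can also be read proactively to pause before the limit is hit rather than after.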

Infrastructure Security

Multi-Tenant Isolation

Each organization’s data is strictly isolated:
  • Logical isolation with organization-scoped queries
  • Database-level row security policies
  • Separate encryption keys per tenant
  • Network segmentation for sensitive workloads
  • No cross-tenant data access by design

Access Controls

Strict access controls at every layer:
  • Role-Based Access Control (RBAC) for team members
  • Principle of least privilege for all services
  • Multi-factor authentication (MFA) required for dashboard access
  • IP allowlisting available for enterprise plans
  • Session timeout and automatic logout
  • Audit logging of all access and changes

Network Security

Comprehensive network security measures:
  • DDoS protection at network edge
  • Web Application Firewall (WAF) filtering malicious traffic
  • Private networking for internal services
  • VPC isolation preventing lateral movement
  • Intrusion detection systems (IDS) monitoring traffic
  • Security groups restricting service communication

Vulnerability Management

Proactive vulnerability identification and remediation:
  • Automated security scanning of all code
  • Dependency vulnerability monitoring with automatic updates
  • Regular penetration testing by third-party firms
  • Bug bounty program rewarding security researchers
  • Quarterly security assessments
  • Zero-day response protocols

Compliance & Certifications

SOC 2 Type II

Transmit is SOC 2 Type II certified, demonstrating:
  • Security - Protection against unauthorized access
  • Availability - System uptime and reliability
  • Processing Integrity - Complete and accurate processing
  • Confidentiality - Protection of confidential information
  • Privacy - Collection and handling of personal information
Annual audits conducted by independent third parties.

GDPR Compliance

Full compliance with EU General Data Protection Regulation:
  • Data Processing Agreements (DPA) available
  • Right to be forgotten - Delete user data on request
  • Data portability - Export data in machine-readable format
  • Consent management - Opt-in/opt-out tracking
  • Data breach notification - 72-hour notification requirement
  • Data residency options for EU customers

CCPA Compliance

California Consumer Privacy Act compliance:
  • Consumer rights to access and delete data
  • Do Not Sell opt-out mechanisms
  • Transparent data practices disclosure
  • Data minimization principles applied

HIPAA Compliance

For healthcare customers (Enterprise plan):
  • Business Associate Agreement (BAA) available
  • HIPAA-compliant infrastructure
  • Encrypted PHI (Protected Health Information)
  • Audit logging of all PHI access
  • Access controls and authentication

Additional Certifications

  • ISO 27001 (Information Security Management)
  • PCI DSS Level 1 (for payment-related communications)
  • WCAG 2.1 AA (Accessibility standards)

Data Privacy

Data Collection

We only collect data necessary to provide our service.
What we collect:
  • Email addresses and content (to send emails)
  • Phone numbers and SMS content (to send SMS)
  • Engagement data (opens, clicks) when tracking enabled
  • API usage logs for debugging and billing
  • Minimal metadata (timestamps, IDs)
What we don’t collect:
  • Personal information beyond what you send
  • Browsing history or tracking outside our platform
  • Third-party cookies or cross-site tracking
  • Sensitive data unless explicitly sent by you

Data Retention

Clear data retention policies:
  • Message content: 30 days by default (configurable)
  • Analytics data: 12 months
  • Audit logs: 7 years (compliance requirement)
  • Backups: 90 days with automatic deletion
  • Deleted data: Permanently purged within 30 days

Data Location

Control where your data is stored:
  • US region (default) - Data centers in United States
  • EU region - Data centers in European Union
  • APAC region - Data centers in Asia-Pacific
  • Data sovereignty - Data never leaves selected region

Webhook Security

Signature Verification

All webhooks are signed with HMAC-SHA256:
import crypto from 'crypto';
import express from 'express';

const app = express();

function verifyWebhookSignature(
  payload: string,
  signature: string | undefined,
  secret: string
): boolean {
  if (!signature) return false;

  const expectedSignature = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');

  // timingSafeEqual throws if the buffers differ in length, so compare lengths
  // first; the digest length is public, so this check leaks nothing.
  const received = Buffer.from(signature, 'utf8');
  const expected = Buffer.from(expectedSignature, 'utf8');
  if (received.length !== expected.length) return false;

  return crypto.timingSafeEqual(received, expected);
}

// Verify against the raw body bytes: re-serialising a parsed body with
// JSON.stringify(req.body) can change key order or whitespace and produce a
// different digest from the one that was signed.
app.post(
  '/webhooks/transmit',
  express.raw({ type: 'application/json' }),
  (req, res) => {
    const header = req.headers['x-transmit-signature'];
    const signature = Array.isArray(header) ? header[0] : header;
    const secret = process.env.TRANSMIT_WEBHOOK_SECRET;

    if (!secret) {
      return res.status(500).send('Webhook secret not configured');
    }

    const rawBody = req.body.toString('utf8');
    if (!verifyWebhookSignature(rawBody, signature, secret)) {
      return res.status(401).send('Invalid signature');
    }

    const event = JSON.parse(rawBody);
    // Process webhook...
    res.status(200).send('OK');
  }
);

Webhook Best Practices

Always Verify Signatures

Never process webhooks without signature verification

Use HTTPS Endpoints

Webhook URLs must use HTTPS, never HTTP

Validate Payload Schema

Verify payload structure matches expected format

Implement Replay Protection

Check timestamp and reject old webhooks
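The two practices above, schema validation and replay protection, are what a handler does after the signature check has passed. The block below is an added example (not code from the Transmit page or SDK) of that second stage: it parses the verified raw body, checks the event against a minimal schema, rejects events whose timestamp is outside a tolerance window, and ignores event ids it has already seen inside that window. The field names (`id`, `type`, `created_at` in unix seconds, `data`), the 5-minute tolerance and the in-memory seen-set are assumptions; Transmit's real event schema is not described on this page, so adapt the checks to it.

```javascript
// Added example, not Transmit's code. Assumes the HMAC signature over the raw
// body has already been verified (as in the page's verifyWebhookSignature) and
// that events carry id, type, created_at (unix seconds) and data; those field
// names and the tolerance window are assumptions.

const MAX_AGE_SEC = 300; // assumed tolerance: reject events older than 5 minutes

// Minimal structural validation; returns a list of problems (empty = valid).
function validateEvent(event) {
  if (typeof event !== 'object' || event === null || Array.isArray(event)) {
    return ['event must be a JSON object'];
  }
  const errors = [];
  if (typeof event.id !== 'string' || event.id.length === 0) {
    errors.push('id must be a non-empty string');
  }
  if (typeof event.type !== 'string' || !/^[a-z_]+(\.[a-z_]+)*$/.test(event.type)) {
    errors.push('type must be a dotted lowercase name');
  }
  if (!Number.isInteger(event.created_at)) {
    errors.push('created_at must be an integer unix timestamp');
  }
  if (typeof event.data !== 'object' || event.data === null) {
    errors.push('data must be an object');
  }
  return errors;
}

// Tracks event ids seen inside the tolerance window so a captured delivery
// cannot be replayed. In-memory here; a shared store is needed across replicas.
class ReplayGuard {
  constructor(maxAgeSec = MAX_AGE_SEC) {
    this.maxAgeSec = maxAgeSec;
    this.seen = new Map(); // id -> created_at
  }

  check(event, nowSec) {
    if (nowSec - event.created_at > this.maxAgeSec) return 'stale';
    if (event.created_at - nowSec > this.maxAgeSec) return 'future'; // clock skew beyond tolerance
    this.prune(nowSec);
    if (this.seen.has(event.id)) return 'duplicate';
    this.seen.set(event.id, event.created_at);
    return 'ok';
  }

  // Drop ids that can no longer be replayed because the timestamp check
  // would reject them anyway.
  prune(nowSec) {
    for (const [id, ts] of this.seen) {
      if (nowSec - ts > this.maxAgeSec) this.seen.delete(id);
    }
  }
}

// Second-stage handling of a signature-verified raw body. Returns the HTTP
// status to send and a reason, plus the parsed event when accepted.
function handleWebhook(rawBody, guard, nowSec) {
  let event;
  try {
    event = JSON.parse(rawBody);
  } catch (err) {
    return { status: 400, reason: 'invalid JSON' };
  }
  const errors = validateEvent(event);
  if (errors.length > 0) return { status: 400, reason: errors.join('; ') };

  const verdict = guard.check(event, nowSec);
  if (verdict === 'duplicate') {
    // Acknowledge so the sender stops retrying, but do not process it again.
    return { status: 200, reason: 'duplicate ignored' };
  }
  if (verdict !== 'ok') return { status: 400, reason: `timestamp ${verdict}` };
  return { status: 200, reason: 'accepted', event };
}

module.exports = { validateEvent, ReplayGuard, handleWebhook, MAX_AGE_SEC };
```

Duplicates are acknowledged with 200 rather than rejected so that a legitimately retried delivery does not keep coming back; stale or malformed events get 400 so the problem is visible in the sender's delivery logs. Deployments with more than one replica should back the seen-set with a shared store such as a database table keyed by event id.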

Incident Response

Security Incident Protocol

In the event of a security incident:
  1. Detection - Automated monitoring alerts security team
  2. Assessment - Immediate severity evaluation
  3. Containment - Isolate affected systems
  4. Notification - Inform affected customers within 24 hours
  5. Remediation - Fix vulnerability and deploy patches
  6. Review - Post-mortem analysis and improvements

Data Breach Response

If data is compromised:
  • Immediate notification to affected customers
  • Regulatory notification within required timeframes (72h for GDPR)
  • Free credit monitoring for affected individuals
  • Transparent communication about scope and impact
  • Corrective action plan publicly shared

Security for Developers

Secure Coding Practices

We follow security best practices in development:
  • Input validation on all API parameters
  • Output encoding to prevent injection attacks
  • Parameterized queries to prevent SQL injection
  • Content Security Policy (CSP) headers
  • CSRF protection on all state-changing operations
  • Regular security training for all engineers

Third-Party Security

Careful vetting of third-party services:
  • Security questionnaires for all vendors
  • Regular vendor reviews and audits
  • Contractual security requirements
  • Minimal data sharing with third parties
  • Vendor security incident monitoring

Reporting Security Issues

We take security seriously and welcome responsible disclosure.
Contact: security@transmit.dev
Responsible Disclosure Program:
  1. Email security@transmit.dev with details
  2. Allow 90 days for remediation before public disclosure
  3. Receive acknowledgment within 24 hours
  4. Coordinated disclosure timeline agreed upon
  5. Recognition in our security hall of fame (optional)
Bug Bounty: We offer rewards for critical vulnerabilities
Please do not test vulnerabilities on production systems. Contact us for a safe testing environment.

Security Checklist for Customers

Use this checklist to ensure you’re following security best practices:
  • Store API keys in environment variables
  • Never commit keys to version control
  • Use different keys per environment
  • Rotate keys every 90 days
  • Monitor key usage in dashboard
  • Revoke unused or compromised keys immediately
  • Only send necessary data to Transmit
  • Sanitize user input before sending
  • Enable encryption for sensitive content
  • Configure appropriate data retention periods
  • Regularly audit data being sent
  • Use HTTPS endpoints only
  • Always verify webhook signatures
  • Validate payload structure
  • Implement replay attack protection
  • Rate limit webhook processing
  • Log all webhook events
  • Enable MFA for all team members
  • Use role-based access control
  • Regularly review team member access
  • Remove access for departed team members
  • Audit access logs monthly
  • Set up alerts for unusual activity
  • Monitor API error rates
  • Track authentication failures
  • Review bounce and complaint rates
  • Check for data exfiltration patterns

Questions?

Our security team is here to help: