Security & compliance
Dedicated page for CISO / IT Directors
Everything your security team needs to validate Send for use in your information system: architecture, subprocessors, encryption, organizational measures, GDPR. Documentation current as of 2026.
Hosting
Send is available in two hosting models; choose according to your required level of sovereignty.
Hosted SaaS
- → Host: JMSI on dedicated infrastructure in France (Île-de-France)
- → Datacenter: Tier III certified, redundant dual power supply
- → Architecture: 2 Ubuntu LTS nodes, MariaDB 11, Redis 7, NFS WireGuard
- → Isolation: multi-tenant single-DB per tenant_id + global scope
- → Backups: DB + files daily to third-party storage
Self-hosting
- → Your servers, your datacenter, your private cloud
- → No subprocessor to declare in your GDPR registry
- → No telemetry, no unsolicited outbound call
- → Compatible with regulated sectors (healthcare HDS, finance, defense)
- → License details and pricing →
Subprocessors (SaaS mode)
Comprehensive list of subprocessors used in hosted SaaS mode, ready to copy into your GDPR Article 30 registry. In self-hosting mode, this list is empty.
| Subprocessor | Purpose | Country | DPA |
|---|---|---|---|
| JMSI | Infrastructure host | France | Included in Send contract |
| Stripe Payments Europe Ltd | Subscription billing | Ireland (EU) | Available on Stripe Dashboard |
| Sentry (Functional Software) | Application error reporting | USA (under SCC) | Available at sentry.io/legal/dpa |
| Anthropic PBC | Tool content_long_description generation (1 annual batch) | USA (under SCC) | Available at anthropic.com/legal |
| Mailgun (or customer's SMTP) | Transactional email sending | Configurable per tenant | According to chosen SMTP provider |
Updated on 4 June 2026. In case of modification, 30-day notice before taking effect.
Technical and organizational measures
Encryption in transit
TLS 1.2+ mandatory (TLS 1.3 by default). Modern cipher suites. HSTS preload enabled.
Encryption at rest
Secrets (Stripe keys, LLM API, SMTP password) encrypted with AES-256 via Laravel's encrypted cast. OS-level encrypted disks. Per-file encryption planned for Phase 4.
Authentication
Bcrypt hashing for passwords. Password reset via 1h signed link. Optional TOTP 2FA (enforceable per tenant). Aggressive rate limiting on /login + /register.
Authorization
Spatie Permission package with roles tenant-admin / tenant-manager / tenant-user / tenant-guest. Laravel policies on each business model. Mandatory tenant isolation tests.
Antivirus
ClamAV integrated on anonymous uploads (public collection page + /send). Healthcheck cron every 10 min, Sentry report if daemon down.
HTTP headers
HSTS preload, strict CSP (script-src 'self' + 'wasm-unsafe-eval' for tools), X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin, restrictive Permissions-Policy.
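An added example (not Send's own code) that a reviewer could use to check a captured response against the header policy listed above. The sample headers are constructed, and the includeSubDomains and max-age thresholds are the browser preload list's submission requirements, not values stated on this page.

```python
import re

def parse_csp(value):
    """Split a CSP header into {directive: [sources]}; the first duplicate wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit_headers(headers):
    """Return a list of findings; an empty list means the response matches the policy."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    # HSTS: the preload token alone is not enough to be accepted on the preload list.
    hsts = [d.strip().lower() for d in h.get("strict-transport-security", "").split(";")]
    max_age = next((int(m.group(1)) for d in hsts
                    if (m := re.fullmatch(r'max-age="?(\d+)"?', d))), 0)
    if "preload" not in hsts:
        findings.append("HSTS: preload directive missing")
    if "includesubdomains" not in hsts or max_age < 31536000:
        findings.append("HSTS: needs includeSubDomains and max-age >= 31536000")
    # CSP: script-src falls back to default-src when absent.
    csp = parse_csp(h.get("content-security-policy", ""))
    script_src = csp.get("script-src", csp.get("default-src"))
    if script_src is None:
        findings.append("CSP: no script-src or default-src directive")
    else:
        sources = {s.lower() for s in script_src}
        if "'self'" not in sources:
            findings.append("CSP: script-src lacks 'self'")
        for weak in sorted(sources & {"'unsafe-inline'", "'unsafe-eval'", "*"}):
            findings.append(f"CSP: script-src allows {weak}")
    # Headers with a single expected value on this page.
    expected = {"x-frame-options": "DENY", "x-content-type-options": "nosniff",
                "referrer-policy": "strict-origin"}
    for name, want in expected.items():
        got = h.get(name)
        if got is None or got.lower() != want.lower():
            findings.append(f"{name}: expected {want}, got {got}")
    if not h.get("permissions-policy"):
        findings.append("permissions-policy: header missing")
    return findings

# Constructed sample response headers (not captured from a real Send instance).
WEAK = {"Strict-Transport-Security": "max-age=86400",
        "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
        "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff"}
```

Calling audit_headers(WEAK) lists six deviations from the stated policy. Whether a Permissions-Policy is restrictive enough still needs a manual read of the features it disables.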
Audit log
All sensitive actions (login, share file, change role, delete data) logged via spatie/activitylog. 13-month retention (CNIL recommendation).
Backups
Daily DB + storage backup to third-party storage (S3 compatible). Restoration tested quarterly. 30-day default retention, configurable.
Data deletion
Soft delete + deferred hard delete after 30 days (configurable). GDPR article 17 via /api/v1/me/export. Audit log anonymization (not deletion — legal obligation).
Structured logs
Dedicated JSON channel with request_id + tenant_id + user_id. Ingestion-ready for Loki/ELK/Datadog. Sentry on errors.
Business continuity (Disaster Recovery)
Send has a documented Disaster Recovery plan covering 4 failure scenarios across the 2-node architecture + a cross-region cold standby. Mandatory quarterly tests.
RPO (max data loss)
24 hours
Daily S3 backup of DB + files to cross-region storage.
RTO app-server failure
1 hour
DB+app to bring up; NFS storage intact on media-server.
RTO media-server failure
30 min · 2h
Degraded mode 30 min (app up without uploads), full workers rebuild 2h.
RTO total disaster
4 hours
Cross-region cold standby from S3 secondary + DNS failover.
RTO DB corruption
1-2 hours
Point-in-time restore from dated S3 backup (D-1 to D-7).
Quarterly tests
One A/B/C/D scenario executed each quarter on staging, RTO measured and tracked in the admin console (table disaster_recovery_tests). Report available on CISO audit request.
Complete runbook
Step-by-step procedure (detection, escalation, shell commands, verifications) accessible to authorized admins. Also available as PDF in the DPA.
GDPR compliance
Article 30 — processing registry
List of subprocessors above. Ready-to-integrate registry template (downloadable on request).
Article 28 — DPA (Data Processing Agreement)
Signed DPA included in our terms. PDF version downloadable on request at contact@sudinformatique.com.
Article 15 — right of access
Endpoint /api/v1/me/export available for each user. Generates a ZIP of all personal data in under 5 minutes.
Article 17 — right to be forgotten
Account deletion via user profile. PII field anonymization in audit logs (retained for legal obligations). Hard delete of files after configurable grace period.
Article 32 — security of processing
Technical measures described above. Formalized incident management policy. Annual pen test (from Business / Enterprise self-hosting plans).
Article 33-34 — breach notification
Internal 24h incident procedure. CNIL + affected client notification within 72h via email to tenant admin contacts.
Certifications & roadmap
Current
GDPR-compliant
French hosting, declared subprocessors, DPA available, access and right-to-be-forgotten rights implemented. Quarterly internal audit.
Roadmap 2026-2027
ISO 27001 + HDS
ISO 27001 (information security management system) planned Q3 2027. HDS certification (health data hosting) on the Enterprise self-hosting offer Q4 2027 — based on client demand.
Security contact
CISO questionnaire to fill in before purchase? Vulnerability to report? Signed DPA to retrieve?
Responsible disclosure program: we value vulnerability reports. Target remediation time 30 days critical / 90 days major.