Compliance & Certifications
FormaMail maintains compliance with major security and privacy frameworks to ensure your data is handled securely and in accordance with applicable regulations.
SOC 2 Type II
SOC 2 Type II certification is in progress. Target completion: Q2 2026.
FormaMail is working toward SOC 2 Type II certification, which demonstrates our commitment to:
- Security: Protection against unauthorized access
- Availability: System uptime and performance monitoring
- Processing Integrity: Accurate and timely data processing
- Confidentiality: Protection of confidential information
- Privacy: Personal information handling per privacy notice
Request SOC 2 Report
Once available, SOC 2 reports can be requested via our contact page. Reports are shared under NDA.
GDPR Compliance
FormaMail is fully GDPR (General Data Protection Regulation) compliant for EU customers and data subjects.
Our GDPR Commitments
| Requirement | How We Comply |
|---|---|
| Lawful Basis | We process data under contract (to provide the service) |
| Data Minimization | We only collect data necessary for the service |
| Purpose Limitation | Email data used only for sending/tracking emails |
| Storage Limitation | Configurable retention periods (30-365 days) |
| Data Subject Rights | Full support for access, deletion, portability |
| Data Protection Officer | Available via contact page |
Data Subject Rights
FormaMail supports all GDPR data subject rights:
- Right to Access: Export all your data in JSON format via dashboard
- Right to Deletion: Delete account and all associated data
- Right to Rectification: Update personal data via dashboard
- Right to Data Portability: Export data in machine-readable format
- Right to Object: Opt out of marketing communications
Data Processing Agreement (DPA)
A DPA is available for all customers upon request. Our DPA covers:
- Nature and purpose of processing
- Types of personal data processed
- Categories of data subjects
- Duration of processing
- Technical and organizational measures
- Sub-processor list
Request a DPA: Use our contact page
Sub-processors
We use the following sub-processors to provide our services:
| Sub-processor | Purpose | Location |
|---|---|---|
| Railway | Application hosting, database, cache | US |
| Amazon Web Services (SES) | Email delivery | US |
| Cloudflare | DNS, DDoS protection, file storage (R2) | US |
| Vercel | Frontend hosting, CDN | US |
| Cashfree | Payment processing | India |
The sub-processor list is updated quarterly. Subscribe to updates via our contact page.
CCPA Compliance
FormaMail complies with the California Consumer Privacy Act (CCPA):
Consumer Rights Under CCPA
- Right to Know: Request what personal information we collect
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: We do not sell personal information
- Non-Discrimination: No discrimination for exercising CCPA rights
Do Not Sell My Personal Information
We do not sell personal information. FormaMail does not sell, rent, or trade customer data to third parties for commercial purposes.
CCPA Requests
To exercise your CCPA rights, use the in-dashboard privacy center or contact us via our contact page.
PCI DSS
FormaMail does not directly process, store, or transmit credit card data.
Payment processing is handled by Cashfree, which is PCI DSS Level 1 certified, the highest level of certification in the payment card industry.
What This Means
- Credit card numbers never touch our servers
- Payment forms are hosted by Cashfree
- We only store non-sensitive payment metadata (last 4 digits, expiry)
- All payment data is handled in PCI-compliant environments
HIPAA
FormaMail is not currently HIPAA compliant. Do not use FormaMail to send protected health information (PHI).
If you have HIPAA compliance requirements, please contact us to discuss our roadmap.
ISO 27001
ISO 27001 certification is on our roadmap for 2026. Our security practices already align with ISO 27001 principles:
- Information security policies
- Asset management
- Access control
- Cryptography
- Operations security
- Communications security
- Incident management
- Business continuity
Data Residency
Current Availability
| Region | Status | Notes |
|---|---|---|
| United States | Available | All customer data |
| European Union | Not available | Data stored in US |
| Asia Pacific | Not available | Data stored in US |
Important: All data, including data from EU and other international customers, is currently stored and processed in the United States. If you have specific data residency requirements, please contact us to discuss your needs.
Future Data Residency
EU and other regional data residency options are on our roadmap for future consideration. Contact us if you have specific requirements.
Compliance Documentation
Available Documents
| Document | Availability |
|---|---|
| Privacy Policy | Public |
| Terms of Service | Public |
| Data Processing Agreement | On request |
| SOC 2 Report | Coming Q2 2026 |
| Penetration Test Summary | On request (Enterprise) |
| Security Questionnaire | On request |
Request Documents
Use our contact page to request compliance documentation.
Compliance Contacts
For all compliance-related inquiries including security, privacy, GDPR, legal, and contracts, please use our contact page.
Select the appropriate subject when submitting your inquiry:
- Security - For security issues or vulnerability reports
- Privacy - For GDPR, CCPA, or other privacy-related requests
- Sales - For enterprise compliance requirements or DPA requests
- Support - For general compliance questions