Infrastructure security

• Hosted on enterprise-grade cloud infrastructure
• TLS 1.2+ for all data in transit
• Encryption at rest (AES-256)
• Secrets managed in a dedicated secrets vault
• Identity-based access between platform services
• Automated infrastructure provisioning via pipelines

Application security

• OAuth 2.0 / OpenID Connect authentication
• Granular role-based access control (RBAC)
• Multi-tenant data isolation
• Input validation on all API endpoints
• Centralized structured logging with controlled access
• Code review required for all production changes

Operational security

• Full audit trail for all entity changes
• Centralized logging and monitoring
• Automated alerting for anomalies
• Principle of least privilege for all access
• Regular access reviews
• Incident response procedures documented

Data residency

All data is hosted in the EU. We do not transfer data outside the EU unless explicitly configured by the tenant. All infrastructure services — database, cache, message bus and blob storage — reside in the same region.

Data processing

Message content is processed only for the purpose of delivery. We do not analyze, mine, or use message content for any purpose other than routing to the configured provider. Message variables are resolved at delivery time and are not stored separately from the rendered message.

Sub-processors

The following third-party services process data on behalf of OneSend2U:

• Microsoft Azure — Cloud infrastructure (EU)
• MongoDB Atlas — Database hosting (EU)
• Twilio — SMS, Email (SendGrid), WhatsApp delivery
• Infobip — SMS, Email, WhatsApp delivery
• Bitly — URL shortening service
• Short.io — URL shortening service
• Stripe — Payment processing for subscriptions and invoices
• PayPal — Payment processing for subscriptions and invoices

No-markup policy

Messaging-provider fees (Twilio, Meta, Infobip and others) are invoiced directly to you by the provider, under your own contract with them. OneSend2U charges only its platform fee.