
Overview

Migma is built with enterprise-grade security and compliance at its core. We hold a SOC 2 Type II attestation from an independent auditor, operate in line with GDPR, and help you meet email marketing regulations such as CAN-SPAM and CASL.

SOC 2 Type II

Third-party audited security controls

GDPR Compliant

Full data privacy compliance for EU

Email Law Compliant

CAN-SPAM, CASL, and international regulations

SOC 2 Compliance

What is SOC 2?

SOC 2 (System and Organization Controls 2) is an attestation framework from the American Institute of CPAs (AICPA). An independent auditor evaluates a service provider's controls against the AICPA Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Migma's SOC 2 Type II report means an auditor has tested both the design and the operating effectiveness of our controls over a review period, not just at a single point in time. The audit covers:
Security: controls to protect against unauthorized access
Access controls
  • Multi-factor authentication (MFA)
  • Role-based access control (RBAC)
  • Principle of least privilege
  • Regular access reviews
Infrastructure security
  • Encrypted data transmission (TLS 1.3)
  • Encrypted data at rest (AES-256)
  • Firewall protection
  • Intrusion detection systems
Secure development
  • Code review processes
  • Security testing
  • Vulnerability scanning
  • Dependency monitoring
Availability: system uptime and reliability
99.9% uptime SLA
  • Redundant infrastructure
  • Load balancing
  • Auto-scaling
  • Disaster recovery plan
Monitoring
  • 24/7 system monitoring
  • Automated alerting
  • Performance metrics
  • Incident response procedures
Backups
  • Daily automated backups
  • Multiple backup locations
  • Point-in-time recovery
  • Backup testing quarterly
Processing integrity: data processed completely, accurately, and only when authorized
Quality controls
  • Input validation
  • Error handling
  • Transaction logging
  • Audit trails
Accuracy
  • Data validation rules
  • Automated testing
  • Manual verification for critical operations
  • Reconciliation procedures
Confidentiality: protection of confidential information
Data classification
  • Public, internal, confidential, restricted
  • Appropriate handling per classification
  • Access controls based on sensitivity
Confidentiality agreements
  • Employee NDAs
  • Vendor agreements
  • Customer data agreements
Privacy: collection, use, retention, and disposal of personal information
Privacy notice
  • Clear privacy policy
  • Consent mechanisms
  • Purpose limitation
  • Data minimization
Data subject rights
  • Right to access
  • Right to deletion
  • Right to portability
  • Right to rectification

SOC 2 Benefits for Customers

Trust: Independent verification of security practices
Compliance: Helps meet your own compliance requirements
Risk reduction: Vendor security validated
Due diligence: Satisfies security questionnaires
Need our SOC 2 report? Contact enterprise@migma.ai

GDPR Compliance

What is GDPR?

General Data Protection Regulation (GDPR) is EU law protecting personal data and privacy. It applies to:
  • Companies operating in the EU
  • Companies offering goods/services to EU residents
  • Companies monitoring EU residents’ behavior
Penalties for non-compliance: up to €20 million or 4% of worldwide annual turnover, whichever is higher.

GDPR Principles

Migma helps you comply with the seven GDPR principles (Article 5):
Lawfulness, fairness and transparency: a lawful basis is required for processing personal data. Migma supports:
  • Consent: Clear opt-in mechanisms
  • Contract: Transactional emails
  • Legitimate interest: Service communications
How Migma helps:
  • Consent tracking and timestamps
  • Consent withdrawal mechanisms
  • Documented lawful basis

Data Subject Rights

Migma supports all GDPR data subject rights:
Right of access: individuals can request a copy of their personal data. How to request:
  1. Email privacy@migma.ai
  2. Verify identity
  3. Receive data within 30 days
What you receive:
  • All personal data we hold
  • How we use it
  • Who we share it with
  • Retention period
  • Your rights
Format: Machine-readable (JSON/CSV)
Right to rectification: individuals can correct inaccurate data. Self-service:
  • Preference center updates
  • Profile management
  • Instant changes
Request correction:
Right to erasure: individuals can request deletion. How to request:
  1. Click “Delete my account” in settings
  2. Or email privacy@migma.ai
  3. Confirm deletion request
What gets deleted:
  • ✅ Email address
  • ✅ Name and profile data
  • ✅ Preferences
  • ✅ Email history
  • ✅ Usage data
Retained (legal requirements):
  • Transaction records (tax law)
  • Anonymized analytics
  • Abuse prevention records
Timeline: Immediate deletion, confirmed within 24 hours
Right to data portability: individuals can export their data. Export your data:
  1. Settings → Privacy → Export Data
  2. Download JSON or CSV
  3. Use anywhere
Includes:
  • Subscriber list with all fields
  • Email templates
  • Campaign history
  • Analytics data
  • Preference settings
Right to restriction of processing: individuals can limit how their data is used. How to restrict:
  1. Preference center → Pause all emails
  2. Or email privacy@migma.ai
Effect:
  • No marketing emails sent
  • Data retained but not processed
  • Can be reversed anytime
Right to object: individuals can object to processing. Object to:
  • Direct marketing (unsubscribe)
  • Profiling for marketing
  • Legitimate interest processing
How:

GDPR Features in Migma

Built-in compliance tools:
Double opt-in for EU subscribers (configurable)
Consent timestamps recorded and auditable
Cookie consent for tracking (where applicable)
Privacy policy link in all emails
Data Processing Agreement available for enterprise
EU data residency option (coming soon)

CAN-SPAM Compliance (USA)

What is CAN-SPAM?

The Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 is the US federal law regulating commercial email. Penalties: up to $50,120 per separate email in violation (the FTC adjusts this figure for inflation each year).

CAN-SPAM Requirements

Migma helps you comply with all CAN-SPAM requirements:
1. Accurate Header Information

Required: From, To, Reply-To, and routing information must accurately identify the sender.
Migma enforces:
  • Verified sender domains
  • Accurate from names
  • Working reply-to addresses
  • No deceptive routing information
2. Non-Deceptive Subject Lines

Required: the subject must reflect the email's content.
Examples:
  • ✅ “25% Off Summer Sale - Ends Friday”
  • ❌ “Re: Your Order” (when there’s no order)
  • ❌ “Urgent: Security Alert” (for marketing)
Migma’s AI: Helps generate accurate subjects
3. Identify as Advertisement

Required: commercial email must be clearly identified as an advertisement. Not required when:
  • The message is transactional or relationship content (order confirmations, account notices)
  • The recipient gave prior affirmative consent to receive commercial messages
  • The customer specifically requested the information
Migma includes:
  • Optional “Advertisement” disclosure
  • Configurable per campaign type
4. Physical Postal Address

Required: a valid physical postal address in every commercial email (a street address, PO box, or registered private mailbox).
Migma automatically includes the address you configure, for example:
Your Company Name
123 Main Street, Suite 100
San Francisco, CA 94105
Configure once: Settings → Compliance → Business Address
Where it appears:
  • Email footer
  • Preference center
  • Unsubscribe page
5. Clear Unsubscribe Mechanism

Required:
  • Conspicuous unsubscribe option
  • Works for 30 days after sending
  • No fee, login, or additional info required
Migma provides:
  • ✅ One-click unsubscribe link
  • ✅ 30+ day link validity
  • ✅ No login required
  • ✅ Instant processing
  • ✅ Confirmation message
Automatically in every email footer
6. Honor Opt-Out Requests

Required: process opt-outs within 10 business days of receipt.
Migma processing:
  • Instant: Unsubscribes processed immediately
  • ✅ No emails sent after opt-out
  • 📝 Opt-out list maintained
  • 🔒 Cannot sell/transfer opt-out list
7. Monitor Third Parties

Required: you are responsible for all email sent on your behalf.
If using agencies/contractors:
  • Ensure they comply with CAN-SPAM
  • Monitor their sending practices
  • You’re liable for violations
Migma helps:
  • User permission system
  • Audit logs of all sends
  • Agency access controls

CAN-SPAM Compliance Checklist

Before sending marketing emails:
From address is accurate and yours
Subject line reflects email content
Physical address in footer
Clear unsubscribe link
Unsubscribe works immediately
No deceptive headers or routing
Migma automatically handles most of these!
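A pre-send check for the items above, as an added example (not Migma's code; Migma's own pre-send validation is not published here). It runs over a Python email.message.EmailMessage and treats VERIFIED_DOMAINS and POSTAL_ADDRESS as assumed configuration values; the two sample messages it builds are constructed for the demonstration. Beyond the checklist it also looks for the RFC 8058 List-Unsubscribe and List-Unsubscribe-Post headers, which make the unsubscribe link machine-readable for mailbox providers.

```python
"""Pre-send CAN-SPAM lint for an outgoing campaign message.

Added example, not Migma's code. It checks the checklist items against an
email.message.EmailMessage: a From address on a verified sending domain, a
usable Reply-To, a subject that does not fake a reply, the postal address in
the footer, and an unsubscribe mechanism that is both visible in the body and
machine-readable (RFC 8058 one-click List-Unsubscribe headers).
"""
from __future__ import annotations

import re
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: domains the account has verified (DNS) for sending.
VERIFIED_DOMAINS = {"mail.example.com"}
# Assumption: the address configured under Settings -> Compliance -> Business Address.
POSTAL_ADDRESS = "123 Main Street, Suite 100, San Francisco, CA 94105"

# "Re:"/"Fwd:" on a message that is not actually a reply is the classic deceptive subject.
FAKE_REPLY = re.compile(r"^\s*(re|fwd?)\s*:", re.IGNORECASE)
UNSUB_LINK = re.compile(r"https?://\S*unsubscribe\S*", re.IGNORECASE)


def lint_message(msg: EmailMessage) -> list[str]:
    """Return a list of finding codes; an empty list means the message passes."""
    findings: list[str] = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    if not from_addr or from_domain not in VERIFIED_DOMAINS:
        findings.append("from-domain-not-verified")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if "@" not in reply_to:
        findings.append("reply-to-missing")

    subject = msg.get("Subject", "")
    if not subject.strip():
        findings.append("subject-empty")
    elif FAKE_REPLY.match(subject) and not msg.get("In-Reply-To"):
        findings.append("subject-fakes-reply")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if POSTAL_ADDRESS not in text:
        findings.append("postal-address-missing")
    if not UNSUB_LINK.search(text):
        findings.append("unsubscribe-link-missing")

    # One-click unsubscribe (RFC 8058) needs both headers; large mailbox
    # providers now require them from bulk senders.
    if "<https://" not in msg.get("List-Unsubscribe", ""):
        findings.append("list-unsubscribe-header-missing")
    if msg.get("List-Unsubscribe-Post", "").strip() != "List-Unsubscribe=One-Click":
        findings.append("one-click-header-missing")
    return findings


def build_sample(compliant: bool) -> EmailMessage:
    """Constructed sample campaign message (not real Migma output)."""
    msg = EmailMessage()
    msg["To"] = "subscriber@example.org"
    unsub = "https://mail.example.com/unsubscribe?t=opaque-token"
    if compliant:
        msg["From"] = "Acme <news@mail.example.com>"
        msg["Reply-To"] = "hello@mail.example.com"
        msg["Subject"] = "25% Off Summer Sale - Ends Friday"
        msg["List-Unsubscribe"] = f"<{unsub}>, <mailto:unsubscribe@mail.example.com>"
        msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
        footer = f"\n\nAcme Inc.\n{POSTAL_ADDRESS}\nUnsubscribe: {unsub}\n"
    else:
        msg["From"] = "Acme <news@free-mail.example>"   # not a verified domain
        msg["Subject"] = "Re: Your Order"                # no order, no thread
        footer = "\n\nThanks for reading!\n"
    msg.set_content("Our summer sale starts now." + footer)
    return msg


if __name__ == "__main__":
    print("compliant:", lint_message(build_sample(True)))
    print("non-compliant:", lint_message(build_sample(False)))
```

Run it as a gate in the campaign pipeline: anything other than an empty list blocks the send and names what to fix.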

CASL Compliance (Canada)

What is CASL?

Canada’s Anti-Spam Legislation is stricter than CAN-SPAM. Key differences:
  • Opt-in required (vs opt-out in CAN-SPAM)
  • Express or implied consent needed before sending, and implied consent expires (typically 2 years after a purchase, 6 months after an inquiry)
  • Penalties: up to CAD $10 million per violation for organizations (CAD $1 million for individuals)

CASL Requirements

CASL Features in Migma

Checkbox consent tracking (express)
Consent timestamps and source
Consent expiration warnings (implied)
Canadian compliance mode toggle

Other International Regulations

Requires consent for cookies and tracking. Migma’s tracking:
  • Email open tracking (pixel)
  • Link click tracking
  • Analytics cookies (website)
Compliance:
  • Preference center includes tracking consent
  • Can disable tracking per subscriber
  • Cookie consent banner (for web)

Australian Spam Act

Similar to CAN-SPAM but requires:
  • Consent (opt-in)
  • Clear unsubscribe
  • Accurate sender info
Migma supports: All requirements via settings

PECR (UK)

The Privacy and Electronic Communications Regulations sit alongside UK GDPR. Requirements:
  • Consent for marketing emails
  • Soft opt-in exception for existing customers (similar products or services, with an opt-out offered at collection and in every message)
  • Clear unsubscribe
Migma compliance: Same as GDPR + consent tracking

Security Features

Encryption

All data encrypted during transmission:
TLS 1.3 for all connections
  • API requests
  • Web interface
  • Email sending (TLS to the receiving mail server is negotiated per hop with STARTTLS, so the protocol version on the final hop depends on what that server supports)
  • Database connections
HTTPS enforced
  • Automatic redirect from HTTP
  • HSTS headers
  • Perfect forward secrecy
All data encrypted when stored:
AES-256 encryption
  • Database (MongoDB encrypted)
  • File storage (S3 encrypted)
  • Backups (encrypted at rest)
Key management
  • Separate encryption keys per customer (enterprise)
  • Regular key rotation
  • Hardware security modules (HSMs)

Authentication & Access Control

Secure login:
Password requirements
  • Minimum 12 characters
  • Complexity requirements
  • No common passwords
  • Password hashing (bcrypt)
Multi-factor authentication (MFA)
  • TOTP authenticator apps
  • SMS fallback and backup codes (prefer TOTP; SMS is the weaker factor and exposed to SIM-swap attacks)
  • Enforce for all users (enterprise)
Session management
  • Secure session tokens
  • Automatic timeout
  • Device tracking

Infrastructure Security

SOC 2 Type II audited infrastructure
Regular penetration testing (quarterly)
Vulnerability scanning (continuous)
DDoS protection (Cloudflare)
WAF (Web Application Firewall)
Intrusion detection (automated)

Application Security

Input validation on all user input
XSS protection (content sanitization)
CSRF tokens on all forms
Injection prevention (parameterized queries; request data is never spliced into query structure, which for the MongoDB datastore also means rejecting user-supplied query operators such as $ne or $where)
Dependency scanning (automated updates)
Code review before deployment
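The MongoDB datastore listed under Subprocessors changes what "injection" looks like: the risk is request JSON carrying query operators rather than string concatenation. The following added example (not Migma's code) shows the vulnerable pattern next to the hardened one; USERS, the small matcher and the login handlers are constructed stand-ins for a real collection and the database driver.

```python
"""Query-operator injection guard for a MongoDB-backed application.

Added example, not Migma's code. With SQL, parameterized queries keep data out of
query structure. With MongoDB the equivalent risk is a JSON request body whose
values are objects carrying operators: {"email": {"$ne": null}} matches every
document and {"$where": "..."} runs JavaScript server-side. The guard below
treats request JSON strictly as data (scalars where scalars are expected) and
rejects any key starting with "$" or containing "." before it can reach a query.
USERS and the matcher are constructed stand-ins for a collection and the server.
"""
from __future__ import annotations

from typing import Any

USERS = [  # constructed sample collection
    {"_id": 1, "email": "alice@example.com", "role": "admin"},
    {"_id": 2, "email": "bob@example.com", "role": "user"},
]


class UnsafeQueryInput(ValueError):
    """Raised when request data would alter query structure."""


def assert_no_operators(value: Any, path: str = "body") -> None:
    """Recursively reject keys MongoDB would read as operators ($...) or field paths (a.b)."""
    if isinstance(value, dict):
        for key, child in value.items():
            if not isinstance(key, str) or key.startswith("$") or "." in key:
                raise UnsafeQueryInput(f"{path}.{key!r}: operator or dotted key not allowed")
            assert_no_operators(child, f"{path}.{key}")
    elif isinstance(value, list):
        for i, child in enumerate(value):
            assert_no_operators(child, f"{path}[{i}]")


def _match_field(actual: Any, expected: Any) -> bool:
    """Tiny stand-in for the server's matcher: equality, $ne and $gt only."""
    if isinstance(expected, dict) and any(str(k).startswith("$") for k in expected):
        for op, arg in expected.items():
            if op == "$ne":
                ok = actual != arg
            elif op == "$gt":
                ok = actual is not None and actual > arg
            else:
                raise NotImplementedError(op)
            if not ok:
                return False
        return True
    return actual == expected


def find(filt: dict) -> list[dict]:
    return [doc for doc in USERS if all(_match_field(doc.get(k), v) for k, v in filt.items())]


def login_lookup_vulnerable(body: dict) -> list[dict]:
    # The decoded JSON value is spliced straight into the filter: if the client
    # sent {"email": {"$ne": null}}, the filter now contains an operator.
    return find({"email": body.get("email")})


def login_lookup_hardened(body: dict) -> list[dict]:
    # 1) No operator/dotted keys anywhere in the request. 2) The field we query
    # on is a string. Password verification (bcrypt) happens in code afterwards,
    # never as a query match.
    assert_no_operators(body)
    email = body.get("email")
    if not isinstance(email, str) or "@" not in email:
        raise UnsafeQueryInput("email must be a string address")
    return find({"email": email})


if __name__ == "__main__":
    attack = {"email": {"$ne": None}, "password": {"$ne": None}}
    print("vulnerable:", [u["_id"] for u in login_lookup_vulnerable(attack)])   # both users
    try:
        login_lookup_hardened(attack)
    except UnsafeQueryInput as exc:
        print("hardened rejected:", exc)
```

The type check on the queried field is the part that matters most: the recursive key scan catches operators anywhere in the body, but a handler that only ever passes validated scalars into a filter cannot be steered by the client no matter what the body contained.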

Privacy Features

Data Processing Agreement (DPA)

For GDPR compliance: Enterprise customers receive a DPA covering:
  • Scope of processing
  • Data protection obligations
  • Sub-processors
  • Data subject rights
  • Security measures
  • Breach notification
Request DPA: enterprise@migma.ai

Subprocessors

Third-party services Migma uses:
Service: purpose (location)
AWS: hosting & infrastructure (USA)
MongoDB Atlas: database (USA)
Anthropic: AI models (USA)
Stripe: payment processing (USA)
Cloudflare: CDN & security (global)
Enterprise customers: Can request dedicated infrastructure or data residency options.

Data Residency

Current: data stored in the US (AWS us-east-1).
Coming soon:
  • EU data residency option
  • UK data residency option
  • Customer-specified regions (enterprise)

Incident Response

Security Incident Process

1. Detection

Automated monitoring:
  • Intrusion detection
  • Anomaly detection
  • Alert systems
2. Assessment

Within 1 hour:
  • Classify severity
  • Identify scope
  • Determine impact
3. Containment

Immediate actions:
  • Isolate affected systems
  • Block malicious activity
  • Prevent spread
4. Notification

If personal data affected:
  • Customers notified within 72 hours
  • Authorities notified (if required)
  • Transparent communication
5. Remediation

Fix and recover:
  • Patch vulnerabilities
  • Restore from backups
  • Enhanced monitoring
6. Post-Incident

Learn and improve:
  • Root cause analysis
  • Update procedures
  • Additional safeguards

Breach Notification

If your data is compromised:
  • Email notification within 72 hours
  • Details of what happened
  • Data affected
  • Steps taken
  • Your recommended actions
GDPR requirement (Art. 33): a controller must notify its supervisory authority within 72 hours of becoming aware of a breach, and a processor must notify the controller without undue delay so the controller can meet that deadline. Factor the time it takes Migma to notify you into your own 72-hour clock.

Audit & Logging

Audit Logs

Migma logs all significant actions:
User logins and logouts
Email creation and edits
Email sends
Subscriber additions/deletions
Setting changes
Team member actions
API calls
Retention: 1 year (enterprise: 7 years)
Access: Settings → Audit Logs

Compliance Reporting

Enterprise features:
  • Downloadable compliance reports
  • Activity summaries
  • User access reports
  • Data processing records

Best Practices

Use double opt-in. For GDPR compliance, the confirmation flow is:
  1. User signs up
  2. Confirmation email sent
  3. User clicks confirm link
  4. Subscription activated
Migma setting: Settings → Compliance → Double Opt-In: ON
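The confirmation link in step 3 and the one-click unsubscribe link described under CAN-SPAM share one security requirement: the URL must prove who it was issued to without a login, must not be forgeable, and must not be reusable for a different action. The following is an added example of one way to mint such links (not Migma's implementation, which is not published); SECRET_KEY, the subscriber id, the TTLs and the base URL are all assumptions, and the in-memory sets stand in for database columns.

```python
"""Signed, expiring links for double opt-in confirmation and one-click unsubscribe.

Added example, not Migma's implementation. It assumes a server-side secret
(SECRET_KEY, which in production comes from a secret store) and an opaque
subscriber id. A token is purpose|subscriber_id|expiry plus an HMAC-SHA256 tag,
so a link cannot be forged or re-purposed (a confirmation token is useless as
an unsubscribe token), it expires, and confirmation is single-use. Unsubscribe
links stay valid well past the 30 days CAN-SPAM requires and need no login.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)   # assumption: load from a secret store, rotate with care
CONFIRM_TTL = 48 * 3600                # confirmation links live 2 days
UNSUB_TTL = 90 * 24 * 3600             # unsubscribe links live 90 days (> the 30-day minimum)
TAG_LEN = hashlib.sha256().digest_size

# Stand-ins for database state (confirmed_at / unsubscribed_at columns).
_confirmed: set[str] = set()
_unsubscribed: set[str] = set()


def _tag(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(token: str) -> bytes:
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def make_token(purpose: str, subscriber_id: str, ttl: int, now: float | None = None) -> str:
    """Mint a URL-safe token bound to one purpose and one subscriber."""
    if "|" in purpose or "|" in subscriber_id:
        raise ValueError("purpose and subscriber_id must not contain '|'")
    exp = int(time.time() if now is None else now) + ttl
    payload = f"{purpose}|{subscriber_id}|{exp}".encode("utf-8")
    return _b64e(payload + _tag(payload))


def verify_token(token: str, purpose: str, now: float | None = None) -> str | None:
    """Return the subscriber id if the token is authentic, unexpired and for `purpose`."""
    now = time.time() if now is None else now
    try:
        raw = _b64d(token)
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        tok_purpose, subscriber_id, exp_str = payload.decode("utf-8").split("|")
        exp = int(exp_str)
    except (ValueError, UnicodeDecodeError):
        return None
    # Check the MAC first, in constant time, before trusting any field.
    if not hmac.compare_digest(tag, _tag(payload)):
        return None
    if tok_purpose != purpose or exp < now:
        return None
    return subscriber_id


def confirm_subscription(token: str, now: float | None = None) -> bool:
    """Double opt-in step 3: a confirmation link works exactly once."""
    sid = verify_token(token, "confirm", now)
    if sid is None or sid in _confirmed:
        return False
    _confirmed.add(sid)
    return True


def unsubscribe(token: str, now: float | None = None) -> bool:
    """One-click unsubscribe: idempotent, no login, no extra data required."""
    sid = verify_token(token, "unsubscribe", now)
    if sid is None:
        return False
    _unsubscribed.add(sid)
    return True


def links_for(subscriber_id: str, base_url: str = "https://mail.example.com") -> dict[str, str]:
    """URLs to embed: the confirmation email, and the footer/List-Unsubscribe header."""
    return {
        "confirm": f"{base_url}/confirm?t={make_token('confirm', subscriber_id, CONFIRM_TTL)}",
        "unsubscribe": f"{base_url}/unsubscribe?t={make_token('unsubscribe', subscriber_id, UNSUB_TTL)}",
    }


if __name__ == "__main__":
    urls = links_for("sub_123")
    print(urls)
    token = urls["confirm"].split("t=")[1]
    print("confirm:", confirm_subscription(token))   # True the first time
    print("again:", confirm_subscription(token))     # False: single use
```

Record the confirmation timestamp and the unsubscribe timestamp against the subscriber when these handlers succeed; together with the consent source they are the audit trail the "document everything" list below asks for.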
Keep consent records. Document everything:
  • When consent obtained
  • How consent obtained
  • What they consented to
  • IP address (optional)
  • Timestamp
Migma tracks automatically
Audit regularly. Quarterly checklist:
  • Review privacy policy (still accurate?)
  • Check unsubscribe links (working?)
  • Verify physical address (current?)
  • Test preference center (functional?)
  • Review retained data (still needed?)
Train your team. Ensure everyone knows:
  • Privacy requirements
  • How to handle data requests
  • What not to do with subscriber data
  • Breach reporting procedures

Intellectual Property & Prohibited Uses

Protection of Proprietary Systems

Migma’s proprietary technology is protected by intellectual property laws.
Strictly prohibited activities: the following actions are expressly forbidden and constitute violations of our Terms of Service:
  • Extracting, copying, or reverse-engineering our AI model instructions, prompts, or system configurations
  • Scraping, harvesting, or systematically collecting emails, templates, or content from the platform
  • Reproducing or redistributing our proprietary algorithms, workflows, or technical implementations
  • Using extracted content for commercial purposes including training competing AI models
  • Sharing, selling, or licensing any proprietary Migma technology or content to third parties
  • Automated data extraction via bots, scrapers, or unauthorized API usage

Intellectual Property Rights

What Migma owns:
Protected intellectual property includes:
AI model instructions and prompts
  • System prompts and configurations
  • Model fine-tuning and training data
  • Prompt engineering techniques
  • AI workflow architectures
Platform technology
  • Source code and algorithms
  • Database schemas and structures
  • API implementations
  • User interface designs
Proprietary methodologies
  • Email generation processes
  • Image-to-email conversion algorithms
  • Figma import technology
  • Content optimization systems
Legal protection: Copyright, trade secret, and patent laws
Your content ownership: you retain ownership of:
  • Your email content and copy
  • Your uploaded images and assets
  • Your subscriber lists and data
  • Your brand materials
License you grant Migma:
  • Limited license to process and display your content
  • Only for providing the service to you
  • Revocable upon account deletion
  • Non-transferable to third parties
What we don’t do:
  • Claim ownership of your content
  • Use your content for other customers
  • Sell or license your content
  • Train models on your private content (without consent)
AI-generated content rights: content created by Migma’s AI:
  • You receive a license to use commercially
  • Migma retains underlying technology rights
  • You cannot extract or reverse-engineer the generation process
  • You cannot claim the AI system as your own
Example:
  • ✅ Use AI-generated email in your campaigns
  • ✅ Modify and customize AI output
  • ❌ Extract prompts used to generate content
  • ❌ Replicate our AI generation system

Enforcement & Violations

We actively monitor for violations:
1. Detection

Automated monitoring for:
  • Unusual API usage patterns
  • Systematic data extraction attempts
  • Unauthorized access to system internals
  • Suspicious account activity
2. Investigation

Upon detection:
  • Account flagged for review
  • Activity logs analyzed
  • Scope of violation assessed
  • Evidence documented
3. Enforcement Actions

Depending on severity:
Minor violations:
  • Warning notification
  • Temporary access restrictions
  • Mandatory compliance review
Serious violations:
  • Immediate account suspension
  • Permanent account termination
  • Legal action for damages
  • Criminal referral (if applicable)
4. Legal Remedies

We reserve the right to:
  • Seek injunctive relief
  • Pursue monetary damages
  • Report to law enforcement
  • Pursue criminal charges for theft of trade secrets

Penalties for Violations

Legal consequences may include:
💰 Financial penalties:
  • Statutory damages up to $150,000 per work (copyright)
  • Actual damages plus profits from misuse
  • Attorney fees and court costs
  • Punitive damages for willful violations
⚖️ Civil liability:
  • Breach of contract claims
  • Misappropriation of trade secrets
  • Unfair competition
  • Tortious interference
🚨 Criminal liability:
  • Trade secret theft (up to 10 years imprisonment)
  • Computer fraud and abuse
  • Wire fraud
  • Copyright infringement

Acceptable Use Policy

What you CAN do:
Use Migma to create and send your email campaigns
Export your own subscriber data and content
Integrate via official API with proper authentication
Share publicly available documentation and guides
Provide feedback and feature suggestions
Use AI-generated content in your business
What you CANNOT do:
❌ Reverse-engineer our AI models or prompts
❌ Scrape or systematically download platform content
❌ Share or resell access to Migma technology
❌ Use extracted data to build competing products
❌ Circumvent security or access controls
❌ Violate rate limits or terms of service

Reporting Violations

If you discover misuse of Migma’s intellectual property:

Report IP Violations

Email: legal@migma.ai
Include:
  • Description of the violation
  • Evidence (URLs, screenshots, etc.)
  • Your contact information
  • Date and time of discovery
We investigate all reports within 48 hours

Third-Party Compliance

If you’re building integrations or using our API:
Authorized API use only. Required:
  • Valid API key with proper scopes
  • Respect rate limits
  • Follow API documentation
  • Proper attribution where required
Prohibited:
  • Sharing API keys
  • Exceeding rate limits
  • Undocumented API endpoints
  • Automated account creation
Building on Migma. Allowed:
  • Official API integrations
  • Zapier/Make.com workflows
  • Custom internal tools
  • Documented webhook usage
Not allowed:
  • Screen scraping
  • Unofficial API access
  • Bypassing authentication
  • Extracting proprietary logic
If you’re an agency or reseller, you may:
  • Manage client accounts (with permission)
  • Create campaigns for clients
  • Provide training and support
  • Charge for your services
You may not:
  • Resell Migma access without authorization
  • White-label Migma as your own product
  • Share proprietary Migma technology
  • Claim ownership of Migma features

Data Protection for Proprietary Content

How we protect our intellectual property:
Security controls:
  • 🔒 Encrypted system prompts and configurations
  • 🔐 Access controls on proprietary code
  • 🛡️ Rate limiting and abuse detection
  • 📊 Monitoring and anomaly detection
  • 🚫 Obfuscation of sensitive algorithms

Educational Use & Research

Academic and research exceptions:
Limited exceptions for:Academic research:
  • Must be non-commercial
  • Requires prior written approval
  • Proper attribution required
  • Results may be published with permission
Educational purposes:
  • Classroom demonstrations (with license)
  • Student projects (non-commercial)
  • Training materials (authorized only)
Contact: research@migma.ai for approval

Need Help?

Privacy Policy

Read our privacy policy

Terms of Service

Review terms of service

Contact Privacy Team

Enterprise Security

Get SOC 2 report