
Overview

Migma is built with enterprise-grade security and compliance at its core. We maintain SOC 2 certification, GDPR compliance, and help you meet email marketing regulations like CAN-SPAM and CASL.

SOC 2 Certified

Third-party audited security controls

GDPR Compliant

Full data privacy compliance for EU

Email Law Compliant

CAN-SPAM, CASL, and international regulations

SOC 2 Compliance

What is SOC 2?

SOC 2 (Service Organization Control 2) is an auditing standard developed by the American Institute of CPAs (AICPA) that ensures service providers securely manage data to protect customer privacy. Migma’s SOC 2 Type II certification means we’ve been independently audited for:
Controls to protect against unauthorized access:
Access controls
  • Multi-factor authentication (MFA)
  • Role-based access control (RBAC)
  • Principle of least privilege
  • Regular access reviews
Infrastructure security
  • Encrypted data transmission (TLS 1.3)
  • Encrypted data at rest (AES-256)
  • Firewall protection
  • Intrusion detection systems
Secure development
  • Code review processes
  • Security testing
  • Vulnerability scanning
  • Dependency monitoring
System uptime and reliability:
99.9% uptime SLA
  • Redundant infrastructure
  • Load balancing
  • Auto-scaling
  • Disaster recovery plan
Monitoring
  • 24/7 system monitoring
  • Automated alerting
  • Performance metrics
  • Incident response procedures
Backups
  • Daily automated backups
  • Multiple backup locations
  • Point-in-time recovery
  • Backup testing quarterly
Data is processed completely, accurately, and only when authorized:
Quality controls
  • Input validation
  • Error handling
  • Transaction logging
  • Audit trails
Accuracy
  • Data validation rules
  • Automated testing
  • Manual verification for critical operations
  • Reconciliation procedures
Protection of confidential information:
Data classification
  • Public, internal, confidential, restricted
  • Appropriate handling per classification
  • Access controls based on sensitivity
Confidentiality agreements
  • Employee NDAs
  • Vendor agreements
  • Customer data agreements
Personal information collection, use, retention, and disposal:
Privacy notice
  • Clear privacy policy
  • Consent mechanisms
  • Purpose limitation
  • Data minimization
Data subject rights
  • Right to access
  • Right to deletion
  • Right to portability
  • Right to rectification

SOC 2 Benefits for Customers

Trust: Independent verification of security practices
Compliance: Helps meet your own compliance requirements
Risk reduction: Vendor security validated
Due diligence: Satisfies security questionnaires
Need our SOC 2 report? Contact [email protected]

GDPR Compliance

What is GDPR?

General Data Protection Regulation (GDPR) is EU law protecting personal data and privacy. It applies to:
  • Companies operating in the EU
  • Companies offering goods/services to EU residents
  • Companies monitoring EU residents’ behavior
Penalties for non-compliance: Up to €20 million or 4% of global revenue, whichever is higher.

GDPR Principles

Migma helps you comply with all seven GDPR principles:
  • Lawfulness
  • Purpose Limitation
  • Data Minimization
  • Accuracy
  • Storage Limitation
  • Integrity & Confidentiality
  • Accountability
Lawful basis for processing personal data. Migma supports:
  • Consent: Clear opt-in mechanisms
  • Contract: Transactional emails
  • Legitimate interest: Service communications
How Migma helps:
  • Consent tracking and timestamps
  • Consent withdrawal mechanisms
  • Documented lawful basis

Data Subject Rights

Migma supports all GDPR data subject rights:
Individuals can request their data. How to request:
  1. Email [email protected]
  2. Verify identity
  3. Receive data within 30 days
What you receive:
  • All personal data we hold
  • How we use it
  • Who we share it with
  • Retention period
  • Your rights
Format: Machine-readable (JSON/CSV)
Individuals can correct inaccurate data. Self-service:
  • Preference center updates
  • Profile management
  • Instant changes
Request correction:
Individuals can request deletion. How to request:
  1. Click “Delete my account” in settings
  2. Or email [email protected]
  3. Confirm deletion request
What gets deleted:
  • ✅ Email address
  • ✅ Name and profile data
  • ✅ Preferences
  • ✅ Email history
  • ✅ Usage data
Retained (legal requirements):
  • Transaction records (tax law)
  • Anonymized analytics
  • Abuse prevention records
Timeline: Immediate deletion, confirmed within 24 hours
Individuals can export their data. Export your data:
  1. Settings → Privacy → Export Data
  2. Download JSON or CSV
  3. Use anywhere
Includes:
  • Subscriber list with all fields
  • Email templates
  • Campaign history
  • Analytics data
  • Preference settings
Individuals can limit how data is used. How to restrict:
  1. Preference center → Pause all emails
  2. Or email [email protected]
Effect:
  • No marketing emails sent
  • Data retained but not processed
  • Can be reversed anytime
Individuals can object to processing. Object to:
  • Direct marketing (unsubscribe)
  • Profiling for marketing
  • Legitimate interest processing
How:

GDPR Features in Migma

Built-in compliance tools:
  • Double opt-in for EU subscribers (configurable)
  • Consent timestamps recorded and auditable
  • Cookie consent for tracking (where applicable)
  • Privacy policy link in all emails
  • Data Processing Agreement available for enterprise
  • EU data residency option (coming soon)

CAN-SPAM Compliance (USA)

What is CAN-SPAM?

The Controlling the Assault of Non-Solicited Pornography And Marketing Act is a US federal law regulating commercial email. Penalties: Up to $50,120 per violation

CAN-SPAM Requirements

Migma helps you comply with all CAN-SPAM requirements:
1. Accurate Header Information

Required: From, To, and Reply-To must be accurate. Migma enforces:
  • Verified sender domains
  • Accurate from names
  • Working reply-to addresses
  • No deceptive routing information
2. Non-Deceptive Subject Lines

Required: Subject must reflect email content. Examples:
  • ✅ “25% Off Summer Sale - Ends Friday”
  • ❌ “Re: Your Order” (when there’s no order)
  • ❌ “Urgent: Security Alert” (for marketing)
Migma’s AI: Helps generate accurate subjects
3. Identify as Advertisement

Required for commercial emails. Not always necessary if:
  • Relationship exists
  • Content is transactional
  • Customer requested info
Migma includes:
  • Optional “Advertisement” disclosure
  • Configurable per campaign type
4. Physical Postal Address

Required: Valid physical address in every email. Migma automatically includes:
Your Company Name
123 Main Street, Suite 100
San Francisco, CA 94105
Configure once: Settings → Compliance → Business Address
Where it appears:
  • Email footer
  • Preference center
  • Unsubscribe page
5. Clear Unsubscribe Mechanism

Required:
  • Conspicuous unsubscribe option
  • Works for 30 days after sending
  • No fee, login, or additional info required
Migma provides:
  • ✅ One-click unsubscribe link
  • ✅ 30+ day link validity
  • ✅ No login required
  • ✅ Instant processing
  • ✅ Confirmation message
Automatically in every email footer
6. Honor Opt-Out Requests

Required: Process unsubscribes within 10 business days. Migma processing:
  • Instant: Unsubscribes processed immediately
  • ✅ No emails sent after opt-out
  • 📝 Opt-out list maintained
  • 🔒 Cannot sell/transfer opt-out list
7. Monitor Third Parties

Required: You are responsible for all email sent on your behalf. If using agencies/contractors:
  • Ensure they comply with CAN-SPAM
  • Monitor their sending practices
  • You’re liable for violations
Migma helps:
  • User permission system
  • Audit logs of all sends
  • Agency access controls

CAN-SPAM Compliance Checklist

Before sending marketing emails:
  • From address is accurate and yours
  • Subject line reflects email content
  • Physical address in footer
  • Clear unsubscribe link
  • Unsubscribe works immediately
  • No deceptive headers or routing
Migma automatically handles most of these!

CASL Compliance (Canada)

What is CASL?

Canada’s Anti-Spam Legislation is stricter than CAN-SPAM. Key differences:
  • Opt-in required (vs opt-out in CAN-SPAM)
  • Express or implied consent needed before sending
  • Penalties: Up to $10 million CAD per violation

CASL Requirements

CASL Features in Migma

  • Checkbox consent tracking (express)
  • Consent timestamps and source
  • Consent expiration warnings (implied)
  • Canadian compliance mode toggle

Other International Regulations

Requires consent for cookies and tracking. Migma’s tracking:
  • Email open tracking (pixel)
  • Link click tracking
  • Analytics cookies (website)
Compliance:
  • Preference center includes tracking consent
  • Can disable tracking per subscriber
  • Cookie consent banner (for web)

Australian Spam Act

Similar to CAN-SPAM but requires:
  • Consent (opt-in)
  • Clear unsubscribe
  • Accurate sender info
Migma supports: All requirements via settings

PECR (UK)

Privacy and Electronic Communications Regulations. Requirements:
  • Consent for marketing emails
  • Exceptions for existing customers
  • Clear unsubscribe
Migma compliance: Same as GDPR + consent tracking

Security Features

Encryption

All data encrypted during transmission:
TLS 1.3 for all connections
  • API requests
  • Web interface
  • Email sending
  • Database connections
HTTPS enforced
  • Automatic redirect from HTTP
  • HSTS headers
  • Perfect forward secrecy
All data encrypted when stored:
AES-256 encryption
  • Database (MongoDB encrypted)
  • File storage (S3 encrypted)
  • Backups (encrypted at rest)
Key management
  • Separate encryption keys per customer (enterprise)
  • Regular key rotation
  • Hardware security modules (HSMs)

Authentication & Access Control

  • User Authentication
  • Role-Based Access
  • API Security
Secure login:
Password requirements
  • Minimum 12 characters
  • Complexity requirements
  • No common passwords
  • Password hashing (bcrypt)
Multi-factor authentication (MFA)
  • TOTP authenticator apps
  • SMS backup codes
  • Enforce for all users (enterprise)
Session management
  • Secure session tokens
  • Automatic timeout
  • Device tracking

Infrastructure Security

  • SOC 2 Type II audited infrastructure
  • Regular penetration testing (quarterly)
  • Vulnerability scanning (continuous)
  • DDoS protection (Cloudflare)
  • WAF (Web Application Firewall)
  • Intrusion detection (automated)

Application Security

  • Input validation on all user input
  • XSS protection (content sanitization)
  • CSRF tokens on all forms
  • SQL injection prevention (parameterized queries)
  • Dependency scanning (automated updates)
  • Code review before deployment

Privacy Features

Data Processing Agreement (DPA)

For GDPR compliance: Enterprise customers receive a DPA covering:
  • Scope of processing
  • Data protection obligations
  • Sub-processors
  • Data subject rights
  • Security measures
  • Breach notification
Request DPA: [email protected]

Subprocessors

Third-party services Migma uses:
Service          Purpose                    Location
AWS              Hosting & infrastructure   USA
MongoDB Atlas    Database                   USA
Anthropic        AI models                  USA
Stripe           Payment processing         USA
Cloudflare       CDN & security             Global
Enterprise customers: Can request dedicated infrastructure or data residency options.

Data Residency

Current: Data stored in US (AWS us-east-1)
Coming soon:
  • ✅ EU data residency option
  • ✅ UK data residency option
  • ✅ Customer-specified regions (enterprise)

Incident Response

Security Incident Process

1. Detection

Automated monitoring:
  • Intrusion detection
  • Anomaly detection
  • Alert systems
2. Assessment

Within 1 hour:
  • Classify severity
  • Identify scope
  • Determine impact
3. Containment

Immediate actions:
  • Isolate affected systems
  • Block malicious activity
  • Prevent spread
4. Notification

If personal data affected:
  • Customers notified within 72 hours
  • Authorities notified (if required)
  • Transparent communication
5. Remediation

Fix and recover:
  • Patch vulnerabilities
  • Restore from backups
  • Enhanced monitoring
6. Post-Incident

Learn and improve:
  • Root cause analysis
  • Update procedures
  • Additional safeguards

Breach Notification

If your data is compromised:
  • Email notification within 72 hours
  • Details of what happened
  • Data affected
  • Steps taken
  • Your recommended actions
GDPR requirement: 72-hour notification to authorities

Audit & Logging

Audit Logs

Migma logs all significant actions:
  • User logins and logouts
  • Email creation and edits
  • Email sends
  • Subscriber additions/deletions
  • Setting changes
  • Team member actions
  • API calls
Retention: 1 year (enterprise: 7 years)
Access: Settings → Audit Logs

Compliance Reporting

Enterprise features:
  • Downloadable compliance reports
  • Activity summaries
  • User access reports
  • Data processing records

Best Practices

For GDPR compliance:
  1. User signs up
  2. Confirmation email sent
  3. User clicks confirm link
  4. Subscription activated
Migma setting: Settings → Compliance → Double Opt-In: ON
Document everything:
  • When consent obtained
  • How consent obtained
  • What they consented to
  • IP address (optional)
  • Timestamp
Migma tracks automatically
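The four-step double opt-in flow and the consent record it should produce (when, how, what, optional IP, timestamp), as an added Python example that is not Migma's own code: the 48-hour link validity, the in-memory store, the SHA-256 hashing of the token and the sample addresses are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed validity of the confirmation link; the page gives no figure for it.
TOKEN_TTL = timedelta(hours=48)


@dataclass
class ConsentRecord:
    """The consent evidence the page lists: when, how, what, optional IP, timestamp."""
    email: str
    purpose: str               # what they consented to (e.g. a named list)
    method: str                # how consent was obtained
    obtained_at: str           # when, as UTC ISO-8601
    ip_address: Optional[str]  # optional, as on the page


@dataclass
class DoubleOptIn:
    # Only a SHA-256 of the token is stored, so a leaked store cannot forge confirmations.
    pending: dict = field(default_factory=dict)   # token hash -> (email, purpose, issued_at)
    consents: list = field(default_factory=list)  # audit trail of ConsentRecord

    def sign_up(self, email: str, purpose: str, now: Optional[datetime] = None) -> str:
        """Steps 1-2: register a pending subscription; return the token for the confirmation email."""
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.pending[key] = (email, purpose, now or datetime.now(timezone.utc))
        return token

    def confirm(self, token: str, ip_address: Optional[str] = None,
                now: Optional[datetime] = None) -> Optional[ConsentRecord]:
        """Steps 3-4: the user clicked the link; activate only for a valid, unexpired, unused token."""
        now = now or datetime.now(timezone.utc)
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)  # single use: a replayed link is rejected
        if entry is None:
            return None
        email, purpose, issued_at = entry
        if now - issued_at > TOKEN_TTL:
            return None  # expired: no consent recorded, the subscriber must sign up again
        record = ConsentRecord(email, purpose, "double opt-in (confirmation link clicked)",
                               now.isoformat(), ip_address)
        self.consents.append(record)
        return record
```

Each ConsentRecord is the evidence to keep for the "document everything" list; a subscriber whose link expired or was reused gets no record and stays unsubscribed.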
Quarterly checklist:
  • Review privacy policy (still accurate?)
  • Check unsubscribe links (working?)
  • Verify physical address (current?)
  • Test preference center (functional?)
  • Review retained data (still needed?)
Ensure team knows:
  • Privacy requirements
  • How to handle data requests
  • What not to do with subscriber data
  • Breach reporting procedures

Need Help?