// Trust & Security Report

    Mailgun Technologies, Inc. (a Sinch company) logo

    Mailgun Technologies, Inc. (a Sinch company)

    Transactional and bulk email delivery API/SMTP platform for developers, with adjacent tools: Mailgun Optimize (deliverability suite), Mailgun Validate (email validation), and Mailgun Inspect (email preview/accessibility). Mailgun is a sibling brand to Mailjet and Email on Acid under the 'Sinch Email' business unit; all three are covered together in Sinch's SOC 2 / ISO audit scope.

    Certifications held

    6

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    "Sinch Mailgun is SOC 2 Type II and ISO/IEC 27001 Certified" (mailgun.com/security/). Trust center announcement: "Mailgun Technologies, Inc has completed its SOC2 Type II for Sinch Mailgun, Mailjet and Email on Acid Services for the August 1, 2024 to July 31, 2025 period. The report is now available for download from our Trust Center by selecting Mailgun"

    Verify on mailgun.com
    ISO/IEC 27001
    HELD

    "Sinch Mailgun is SOC 2 Type II and ISO/IEC 27001 Certified" (mailgun.com/security/). Trust center: "Updated ISO27001 and ISO27701 Certificates for Mailgun Technologies Inc. are now available for download on the Trust Center" and "We recently received our completed 2023 SOC 2 reports, ISO 27001 and ISO 27701 certifications for Sinch Mailgun, Sinch Mailjet, and Sinch Email On Acid."

    Verify on mailgun.com
    ISO/IEC 27701 (privacy information management)
    HELD

    "2024 ISO27001 and ISO27701 Certificates now available for Mailgun Technologies Inc. Updated ISO27001 and ISO27701 Certificates for Mailgun Technologies Inc. are now available for download on the Trust Center."

    Verify on trust.sinch.com
    GDPR (compliance posture, not a certification)
    HELD

    "We have appointed a Data Protection Officer, who will be in charge of compliance with the GDPR across our business." "We also have in place EU Model standard contractual clauses in our Data Processing Addendum, and in place with all our vendors to ensure any data transfers are done properly and securely." DPA available for Article 28 GDPR requirements; Mailgun EU region (api.eu.mailgun.net) lets customers keep message data in-region.

    Verify on mailgun.com
    EU-U.S. Data Privacy Framework
    HELD

    "Mailgun Technologies, Inc. is now self-certified with the EU-US Data Privacy Framework. The certification can be viewed publicly at: https://www.dataprivacyframework.gov/s/ then search for Mailgun." Privacy policy confirms: Mailgun Technologies, Inc. "complies with the EU-U.S Data Privacy Framework."

    Verify on trust.sinch.com
    HIPAA (Business Associate Addendum available, not a certification)
    HELD

    "This HIPAA Addendum shall be applicable only in the event and to the extent Mailgun meets, with respect to you and as to your use of the Mailgun Services, the definition of a Business Associate set forth at 45 C.F.R. Section 160.103." Same document states: "the Mailgun Services include the transmission of unencrypted email in plain text over the public internet and open networks" and "You are responsible for encrypting any sensitive data you use in conjunction with the Mailgun Services."

    Verify on mailgun.com
    > Show 6 unconfirmed / not-held certifications
    SOC 2 Type I
    NOT CONFIRMED

    The Sinch Trust Center lists a general 'SOC 2 Type I' badge across the whole Sinch portfolio, but every Mailgun-specific trust-center announcement found (2023, 2024, 2025) names only 'SOC2 Type II' for 'Sinch Mailgun, Mailjet and Email on Acid Services.' No Mailgun-specific Type I report was named. mailgun.com/security/ also cites only Type II. Treat the Type I badge as unconfirmed for the Mailgun product specifically (likely applies to other Sinch products in the same multi-brand trust center).

    source: trust.sinch.com
    PCI DSS
    NOT CONFIRMED

    A generic 'PCI' badge appears on the shared Sinch Trust Center (covering many Sinch products including voice/payment-notification services), but mailgun.com/security/ makes no PCI claim for the Mailgun product itself, and no Mailgun-specific PCI DSS report or scope statement was found. Third-party guidance describes Mailgun only as usable for PCI-adjacent payment notification emails, not as a PCI DSS certified processor. Treat as unconfirmed for Mailgun specifically.

    source: mailgun.com
    TISAX
    NOT CONFIRMED

    TISAX badge appears on the shared Sinch Trust Center but is an automotive-industry information-security assessment relevant to Sinch's voice/messaging OEM customers; no Mailgun-specific relevance or scope statement found.

    source: trust.sinch.com
    CSA STAR
    NOT CONFIRMED

    CSA badge listed on the shared Sinch Trust Center at the organization level; no Mailgun-product-specific CSA STAR registry entry or scope statement was found on mailgun.com.

    source: trust.sinch.com
    ISO/IEC 42001 (AI management systems)
    NOT CONFIRMED

    No public evidence. Mailgun is an email delivery API, not an AI/LLM product; the Sinch Trust Center lists only 2 FAQ answers under an 'Artificial Intelligence' category (governance FAQs, not a certification) and no ISO 42001 or CSA STAR AI badge is listed.

    source: trust.sinch.com
    FedRAMP
    NOT CONFIRMED

    No public evidence. Not listed on the Sinch Trust Center badges or on mailgun.com/security/; not typically pursued by transactional email API vendors without direct US federal agency contracts.

    source: mailgun.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Dual-region hosting: US (default, api.mailgun.net) and EU (api.eu.mailgun.net); customers choose region at the domain level and message data is stated to stay within the chosen region. Underlying infrastructure described as Google Cloud Platform on the current security page, while the GDPR page still references legacy providers ("Amazon Web Services, Rackspace, Softlayer, and Google Cloud Platform") - a likely stale/unreconciled statement across two of Mailgun's own pages.

    Mailgun is a transactional/bulk email delivery API, not a generative-AI product, and no public statement (privacy policy, security page, or trust center) addresses training AI/ML models on customer email content or metadata either way. The homepage references an 'Email Impact' marketing report discussing AI's influence on email as a channel trend, not an AI feature built into the product. Recommend listing AI-training posture as 'not applicable / no public statement' rather than asserting an opt-out exists.

    // Security controls

    Encryption at rest

    AES-256 encryption at rest for all customer data

    mailgun.com

    Encryption in transit

    TLS/HTTPS for API and dashboard traffic; however, the HIPAA BAA itself discloses that outbound email delivery to third-party mail servers occurs in plain text when the recipient's server does not support TLS - encryption in transit is not end-to-end guaranteed for the email payload itself

    mailgun.com

    Data center controls

    "access to all data centers is highly controlled with around the clock surveillance and biometric access control systems"; hosted on Google Cloud Platform infrastructure

    mailgun.com

    Penetration testing

    Annual third-party penetration tests for Mailgun/Mailjet/Email on Acid, performed by Doyensec (2023) and Abira Security (2024); reports posted to the trust center security portal

    trust.sinch.com

    Vulnerability disclosure / incident transparency

    Trust center publishes dated advisories confirming no impact from named CVEs/incidents (e.g. CVE-2022-3602/3786 OpenSSL, CVE-2023-4863 libwebp, Citrix CVE-2023-4966, Salesloft/Drift, Salt Typhoon)

    trust.sinch.com

    Data Protection Officer

    Appointed DPO responsible for GDPR compliance across the business

    mailgun.com

    // Products & data scope

    Mailgun Send (core API/SMTP)Transactional & bulk email delivery

    data: Recipient addresses, message content/metadata, sending domain/DNS records, delivery logs

    The product AIFOXX lists; covered by the SOC 2 Type II / ISO 27001 / ISO 27701 certifications cited above.

    Mailgun OptimizeEmail deliverability analytics/consulting suite

    data: Aggregate sending reputation and engagement data

    Same compliance scope as core Mailgun per trust center product grouping.

    Mailgun ValidateEmail address validation API

    data: Email addresses submitted for syntax/deliverability validation

    Same compliance scope as core Mailgun per trust center product grouping.

    Mailgun InspectEmail preview / accessibility and rendering QA

    data: Rendered email HTML/content submitted for preview

    Same compliance scope as core Mailgun per trust center product grouping.

    // What to watch

    • Sinch's Trust Center is shared across many unrelated product lines (SMS, voice, chat, email); several badges shown at the org level (PCI, TISAX, CSA STAR, HECVAT) are NOT confirmed as applying to the Mailgun product specifically and are graded held=false here despite appearing as generic badges - avoid displaying these on the Mailgun listing without a Mailgun-specific source.
    • SOC 2 Type I is asserted as a general Sinch trust-center badge but every Mailgun-named audit announcement found cites Type II only; do not list Type I for Mailgun without a Mailgun-named report.
    • HIPAA support is a signed Business Associate Addendum, not a certification, and the addendum itself discloses that email transmission is not guaranteed to be encrypted end-to-end (plain text if the recipient's server lacks TLS support) - list with this caveat, not as a blanket 'HIPAA compliant' claim.
    • Mailgun's own GDPR page still names legacy infrastructure providers (AWS, Rackspace, Softlayer) alongside GCP, while the current security page names only GCP - a minor unreconciled/stale statement across two of the vendor's own pages, not a fabrication risk but worth noting.
    • AI-training posture on customer data has no public vendor statement either direction; do not assert an opt-out or a training-use claim for AIFOXX's AI-tools framing - Mailgun is infrastructure, not a generative AI product, and this should be labeled 'not applicable / unstated' rather than true or false.

    // At a glance

    Pricing model

    Free tier plus usage/volume-tiered subscription plans; custom enterprise pricing for higher volume and features like dedicated IPs and HIPAA BAA

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Mailgun Technologies, Inc. (a Sinch company)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.sinch.com

    > Browse all vendor trust reports