// Trust & Security Report
Resend, Inc.
Developer email API (transactional + marketing email delivery), with add-ons for audiences/broadcasts, inbound email, React Email template library, and webhooks; single product tier structure (Free/Pro/Scale/Enterprise) rather than separate consumer vs enterprise products.
Certifications held
3
Maturity
Growth
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on resend.com“Resend is SOC 2 Type II compliant. The auditing was done by Advantage Partners which has a track record of partnering with many SaaS companies. The reporting period is from February 1, 2025 to February 1, 2026. Resend also uses Vanta to monitor, collect, and submit evidence to auditors.”
Verify on resend.com“Resend is GDPR compliant. We have made it a priority to protect your data. ... Resend also uses Vanta to monitor all GDPR controls and organize evidence for compliance.”
Verify on resend.com“Being certified under the EU-US Data Privacy Framework (DPF) and the UK Extension to the EU-US DPF allows us to better support customers in the EU and the UK. [Resend has] long been SOC 2 and GDPR compliant.”
> Show 7 unconfirmed / not-held certifications
source: resend.comNo public evidence of a separate Type I report; Resend's own blog post frames its first audit directly as a Type II covering August 1, 2023 to February 1, 2024 ("passed our first Type II audit with zero exceptions"), with no mention of a prior Type I.
source: resend.comNo public evidence. Not listed on resend.com/security, the SOC 2 page, the Enterprise page, or the GDPR page. Resend's own GDPR page contrasts itself with ISO 27001 only rhetorically ("Unlike SOC 2 or ISO 27001, GDPR is not a best practice standard...") without claiming ISO 27001 for itself.
source: resend.comNo public evidence of HIPAA compliance or BAA availability. The Enterprise page and DPA make no mention of HIPAA or Business Associate Agreements.
source: resend.comNo public evidence. Resend does not process cardholder data directly (billing is handled via Stripe as a subprocessor); no PCI DSS claim found on any vendor page.
source: resend.comNo public evidence. No AI-governance certification is mentioned on any Resend security, trust, or enterprise page.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Sending region is selectable (US, EU/Ireland, Brazil, Japan) but all account data, email metadata, logs, and API records are stored in the United States regardless of sending region, per Resend's own docs.
The Privacy Policy contains no statement addressing whether customer email content is used for AI/ML model training, and Resend's product is an email-delivery API, not a generative-AI product, so no dedicated AI-training disclosure page exists. The nav link labeled "AI" on resend.com resolved to a 404, so no evidence could be gathered either way; recorded as unknown rather than assumed.
// Security controls
DDoS protection
Automatic protection from Layer 7 (application) and Layer 3 SYN-flood attacks
resend.comAPI key scoping
API keys can be created with limited access and different permission levels
resend.comVulnerability disclosure
Responsible Disclosure program listed alongside SOC 2 / GDPR on the security page
resend.comContinuous compliance monitoring
Vanta used to monitor SOC 2 and GDPR controls and collect audit evidence in real time
resend.com// Products & data scope
data: Email content, recipient PII (addresses, names), delivery/engagement events (opens, clicks, bounces, complaints)
Core product; account/log data stored in US only regardless of chosen send region.
data: Contact lists, subscriber attributes, broadcast analytics
Same underlying compliance posture as core API; no separate certification scope disclosed.
data: None (client-side template code, no data processed by Resend)
Open source project, not itself a hosted service subject to Resend's compliance program.
data: Same data scope as core API
Adds SSO/legal-document redlining and questionnaire support (Enterprise Plan required to request DPA changes); no distinct enterprise-only cert (e.g. no HIPAA/BAA) found.
// What to watch
- No HIPAA/BAA offering found despite Resend being usable for sending patient-facing transactional email; buyers in healthcare should not assume HIPAA coverage without contacting Resend directly.
- AI-training posture on customer/email data is undocumented (no dedicated statement in Privacy Policy); recorded as unknown (null) rather than assumed safe or unsafe.
- All stored account/log data resides in the US even when EU send region is selected; EU customers relying on data residency for compliance should read the DPA (SCCs) and DPF certification, not assume EU data residency.
// At a glance
Pricing model
Usage-based tiers (Free, Pro, Scale) plus custom Enterprise plan
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Resend, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
resend.com