// Trust & Security Report

    Resend, Inc. logo

    Resend, Inc.

    Developer email API (transactional + marketing email delivery), with add-ons for audiences/broadcasts, inbound email, React Email template library, and webhooks; single product tier structure (Free/Pro/Scale/Enterprise) rather than separate consumer vs enterprise products.

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Resend is SOC 2 Type II compliant. The auditing was done by Advantage Partners which has a track record of partnering with many SaaS companies. The reporting period is from February 1, 2025 to February 1, 2026. Resend also uses Vanta to monitor, collect, and submit evidence to auditors.

    Verify on resend.com
    GDPR (posture, not a certifiable standard)
    HELD

    Resend is GDPR compliant. We have made it a priority to protect your data. ... Resend also uses Vanta to monitor all GDPR controls and organize evidence for compliance.

    Verify on resend.com
    EU-US Data Privacy Framework (DPF) + UK Extension
    HELD

    Being certified under the EU-US Data Privacy Framework (DPF) and the UK Extension to the EU-US DPF allows us to better support customers in the EU and the UK. [Resend has] long been SOC 2 and GDPR compliant.

    Verify on resend.com
    > Show 7 unconfirmed / not-held certifications
    SOC 2 Type I
    NOT CONFIRMED

    No public evidence of a separate Type I report; Resend's own blog post frames its first audit directly as a Type II covering August 1, 2023 to February 1, 2024 ("passed our first Type II audit with zero exceptions"), with no mention of a prior Type I.

    source: resend.com
    ISO 27001
    NOT CONFIRMED

    No public evidence. Not listed on resend.com/security, the SOC 2 page, the Enterprise page, or the GDPR page. Resend's own GDPR page contrasts itself with ISO 27001 only rhetorically ("Unlike SOC 2 or ISO 27001, GDPR is not a best practice standard...") without claiming ISO 27001 for itself.

    source: resend.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance or BAA availability. The Enterprise page and DPA make no mention of HIPAA or Business Associate Agreements.

    source: resend.com
    PCI DSS
    NOT CONFIRMED

    No public evidence. Resend does not process cardholder data directly (billing is handled via Stripe as a subprocessor); no PCI DSS claim found on any vendor page.

    source: resend.com
    ISO/IEC 42001 (AI governance)
    NOT CONFIRMED

    No public evidence. No AI-governance certification is mentioned on any Resend security, trust, or enterprise page.

    source: resend.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found on Resend's own domain.

    source: resend.com
    FedRAMP
    NOT CONFIRMED

    No public evidence found on Resend's own domain.

    source: resend.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Sending region is selectable (US, EU/Ireland, Brazil, Japan) but all account data, email metadata, logs, and API records are stored in the United States regardless of sending region, per Resend's own docs.

    The Privacy Policy contains no statement addressing whether customer email content is used for AI/ML model training, and Resend's product is an email-delivery API, not a generative-AI product, so no dedicated AI-training disclosure page exists. The nav link labeled "AI" on resend.com resolved to a 404, so no evidence could be gathered either way; recorded as unknown rather than assumed.

    // Security controls

    Encryption in transit

    TLS

    resend.com

    Encryption at rest

    AES-256

    resend.com

    Uptime SLA

    99.95% server uptime

    resend.com

    DDoS protection

    Automatic protection from Layer 7 (application) and Layer 3 SYN-flood attacks

    resend.com

    API key scoping

    API keys can be created with limited access and different permission levels

    resend.com

    Backups

    Daily backups, retained for one week

    resend.com

    Penetration testing

    Regular penetration tests conducted by third-party security firms

    resend.com

    Vulnerability disclosure

    Responsible Disclosure program listed alongside SOC 2 / GDPR on the security page

    resend.com

    Continuous compliance monitoring

    Vanta used to monitor SOC 2 and GDPR controls and collect audit evidence in real time

    resend.com

    // Products & data scope

    Resend Email API (transactional + marketing)Developer email sending API / SMTP / SDKs

    data: Email content, recipient PII (addresses, names), delivery/engagement events (opens, clicks, bounces, complaints)

    Core product; account/log data stored in US only regardless of chosen send region.

    Audiences / BroadcastsMarketing email / contact management

    data: Contact lists, subscriber attributes, broadcast analytics

    Same underlying compliance posture as core API; no separate certification scope disclosed.

    React EmailOpen-source template library

    data: None (client-side template code, no data processed by Resend)

    Open source project, not itself a hosted service subject to Resend's compliance program.

    Enterprise planHigher-tier commercial offering

    data: Same data scope as core API

    Adds SSO/legal-document redlining and questionnaire support (Enterprise Plan required to request DPA changes); no distinct enterprise-only cert (e.g. no HIPAA/BAA) found.

    // What to watch

    • No HIPAA/BAA offering found despite Resend being usable for sending patient-facing transactional email; buyers in healthcare should not assume HIPAA coverage without contacting Resend directly.
    • AI-training posture on customer/email data is undocumented (no dedicated statement in Privacy Policy); recorded as unknown (null) rather than assumed safe or unsafe.
    • All stored account/log data resides in the US even when EU send region is selected; EU customers relying on data residency for compliance should read the DPA (SCCs) and DPF certification, not assume EU data residency.

    // At a glance

    Pricing model

    Usage-based tiers (Free, Pro, Scale) plus custom Enterprise plan

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Resend, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    resend.com

    > Browse all vendor trust reports