MassiveSMS
Buy a pack
[Legal]Security Overview

Security Overview.

Last updated · May 1, 2026·Massive SMS Inc.

MassiveSMS handles phone numbers, message contents, and billing data for thousands of operators worldwide. Security is a primary engineering concern, not a compliance afterthought. This page summarizes our posture. For detailed reports and questionnaires, email security@massivesms.com.

Compliance & certifications

  • SOC 2 Type I achieved Q1 2026. SOC 2 Type II audit in progress with target completion Q4 2026.
  • ISO/IEC 27001 in progress (target Q3 2026).
  • PCI DSS: we are in SAQ A scope — we never see, store, or process card numbers. All card data is collected and processed by Stripe, Inc., a PCI DSS Level 1 service provider, via Stripe Elements / Stripe Checkout. Our integration uses tokenized references only.
  • GDPR, UK GDPR, LGPD, CCPA/CPRA, PIPEDA compliant.
  • TCPA recordkeeping built into the platform: opt-in, opt-out, and audit logs retained 7 years.
  • HIPAA: not currently a covered entity. We do not accept PHI through the Service.

Encryption

  • In transit: TLS 1.3 enforced for all public endpoints. HSTS preloaded.
  • At rest: AES-256 for primary databases, encrypted EBS volumes, encrypted S3 buckets.
  • Backups: encrypted, region-isolated, integrity-checked weekly.
  • Secrets: stored in AWS Secrets Manager + Vercel encrypted env. Rotated quarterly.

Access control

  • Production access requires SSO + hardware security key (FIDO2 / WebAuthn).
  • Least-privilege IAM. Just-in-time elevation for write access, audited.
  • No shared credentials. Bastion-only SSH with session recording.
  • Mandatory background checks for engineers with production access.

Application security

  • OWASP Top 10 controls baked into framework patterns and code review.
  • Dependency scanning on every PR (Snyk + GitHub Dependabot).
  • Static analysis (Semgrep) and secret scanning (TruffleHog) in CI.
  • Third-party penetration test conducted before public launch. Annual cadence post-launch. Reports under NDA.
  • Responsible disclosure program: report vulnerabilities to security@massivesms.com. Public bug bounty platform planned for Q4 2026.

Infrastructure

  • Multi-AZ deployments on AWS (us-east-1 primary, eu-west-1 read replica).
  • Vercel edge for the dashboard and marketing site.
  • Separate VPCs for production, staging, and CI build runners.
  • WAF and DDoS mitigation at the edge (Vercel + AWS Shield).
  • Carrier-side: dual-route failover (Telnyx primary, Twilio backup) to minimize delivery dependency.

Logging & monitoring

  • Centralized application logs to Datadog with 90-day retention.
  • Audit logs of every admin action, opt-in/opt-out, and authentication event for 7 years.
  • Real-time alerting on anomalous traffic, failed authentication, and infrastructure health.
  • On-call rotation 24/7 for production incidents.

Incident response

We follow a documented incident response runbook with severity tiers (SEV-1 through SEV-4). Critical incidents are escalated to engineering leadership within 5 minutes of detection. Customer notifications for confirmed Personal Data breaches go out within 72 hours per GDPR / LGPD obligations, with detailed post-mortems published publicly for SEV-1 and SEV-2 events.

Business continuity

  • RPO (Recovery Point Objective): 5 minutes for primary data, 1 hour for analytics.
  • RTO (Recovery Time Objective): 30 minutes for the API, 1 hour for the dashboard.
  • Quarterly DR drills with documented results.
  • Vendor concentration risk reviewed annually; alternate carriers and cloud regions identified.

Employee security

  • Mandatory annual security and privacy training.
  • Endpoint management via MDM with full-disk encryption, automatic patching, and remote wipe.
  • Phishing simulation campaigns quarterly.
  • Offboarding revokes all access within 60 minutes of HR notification.

Reporting a vulnerability

We welcome responsible disclosure. Email security@massivesms.com with steps to reproduce, impact assessment, and any supporting material. We acknowledge within 24 hours and aim to remediate critical issues within 7 days. Public bug bounty platform launches Q4 2026. Until then, eligible reports are rewarded $500–$5,000 depending on severity, paid via the same channels as our affiliate program.

Documentation on request

Available under NDA via security@massivesms.com:

  • SOC 2 Type I report (current); SOC 2 Type II report (when available, Q4 2026)
  • Penetration test summary
  • Vendor security questionnaire (CAIQ + custom)
  • Subprocessor list with country and purpose
  • Business continuity plan summary
  • Incident response runbook (redacted)