Compliance
SOC 2, GDPR, and data protection practices
npayload is built to meet the security and data protection requirements of regulated industries. This page covers our compliance posture, data handling practices, and the shared responsibility model.
SOC 2 Type II
npayload is pursuing SOC 2 Type II certification. All controls are mapped and audit-ready.
| Milestone | Status |
|---|---|
| Controls mapping | Complete |
| Internal audit | Complete |
| External audit engagement | In progress |
| Expected certification | Q3 2026 |
The SOC 2 report will cover the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
GDPR
npayload complies with the General Data Protection Regulation (GDPR) for organisations operating in the European Union.
Data processing
npayload acts as a data processor on behalf of your organisation (the data controller). We process message payloads and metadata solely for the purpose of delivering your messages.
Right to erasure
You can delete any data stored in npayload:
- Messages: Delete individual messages or purge entire channels
- Channels: Archive and permanently delete channels
- DLQ entries: Purge dead letter queue entries
- Organisation data: Request full account deletion
Deletion requests are processed within 30 days. Backup copies are purged within 90 days.
Data portability
Export your data at any time through the API:
- Message history with full payloads
- Channel and subscription configuration
- Audit logs
Data minimisation
npayload stores only what is necessary for message delivery. In E2E encryption mode, npayload cannot read message payloads at all.
Encryption
In transit
All connections use TLS 1.3. Older TLS versions are not supported. Certificate pinning is available for Enterprise customers.
At rest
All data at rest is encrypted with AES-256. Encryption keys are managed through a dedicated key management service and rotated automatically.
End-to-end encryption
For maximum privacy, npayload offers E2E encryption mode per channel:
- RSA-4096 for key exchange between publishers and subscribers
- AES-256-GCM for payload encryption
- npayload cannot read encrypted payloads
- Only the publisher and subscriber hold decryption keys
E2E encryption mode limits some features (such as payload-based filtering and schema validation) because npayload cannot inspect the payload. Use Hybrid mode if you need routing with payload privacy.
Data retention
Data retention is configurable per channel:
| Setting | Default | Range |
|---|---|---|
| Message retention | 7 days | 1 day to unlimited |
| DLQ retention | 14 days | 1 day to 90 days |
| Audit log retention | 90 days | 90 days to unlimited |
Enterprise customers can configure custom retention policies. Expired data is permanently deleted and cannot be recovered.
Audit logging
Every API operation is recorded in an immutable audit trail:
- Publish, delivery, and retry events
- Channel and subscription lifecycle events
- Authentication and authorisation events
- DLQ replay and purge events
- Administrative actions (user management, configuration changes)
Audit entries are linked with a hash chain, forming a tamper-evident log. Any modification to an entry invalidates the chain.
Incident response
npayload maintains a documented incident response plan:
| Severity | Response time | Update frequency |
|---|---|---|
| Critical (service down) | 15 minutes | Every 30 minutes |
| High (degraded service) | 1 hour | Every 2 hours |
| Medium (non-critical) | 4 hours | Daily |
| Low (informational) | 1 business day | As needed |
Security incidents are disclosed to affected customers within 72 hours, in compliance with GDPR breach notification requirements.
Shared responsibility model
| Responsibility | npayload | Customer |
|---|---|---|
| Infrastructure security | Yes | |
| Platform availability | Yes | |
| Data encryption (in transit, at rest) | Yes | |
| E2E encryption key management | Yes | |
| API key and credential management | Yes | |
| Webhook endpoint security | Yes | |
| Payload content and PII handling | Yes | |
| Access control within your organisation | Yes | |
Sub-processors
npayload uses sub-processors for infrastructure, edge delivery, and billing. A current list of sub-processors is available upon request.
We notify customers 30 days before adding a new sub-processor. Enterprise customers can object to sub-processor changes.
Data Processing Agreement
A Data Processing Agreement (DPA) is available for all paid plans. The DPA covers:
- Standard contractual clauses (SCCs) for international transfers
- Data processing terms aligned with GDPR Article 28
- Sub-processor disclosure and notification
Contact support@npayload.com to request a DPA.
Next steps
- Security for authentication, encryption modes, and network security
- Regions and availability for data residency controls
- Audit trails for how audit logging works