Q37
Do you have a current SOC 2 Type II report?
SOC 2 Type II: claimed_with_trust_page
SendGrid Vendor Risk Assessment — Full Report
Before you share customer data with SendGrid, your compliance team needs documented proof they can be trusted. ThirdProof investigated SendGrid across 27 intelligence sources — here's what we found.
⚠ FedRAMP Status: Not found in the FedRAMP Marketplace. Vendors handling government data or CUI must be FedRAMP authorized.
Risk Tier
Tier 3 — Moderate RiskSOC 2
⚠ Vendor AttestedFedRAMP
— Not AuthorizedLast Assessed
Mar 25, 2026🟢IP Reputation: Abuse score: 0%, 0 reports🟡SSL/TLS: TLSv1.2🟢Domain Age: 16.9 years🟢Infrastructure: 2 open ports, 0 CVEs
- FedRAMP Status
- SendGrid is not listed on the FedRAMP Marketplace as of March 2026.
- SOC 2 Status
- SendGrid has a SOC 2 claim detected on their trust page. Claim is vendor-attested — no public registry exists for independent verification.
- Sanctions Screening
- SendGrid returned no matches in OFAC SDN, EU Consolidated, and UN sanctions screening.
- Risk Tier
- ThirdProof assigned SendGrid a Moderate Risk tier with 89% confidence across 27 intelligence sources.
24 sources queried. 89% confidence. Every SendGrid investigation produces both a risk report and an auto-filled security questionnaire — no vendor follow-up required.
Get SendGrid's Full Report Free →5 free investigations|Risk report + auto-filled questionnaire|Avg. 7 minutes
Certification & Compliance Status
Security Questionnaire — Auto-Filled
43 of 133 questions answered for SendGrid
Auto-filled from public evidence • 32% complete
Q38
Do you have ISO 27001 certification?
SendGrid's official security page confirms ISO/IEC 27001 compliance certification.
Q41
Are you FedRAMP authorized? At what level?
Not found in FedRAMP marketplace
Source: External Automedium confidence
Q40
Are you HIPAA compliant? Do you sign BAAs?
HIPAA compliance / BAA claim found on trust page (Vendor attested)
Q42
Are you GDPR compliant? Do you have a DPA available?
SendGrid makes available a GDPR-compliant Data Processing Addendum for processing personal data under GDPR as a data processor.
+ 4 more compliance questions answered in the full report
Every investigation produces a full PDF report plus the complete 133-question questionnaire, mapped to SOC 2, HIPAA, PCI DSS, SIG, and more.
Get SendGrid's Full Report Free →✗Not Listed on FedRAMP Marketplace
Verified against FedRAMP Marketplace API as of March 2026
Organizations with federal compliance requirements should verify this directly at marketplace.fedramp.gov.
SendGrid (Twilio) is not independently listed on the FedRAMP Marketplace. Twilio is FedRAMP authorized separately.
◇27 data sources queried per assessment
◷Reports generated in an average of 7 minutes
◈SHA-256 verified for audit integrity
✓Deterministic risk scoring — no AI guesswork
3Tier
Moderate Risk
Sendgrid
Vendor Risk Assessment
Confidence Score89%
Based on data availability and source coverage
24
Sources Queried
23
Sources With Data
March 25, 2026
Last Assessed
Executive Summary
AI-generated analysis for Sendgrid
SendGrid (sendgrid.com), operated under Twilio Inc., is a widely-deployed cloud email delivery platform rated Tier 3 (Moderate Risk) by ThirdProof's rule engine, reflecting a combination of meaningful security concerns and substantive positive signals across infrastructure, domain health, and compliance posture. SendGrid demonstrates a strong technical security baseline across multiple dimensions:
Key Findings
- Domain infrastructure is healthy with valid DNS, SSL/TLS, and all three primary security headers (HSTS, CSP, X-Frame-Options) configured
- Infrastructure exposure is minimal, with only 2 open ports (80 and 443) detected and zero known CVEs — well below the SaaS industry average of 8–12 open ports
- The domain has been established for over 16 years, registered via enterprise-tier registrar MarkMonitor, and carries zero abuse reports against its primary IP
- Domain reputation is clean across all blacklist checks (SURBL, Spamhaus DBL, URLhaus), Malware detection service shows no threats, and open threat exchange returned zero pulses
- The HTTP security headers scan yielded a grade of B (70/100), indicating a largely well-configured security posture
- Multiple compliance certifications are claimed on the vendor's security page (https://sendgrid.com/security), including SOC 2 Type II, PCI DSS Level 1, ISO 27018, and HIPAA eligibility The primary concern driving the Tier 3 designation is a high-severity archived media finding: a 2025 report from SOCRadar references an alleged breach exposing SendGrid customer credentials. While this article is approximately one year old and the underlying incident is characterized as "alleged," it represents an unresolved question about credential security and platform integrity that warrants direct follow-up with the vendor. Additionally, a cluster of Hacker News discussions from January 2026 documents phishing attacks exploiting SendGrid's infrastructure and brand — a known risk vector for high-volume email platforms — and an older 2015 Krebs on Security report documents a prior employee account compromise. The certificate transparency logs show 34 different certificate issuers, which may indicate inconsistent certificate lifecycle management across the platform's large infrastructure footprint. Finally, while the vendor's subprocessor page exists, automated extraction was unsuccessful, leaving supply chain visibility incomplete. All four claimed certifications (SOC 2, ISO 27018, PCI DSS, HIPAA) are vendor-attested rather than independently verified. SendGrid is a mature, widely-used platform with a strong technical security baseline and substantial compliance claims from its parent company Twilio. The conditional recommendation reflects the unresolved alleged breach report and the need to independently verify compliance documentation before onboarding at medium data access levels.
Independence Statement
All evidence in this report was independently sourced by ThirdProof from external public data sources without vendor participation, notification, or input.
Investigation Findings
4 findings identified for Sendgrid
1 high3 medium
high
Adverse Media: Alleged massive breach exposing SendGrid customer credentials
1 article(s) reference significant concerns for "SendGrid": "Everything You Need to Know About the Alleged Twilio SendGrid Breach" (SOCRadar® Cyber Intelligence Inc.) https://news.google.com/rss/articles/CBMibEFVX3lxTE4yWEpvcDRqQVpteVR6Zkxkd25SM0pjejV3dmtGXzZWc1pZMXM3Z3BnOV9BMEE3eWNOLWlMdFF2WGdGNHoxNFhXU2VTbjBjSTkxV2RCMDAzc3ByZElKR3dPbXdnRnctQkE4blV0TQ?oc=5
medium
LEI Registration Lapsed
The LEI registration for SendGrid, Inc. has status "LAPSED". This may indicate the entity no longer maintains its regulatory filings.
medium
Adverse Media Scan Unavailable
A critical data source was unavailable during this investigation. Manual verification is recommended.
Source:Adverse Media Scan (Fallback)
medium
Multiple Certificate Issuers (34)
sendgrid.com has certificates from 34 different Certificate Authorities. This may indicate inconsistent certificate management practices.
✓
Security Strengths
26 positive signals verified
✓
Legal Entity Actively Registered
Business Registration →✓
No Sanctions Matches Found
Sanctions & Watchlist Screening →✓
Firmographic Data Available
Company Intelligence →✓
Domain Infrastructure Healthy
Domain Analysis →✓
Valid SSL Certificate
Domain Analysis →✓
Security Headers Present
Domain Analysis →✓
2 Open Ports Detected
Infrastructure Exposure →✓
Established Domain (16+ years)
Domain Registration →✓
Clean domain reputation
Threat Intelligence →✓
Tech Community Discussion: security
Tech Community Sentiment →✓
HTTP Security Grade: B
HTTP Security Scan →✓
Large Certificate Footprint (105 subdomains)
Certificate Transparency →✓
Established Web Presence (16+ years)
Web Archive History →✓
No Threat Intelligence Pulses
Threat Intelligence (OTX) →✓
Clean IP Reputation
IP Reputation →✓
Clean Safe Browsing Status
Malware & Phishing Check →✓
Clean Website Security Scan
Website Security Scan →✓
Certification Claimed: SOC 2
Trust & Compliance Page Scan →✓
Certification Claimed: ISO 27018
Trust & Compliance Page Scan →✓
Certification Claimed: PCI DSS
Trust & Compliance Page Scan →✓
Certification Claimed: HIPAA
Trust & Compliance Page Scan →✓
Subprocessor Page Found, No Entries Parsed
Supply Chain & Subprocessor Discovery →✓
Not Found as FDIC-Insured Institution
FDIC Institution Check →✓
No SEC Enforcement Filings Found
SEC Filing Search →✓
HITRUST Directory Match — Manual Verification Required
Certification Registry Verification →✓
SOC 2 Compliance Claimed on Trust Page
Certification Registry Verification →Recommended Actions
Steps to address findings for Sendgrid
- 1
PRIORITY 1 — Request breach clarification within 30 days: Contact SendGrid/Twilio's security team to obtain a formal written statement on the April 2025 alleged credential breach. Ask specifically: Was a breach confirmed? What customer data was involved? What remediation was applied? Twilio's security disclosure page is at https://www.twilio.com/en-us/security.
- 2
PRIORITY 2 — Obtain and review the SOC 2 Type II report: Request the current SOC 2 Type II report and bridge letter from Twilio's compliance team. Submit the request via https://www.twilio.com/en-us/security — many enterprise accounts can access audit reports through a signed NDA. Ensure the report period covers at least the past 12 months.
- 3
PRIORITY 3 — Execute a HIPAA Business Associate Agreement if applicable: If your use case involves sending or processing any protected health information (PHI), a signed BAA is legally required. Request this directly from your SendGrid/Twilio account representative before any PHI is transmitted through the platform.
- 4
PRIORITY 4 — Manually review the subprocessor list: Navigate directly to https://sendgrid.com/subprocessors and document all listed subprocessors. Verify that any subprocessors in non-adequate jurisdictions (for GDPR purposes) are covered by appropriate transfer mechanisms such as Standard Contractual Clauses.
- 5
PRIORITY 5 — Document vendor-attested certifications in your risk register: Record that SOC 2, PCI DSS, ISO 27018, and HIPAA certifications are claimed by the vendor at https://sendgrid.com/security but have not been independently verified. Mark these for re-verification annually or when the vendor's compliance posture changes.
Intelligence Sources Queried
24 sources in this assessment
23of 24 sources returned data
IP Reputation
AI Data Usage Policy
Threat Intelligence (OTX)
Certification Registry Verification
Certificate Transparency
Domain Analysis
FDIC Institution Check
Business Registration
Historical Media Search
Tech Community Sentiment
Company Intelligence
HTTP Security Scan
Sanctions & Watchlist Screening
Malware & Phishing Check
SEC Filing Search
Infrastructure Exposure
SSL/TLS Analysis
Supply Chain & Subprocessor Discovery
Trust & Compliance Page Scan
Website Security Scan
Threat Intelligence
Web Archive History
Domain Registration
Adverse Media Scan (Fallback)
Data Coverage Notes
Some data sources may have had limited availability during this assessment. This does not reflect negatively on the vendor.
- The primary real-time adverse media scan was unavailable during this investigation; the historical media archive search (Google News) was used as a supplementary source, but real-time media coverage within the current news cycle could not be fully assessed.
- Subprocessor data could not be automatically extracted from the vendor's published subprocessor page due to page format constraints; manual review of sendgrid.com is required to obtain a complete supply chain inventory.
- External cyber risk scoring was not available for this assessment; the infrastructure and threat intelligence findings in this report are based on open-source and blacklist data rather than a continuous monitoring score.
- ISO 27001 certification could not be independently verified via the IAF CertSearch public registry; absence from the registry does not definitively confirm absence of certification, as registry coverage is incomplete for some certificate bodies.
- The AI data usage policy scan located the Twilio privacy policy page but found no explicit statements regarding AI/ML training commitments, third-party AI providers, or data retention practices specific to AI features; organizations with AI-related data handling concerns should request a dedicated AI data use addendum from the vendor.
183+
Vendors assessed
98%
Average confidence
<2 min
Time to report
Security & Compliance Profile
32% complete · 43/133 questions answered from public sourcesAre you SendGrid? Claim this profile to complete your security record. Buyers are reviewing this profile now.
Claim this profile →What a ThirdProof assessment covers↓
Sanctions Screening
Is SendGrid on any OFAC, EU, or UN sanctions list? Are any officers or affiliates flagged?
Cyber Risk Assessment
What is SendGrid's security posture? Threat intelligence scanning, known vulnerabilities, and security header analysis.
Business Registration
Is SendGrid a legitimately registered business entity? Corporate status, jurisdiction, and officer verification.
Adverse Media Analysis
Has SendGrid appeared in negative news coverage? Data breaches, lawsuits, regulatory actions, and complaints.
Domain & Infrastructure
Is SendGrid's website secure? TLS configuration, DNS hygiene, security headers, and domain age analysis.
Company Intelligence
What are SendGrid's firmographics? Employee count, industry classification, technology stack, and corporate structure.
Trust & Compliance Verification
Does SendGrid claim SOC 2, ISO 27001, HITRUST, or FedRAMP? ThirdProof scans trust pages for certification claims and cross-references the FedRAMP public registry for independent verification.
Supply Chain & Subprocessor Discovery
Who does SendGrid depend on? ThirdProof discovers subprocessors from vendor-published pages and runs sanctions screening and safe browsing checks against each one.
Regulatory & Financial Filings
Has SendGrid appeared in SEC enforcement filings? Is it associated with any FDIC bank failures? ThirdProof searches regulatory databases with entity verification to confirm attribution.
Full methodology, rule engine, and AI disclosure: /methodology
Compliance Resources
→ SOC 2 Vendor Assessment: What Your Auditor Actually Reviews→ SOC 2 CC9.2 Vendor Management with ThirdProof→ HIPAA Vendor Risk Assessment with ThirdProof→ FedRAMP Authorized Vendor List→ FedRAMP Vendor Authorization Status Guide→ Sanctions Screening for Vendor Due Diligence→ Vendor Due Diligence Checklist→ All 27 Intelligence Sources
Seeing this in an audit? ThirdProof lets you investigate SendGrid and every other vendor in your stack — average report time: 7 minutes. Get SendGrid's Full Report Free →
Frequently asked about SendGrid
Is SendGrid FedRAMP authorized?+
SendGrid is not currently listed on the FedRAMP Marketplace as of March 2026.
Does SendGrid have SOC 2 Type II?+
Yes — SendGrid holds SOC 2 (Type II not confirmed). Rated Moderate Risk — significant adverse media. See all 4 findings →
Is SendGrid on the OFAC sanctions list?+
SendGrid returned no matches in ThirdProof's OFAC SDN, EU Consolidated, and UN sanctions screening as of March 2026.
What is SendGrid's vendor risk tier?+
ThirdProof assigned SendGrid a risk tier of Moderate Risk with 89% confidence based on assessment across 27 intelligence sources as of March 2026.
Can I get an auto-filled security questionnaire for SendGrid?+
Yes. Every ThirdProof investigation of SendGrid produces two deliverables: an audit-ready risk report and a 133-question security questionnaire pre-filled with evidence from 27 independent sources. The questionnaire is mapped to SIG, SOC 2, HIPAA, PCI DSS and 9 other frameworks — answered without sending SendGrid a single email or waiting for a vendor response.
Is SendGrid safe to use as a vendor?+
SendGrid is a email delivery vendor that handles organizational data. Safety depends on their current security posture, certification status, and how they handle your specific data. ThirdProof automates this evaluation across 27 intelligence sources — sanctions databases (OFAC, EU, UN), business registration verification, adverse media scanning, and cyber risk assessment — producing a deterministic risk tier with confidence score plus an auto-filled security questionnaire. Run a free investigation to see SendGrid's full risk profile.
Does SendGrid have SOC 2 certification?+
Yes — SendGrid holds SOC 2 + 3 other certs. Rated Moderate Risk — significant adverse media. See all 4 findings →
Has SendGrid had any data breaches?+
Data breach history is an important signal for any vendor, particularly email delivery platforms like SendGrid that handle organizational data. ThirdProof's adverse media analysis searches multiple news APIs and public records for data breaches, security incidents, lawsuits, regulatory enforcement actions, and financial distress signals. Each finding is linked to its original source with severity classification.
Is SendGrid on any sanctions lists?+
Sanctions screening is standard due diligence for email delivery vendors. ThirdProof screens SendGrid against OFAC SDN, consolidated international sanctions lists, and PEP databases. The screening uses entity name verification to reduce false positives. If SendGrid or any associated officers appear on a sanctions list, this triggers automatic escalation to the highest risk tier.
How do I assess SendGrid for vendor risk?+
Assessing SendGrid as a email delivery vendor involves verifying SOC 2 Type II and applicable industry standards compliance, reviewing their subprocessor chain, and checking sanctions exposure. ThirdProof automates this across 27 intelligence sources in an average of 7 minutes — no questionnaires or vendor participation required. Your first 5 investigations are free.
How long does a ThirdProof assessment take?+
A ThirdProof assessment completes in an average of 7 minutes. 27 intelligence sources are queried in parallel — sanctions databases, business registries, threat intelligence feeds, certificate transparency logs, and more. The result is a deterministic risk tier with confidence score and audit-ready PDF report.
Is ThirdProof free?+
ThirdProof offers 5 free vendor assessments with no credit card required. Each assessment includes the full report — risk tier, confidence score, individual findings, executive summary, and PDF export. Paid plans start at $399/month for teams that need ongoing vendor monitoring.
Can I use a ThirdProof report as SOC 2 audit evidence?+
Yes. ThirdProof reports are designed to satisfy SOC 2 CC9.2 (vendor risk management) requirements. Each report includes SHA-256 integrity verification, methodology disclosure, source attribution for every finding, and AI content labeling. Auditors can independently verify the report's authenticity and trace each finding to its original source.
How is ThirdProof different from a security questionnaire?+
Security questionnaires require vendor participation, take weeks, and produce self-reported answers. ThirdProof queries 27 independent intelligence sources — no vendor involvement needed. Risk tiers are assigned by a deterministic rules engine (not AI opinion), and every finding links to its original source. You get an audit-ready report in an average of 7 minutes instead of waiting weeks for a questionnaire response.
Also investigate these vendors
SendGrid is in your vendor stack. Can you prove you assessed them?
SOC 2 CC9.2, HIPAA, PCI-DSS, and CMMC all require documented vendor due diligence — not just knowing the answer, but having audit-ready evidence you verified it. Most compliance teams can't produce that documentation on demand.
ThirdProof investigates SendGrid across 27 intelligence sources in an average of 7 minutes — sanctions screening, cyber posture, SOC 2 verification, FedRAMP status, and more. Every investigation produces two deliverables: an audit-ready risk report and an auto-filled security questionnaire your prospects and auditors expect to see.
✓ 5 free investigations✓ Risk report + auto-filled questionnaire✓ No credit card required✓ Average report time: 7 minutes
Replaces $600–$900 in manual compliance consulting time per vendor assessed.