The journey starts

Within a few months of onboarding our first customer to Resend, we started getting requests for . With our SOC 2 audit moving quickly, we were ambitious about how fast we could also go after GDPR.

We underestimated how time-consuming it would be to scale the business as a whole and kicked the GDPR can down the line multiple times.

We were making small steps forward all along the way but had yet to see significant progress. I remember our internal progress dashboard hovering around 60%-80% for almost nine months.

Closing the complexity gap

Part of the reason GDPR dragged out is that we wanted to make sure we did it right. For controls we didn't already know about, we needed to conduct research and due diligence to be confident in the results.

One example is writing a new Data Privacy Addendum, or DPA. There were a couple of approaches:

• Use a template
• Copy other companies
• Hire a privacy consultant

It was the first time any Resend team member had written a DPA, so we used a hybrid approach.

We started with a template from our compliance system, Vanta. From there, we tweaked almost everything to completely align it with our situation. Then, we looked at other companies in the communication or developer tools space to see how they structured their legal documents and tackled specific privacy topics. We took these references as inspiration and continued to tweak our DPA in our own words.

Once we had a version we were confident with, we started sharing it with customers who had requested it. They gave us feedback on errors or improvements and we incorporated into the final document.

This process of finding a solid starting point and then iterating with inspiration and feedback was the only way we could navigate the many unknowns of GDPR.

While preparing for SOC 2, we already had GDPR in mind. This made Vanta an obvious choice as a partner to help guide us through the process and organize our evidence.

Not only does Vanta organize the requirements and provide a checklist of what you need to do to comply, but it also includes templates for more complex assets like DPAs, ROPAs, and DPIAs. This was a great starting point to understand what we needed to do.

You might wonder: "If it took you so much effort to reach GDPR compliance, why is it important?"

A majority of the businesses using Resend either reside in the EU or have customers there. We are now honoring our responsibility to comply with the rights of the recipients living in the EU.

GDPR compliance is an obligation not only for us but also for many of the businesses using Resend. Resend's compliance allows even more businesses to build their operations on top of Resend's infrastructure without compromising privacy or compliance.

More resources

To learn more about how we address our responsibility as a processor, you can: