
Compliance & Trust

AutoSPF runs on DuoCircle's compliance program.

AutoSPF is built and operated by DuoCircle LLC. The AutoSPF service line is in scope for our SOC 2 Type II examination and has its own CSA STAR registry entry. All vendor-assessment documents are published in one place at the DuoCircle Trust Center.

SOC 2 Type II

Annual examination since 2022 by Hancock Askew & Co, LLP. All four Trust Services Criteria: Security, Availability, Confidentiality, Processing Integrity. Report available under Bonterms Mutual NDA.

CSA STAR Level 1

AutoSPF has its own entry in the Cloud Security Alliance public registry, based on the CAIQ Lite questionnaire (a subset of the Cloud Controls Matrix v4.1). Renewed annually.

View AutoSPF on CSA STAR →

HECVAT Full

For colleges and universities, the current version of the Higher Education Community Vendor Assessment Toolkit (HECVAT Full) is available under NDA.

Penetration testing

Annual third-party penetration test. Executive summary available under NDA.

What data does AutoSPF process?

AutoSPF manages your SPF DNS record. SPF is a public standard (RFC 7208), and any SPF record published in DNS is publicly resolvable by anyone on the internet. The data we work with is configuration data, not message data. AutoSPF sits outside the mail flow and never receives, stores, or forwards email messages.

What we see

  • Your domain name (public in DNS)
  • SPF mechanisms in your source record: include:, ip4:, ip6:, a, mx (public in DNS)
  • The flattened SPF record we publish for you (public in DNS)
  • Account contact info you provide at signup
  • Audit log of admin actions, retained for one year

What we never see

  • Email message content or body
  • Email headers (From, To, Subject)
  • Sender or recipient email addresses
  • Attachments
  • DMARC aggregate or forensic reports
  • Any Protected Health Information (PHI)

HIPAA and Business Associate Agreements

A HIPAA Business Associate is a vendor that creates, receives, maintains, or transmits Protected Health Information on behalf of a Covered Entity (45 CFR §160.103). AutoSPF does none of those things. The service operates on a public DNS record and has no path through which PHI could enter, even theoretically. For the same reason your domain registrar, authoritative DNS provider, and TLS certificate authority are not HIPAA Business Associates, AutoSPF is not a HIPAA Business Associate, and a BAA covering AutoSPF would have no PHI to govern.

If your procurement process requires documentation against an email-related vendor, the right artifact for AutoSPF is almost always a Data Processing Agreement (DPA), which we provide on request, plus the SOC 2 Type II report and policy pack listed above.

Read the full data privacy and HIPAA / BAA write-up →

Need the SOC 2, HECVAT, or our policy pack?

Submit one request through the DuoCircle Trust Center. We use the standardized Bonterms Mutual NDA, published in advance so your legal team can review it before any conversation begins. We respond within one business day, and most often the same day.

Public, no NDA

AutoSPF runs on the standardized Bonterms Cloud Terms. Self-serve plans run on Bonterms Online Cloud Terms, accepted at sign-up. Enterprise plans run on a counter-signed Cover Page. Same balanced framework either way, no surprise additions.

Reviewed 2026-05-11.

See also: Privacy Policy · Cloud Terms · DPA