This page is the vendor due diligence pack for EMP (Email Marketing Panamá), written for the audience that foreign procurement evaluation actually answers to: vendor risk officers, IT security teams, legal counsel, procurement legal teams running due diligence on third-country email infrastructure providers. The Spanish-language counterpart at /nosotros.html covers the founding story for Panamanian audience; this page covers the procurement-grade questions that foreign vendor evaluation typically asks before approving cross-border processor agreements: operational maturity (16 years independent, zero funding rounds, no exit pressure), key person risk transparency with documented mitigations, infrastructure ownership map distinguishing Tier 1 owned versus Tier 2 commodity-substitutable versus Tier 3 structural dependencies, financial profile (positive cash flow since 2014, zero external debt, indefinite operational runway), continuity posture (documented business continuity plan reviewed annually, sub-processor map, ANTAI compliance track record), regulatory compliance across five regimes (Panama Law 81, EU GDPR, California CCPA, Brazilian LGPD, Mexico LFPDPPP), team composition documented at headcount level, and physical presence at Atrium Tower Obarrio with office visit option for procurement teams. The page is not a marketing pitch; it is the documentation pack that vendor evaluation reads before approving the contract. Specific revenue and profit figures are not public; aggregate stability indicators are documented for Enterprise tier procurement under NDA. About 28 percent of Enterprise tier procurement reviews request the full documentation pack during evaluation; the pack addresses the typical procurement questions with documented evidence rather than marketing claims.
Operational milestones documented for vendor due diligence. Each milestone has technical or commercial substance; decorative milestones (awards, recognitions, marketing campaigns) are excluded. The timeline matters for procurement because email infrastructure operators that have shipped through multiple mailbox provider policy shifts (Yahoo authentication push 2014, Google bulk sender enforcement 2024, Google February 2026 AI spam update) demonstrate operational adaptation capacity that newer operators have not yet proven.
Independent founding with first commercial PowerMTA license and dedicated single-server deployment. Initial focus: B2B email marketing for Panama domestic market with manual list management and basic deliverability operations.
First dedicated /24 IP allocation from upstream provider, replacing shared IP infrastructure. Operating cash flow turns positive in fiscal year 2014, four years post-founding; positive cash flow continuous through 2026 with no negative quarters.
Verified B2B contact repository milestone reached after 7 years of accumulation through public registry sourcing, association directory licensing, and quarterly verification cycles. Repository methodology documentation finalized for tenant procurement reference.
Panama Law 81 of 2019 on Personal Data Protection promulgated 26 March 2019. EMP framework documentation under Article 7.2 legitimate interest basis finalized in advance of the law's effective date; balance test template, opt-out mechanism specification, and quarterly review protocol documented per tenant.
ANTAI (Autoridad Nacional de Transparencia y Acceso a la Información) becomes enforcement-active after Decree 285 of 28 May 2021 implementing regulation publication. EMP framework documentation submitted on first ANTAI inquiry letter; framework cleared with no enforcement action initiated.
Dual-MTA architecture deployed with primary PowerMTA cluster plus secondary tenant isolation segment. Tenant reputation isolation matures: each tenant's send traffic isolated to dedicated IP allocations with cross-tenant reputation contamination prevented at the MTA level.
KumoMTA open-source MTA deployed as secondary infrastructure for tenant isolation expansion and regional load distribution. Verified B2B contact repository passes 250,000 milestone; quarterly verification cycle catches 2-3 percent monthly B2B data decay rate.
Google + Yahoo bulk sender enforcement requirements (DMARC, SPF, DKIM alignment, one-click unsubscribe headers, spam complaint rate under 0.3 percent) deployed across all tenant traffic with zero tenant non-compliance during the enforcement transition period. Internal audit confirmed full compliance at enforcement start date.
Panama Scorer pre-send deliverability AI v3.0 deployed to production after 18-month development period. Initial training corpus 8.4 million B2B email events; v3.0 baseline performance precision 89.3 percent, recall 86.7 percent. Bundled with platform tiers from launch.
Google February 2026 AI spam update detected within 6 weeks of going live; Panama Scorer v3.3 hotfix deployment added AI-similarity feature in content structure dimension and Google-aligned personalization heuristics. Validation precision improvement from 92.3 percent (pre-v3.3) to 94.7 percent (v3.4.2 current).
Marketing platform pages redesigned for foreign procurement evaluation. EN site launched with 40+ landing pages covering platform, audiences, deliverability, compliance, and vendor due diligence documentation. ES site continues serving Panama domestic and Latin Spanish-speaking audiences.
Infrastructure ownership map documented for vendor due diligence. Three tiers calibrated by ownership posture and switching cost. Tier 1 owned and operated by EMP without third-party dependency. Tier 2 third-party but commodity-substitutable with operational effort. Tier 3 third-party with structural lock-in that would require business model adjustment to switch. The map matters because most procurement evaluations that surface "EMP is just a Mailchimp reseller" are factually wrong; the Tier 1 ownership documentation answers the question with infrastructure inventory rather than marketing claim.
Infrastructure inventory: the components that EMP owns and operates with no third-party dependency for the core function. Switching cost to alternatives: not applicable because EMP IS the alternative.
Provider redundancy strategy: for each Tier 2 dependency, EMP maintains operational relationships with alternative providers and documents switchover playbooks. Switching cost: 30-90 days of operational effort with no business model adjustment required.
Structural dependencies acknowledged: for each Tier 3 dependency, the switch would require business model adjustment beyond simple operational migration. Procurement-blocking risk: typically not, but worth disclosing for transparency.
Team composition documented at headcount and role level for vendor due diligence. The composition matters because procurement evaluations frequently surface concerns about offshored operations team (lower-cost jurisdictions with potentially weaker labor protections, communication friction in incident response, jurisdictional compliance complications). EMP team composition: 18 full-time staff total, all on Panama employment contracts with associated social security and labor protection coverage; no offshoring of operational team to lower-cost jurisdictions. The headcount has grown from 6 in 2018 to 18 in 2026, a deliberate slow growth trajectory funded from operating cash flow without acquisition or layoff events.
| Functional area | Roles | Headcount |
|---|---|---|
| Leadership + senior engineering | Managing director, head of engineering, senior MTA engineer, senior platform engineer, senior data engineer | 5 |
| Mid-level engineering | Deliverability engineer, audience operations engineer, ML engineer for Panama Scorer maintenance, integrations engineer | 4 |
| Operations + customer success | Operations lead, 2 customer success managers, 1 onboarding specialist | 4 |
| Compliance + finance | DPO, compliance analyst, finance lead | 3 |
| Sales + marketing operations | Sales lead, marketing operations | 2 |
| TOTAL | — | 18 |
Operational continuity posture documented across four dimensions that vendor due diligence typically evaluates. Each dimension covers what the operational practice is, what the historical track record shows, and what documentation is available under NDA for procurement evaluation. The continuity posture matters for vendor procurement because the typical contract horizon is 1-3 years and the procurement team needs evidence that the operator can maintain service continuity through the contract period.
99.95 percent platform uptime SLA on Pro and Enterprise tiers (Starter tier 99.9 percent), measured monthly with credit-back if missed. SLA violation track record since 2024 SLA program launch: 4 violation incidents totaling 7 hours 23 minutes of credited downtime across the 24-month period. All incidents within published incident retrospectives.
24/7 on-call rotation across senior engineering team for Pro and Enterprise tiers. Acknowledgment SLA: within 15 minutes for Severity 1 incidents, within 1 hour for Severity 2. Incident retrospectives published to affected tenants within 5 business days of resolution; retrospective documents the root cause, the remediation, the prevention measures, and the timeline.
Documented business continuity plan covering founder unavailability scenarios, primary infrastructure failure, sub-processor failure, ANTAI investigation response, breach notification cascade, tenant data export under emergency conditions. BC plan reviewed annually with senior team and updated based on operational learnings. Available under NDA on Enterprise tier as part of vendor due diligence package.
SOC 2 Type II report covering most recent fiscal year (available under NDA on Enterprise tier). ISO 27001 alignment statement documented (formal certification not held, alignment to controls documented). CAIQ Lite security questionnaire response template (4 business hours typical turnaround on Enterprise tier); custom security questionnaire response on Enterprise tier with 5-10 business day turnaround.
Headquarters and primary operational location: Atrium Tower, Floor 15, Calle 54, Obarrio, Panama City, Panama. The Obarrio district is Panama City's primary business district concentrated along Calle 50 and Calle 54 corridors; the building hosts financial services, legal firms, multinational regional offices, and technology operators. Office space: approximately 280 square meters dedicated EMP space, not coworking. The physical presence matters for vendor due diligence because procurement evaluations occasionally surface concerns about virtual-office or PO-box-only operators that lack genuine operational substance. EMP's physical office with full-time staff on Panama employment contracts is the operational answer to the question.
Office visit option: office visits welcomed by Pro and Enterprise tier clients with 2 weeks notice. About 14 percent of Enterprise tier discovery calls fold in a physical office visit during the procurement evaluation; the visit format typically covers a half-day technical walkthrough (infrastructure tour, MTA configuration discussion, monitoring dashboard demo, audience repository sampling) plus a half-day commercial discussion (DPA negotiation, pricing structure, escalation procedures). Office visit logistics: Panama City has direct flights from Miami (3 hours), Houston (4 hours), New York (5.5 hours), Madrid (10 hours), Frankfurt (12 hours); the Obarrio district is 25 minutes from Tocumen International Airport via the Corredor Sur expressway. Hotels in walking distance: Marriott Panama, Hilton Garden Inn, Le Méridien Panama. Visa requirements vary by passport; US, EU, and UK passports do not require visa for stays under 90 days. About 3 office visits per quarter happen in the typical operating year.
Communication infrastructure for remote evaluation: for procurement evaluations that skip physical office visit (the majority case at 86 percent of Enterprise discovery calls), the technical and commercial evaluation runs over video conference plus document exchange under NDA. Video conference platform: Zoom primary, Google Meet secondary, Microsoft Teams supported on request. Document exchange: secure document portal for sensitive documents (SOC 2 report, BC plan, balance test documentation, sub-processor map); standard email for non-sensitive documents (DPA template, pricing structure, public timeline). Time zone overlap: Panama UTC-5 has working hour overlap with US Eastern (full overlap), US Central (4 hour overlap morning), US Pacific (3 hour overlap morning), London (5 hour overlap afternoon for London), Frankfurt (4 hour overlap afternoon for CET).
"You're a small operator. Why would we trust you over a SaaS giant with thousands of engineers?"
Honest answer with both directions of the tradeoff. Where small operators win: direct senior engineering access for incident response (no tier-1 support gatekeeping), faster operational decision-making (no committee-driven product roadmap), aligned incentives (no shareholder pressure for short-term revenue extraction), bespoke technical integration (Enterprise tier hybrid pattern, custom rule sets, custom feature engineering), and personal accountability (the senior team that built the operation is the senior team responding to incidents). Where large SaaS operators win: headcount depth for 24/7 follow-the-sun support across all tiers (EMP follow-the-sun is Pro+ tier only), broader vertical specialization through dedicated teams per vertical, deeper integration ecosystem (HubSpot has 1,800+ integrations, Mailchimp has 300+; EMP has 28 documented integrations), brand recognition for procurement legal sign-off (Mailchimp brand passes legal review faster than \"Email Marketing Panamá\" brand even with equivalent documentation). The honest match: EMP fits B2B Latin specialized operations where direct engineering access and Latin specialization matter; mainstream SaaS fits broad horizontal operations where ecosystem integration and brand recognition matter. About 22 percent of Enterprise tier discovery calls end with the honest verdict that mainstream SaaS fits better; the redirect rate matters more than the conversion.
"Panama jurisdiction gives us heartburn. Why not US, EU, or UK based?"
Three honest answers depending on the source of the heartburn. Heartburn source 1 unfamiliarity: if the procurement team has not previously contracted with a Panama-based processor, the unfamiliarity is reasonable and addressable through the documentation pack covering Law 81 Article 7.2 legitimate interest framework, multi-regime alignment with GDPR Article 6.1.f, CCPA, LGPD, Mexico LFPDPPP, and the EMP framework documentation cleared through three ANTAI inquiry letters since 2021. The documentation typically resolves the unfamiliarity over 2-4 weeks of legal counsel review. Heartburn source 2 specific regulatory blocker: if the procurement team has a specific regulatory blocker (sector-specific data residency requirement, government contract data sovereignty clause, financial services regulatory restriction on third-country processors), the blocker is genuinely procurement-blocking and EMP redirects honestly to US or EU providers that satisfy the specific blocker. About 8 percent of EU-headquartered discovery calls surface specific regulatory blockers that make Panama jurisdiction non-viable. Heartburn source 3 strategic preference: if the procurement team simply prefers US or EU jurisdiction as strategic positioning (regardless of specific regulatory requirement), the preference is reasonable and EMP does not argue against it. The honest match: Panama jurisdiction carries specific advantages (outside US CLOUD Act, Latin specialization, ANTAI compliance posture) for clients where those advantages matter; for clients where US or EU jurisdiction is the strategic preference, mainstream providers fit better and EMP recommends them.
"What's the actual revenue? Can you handle a Fortune 500 contract operationally?"
Specific revenue figures are not public; aggregate stability and operational capacity indicators are documented under NDA on Enterprise tier procurement. Operational capacity indicators: current peak daily campaign volume across the EMP tenant base is approximately 47 million messages per day; the architecture can scale to approximately 180 million daily within current infrastructure footprint without additional capex. The 47 million baseline is approximately 30 percent of architectural capacity, leaving meaningful headroom for new tenant ramp without infrastructure investment. Largest single-tenant volume currently in production: 12 million messages per day for one Enterprise tier tenant (regulated industry with multi-country Latin operations). Largest contract value historically: mid-six-figure annual contract value, multi-year contract horizon. Customer concentration: top 5 customers represent approximately 31 percent of revenue; top 10 represent approximately 47 percent; the concentration profile is typical for B2B SaaS at EMP's scale and stage. Specific revenue figures, growth rate, retention rate, and customer concentration available under NDA on Enterprise tier procurement evaluation. The honest framing: EMP can operationally handle Fortune 500 single-tenant contracts at the volume range typical for B2B Latin operations (under 50 million daily); for B2C scale at hundreds of millions of daily messages to consumer audiences, US-scale platforms fit better and EMP redirects honestly.
"How do we handle vendor termination cleanly? What about data portability?"
Termination protocol documented in DPA section 8 (post-termination obligations) with four explicit categories of post-termination action. Category 1 in-flight ARCO requests: any ARCO request received before tenant termination is completed by EMP within the original 10 working day window regardless of termination timing. Category 2 contact list and processing data return: tenant contact list, campaign history, engagement metrics, and processing audit trail returned to the former tenant in machine-readable format (CSV plus JSON) within 30 days of termination request; format compatible with HubSpot import, Mailchimp import, Salesforce import, custom CRM import. Category 3 data deletion from EMP infrastructure: deletion within 90 days of termination unless legal hold applies (contractual dispute, regulatory inquiry); deletion covers primary databases, backup snapshots, and audit log retention with the appropriate retention period exceptions per regulatory requirement. Category 4 suppression list continuity: opt-out signals received during the EMP subscription remain in EMP's suppression list permanently to prevent re-addition by other tenants; the suppression list is the operational mechanism that protects data subjects from re-contact across the EMP tenant base regardless of any single tenant relationship status. The post-termination obligations are standard processor commitments under Law 81 Article 24 and align with GDPR Article 28(3)(g) processor return-or-deletion obligations. About 6 percent of Enterprise tier procurement reviews specifically request the termination protocol documentation; the documentation is included in the standard DPA template with negotiable timing parameters on Enterprise tier.
"What's the security posture? SOC 2, ISO 27001, penetration testing?"
Security posture documented across three dimensions. Dimension 1 attestation reports: SOC 2 Type II report covering most recent fiscal year (available under NDA on Enterprise tier); the SOC 2 scope covers the platform infrastructure, the audience repository, the Panama Scorer infrastructure, and the tenant management platform. ISO 27001 alignment statement documented (formal certification not held; alignment to all 114 Annex A controls documented with evidence; the formal certification is in scope for 2026-2027 fiscal year). Dimension 2 penetration testing: annual external penetration test by recognized security firm (currently rotating between two firms for cross-validation); penetration test report available under NDA on Enterprise tier; the most recent test (Q1 2026) found 3 medium-severity findings, all remediated within 30 days of report delivery, plus 7 low-severity findings remediated within 60 days. Dimension 3 security questionnaire response: CAIQ Lite questionnaire response template available with 4 business hour typical turnaround; full CAIQ questionnaire response with 5 business day turnaround; SIG questionnaire response with 7 business day turnaround; custom enterprise security questionnaires (Fortune 500 typical scope) with 10 business day turnaround. The security posture is the answer to the procurement question \"can our IT security team approve the vendor under our security framework?\" About 22 percent of Enterprise tier procurement reviews request the full security documentation pack during evaluation.
"Customer references? Can we talk to current Enterprise tenants before signing?"
Customer references available with mutual coordination. Standard reference protocol: after Enterprise tier discovery call confirms platform fit and procurement legal review begins, EMP hands the prospective tenant 3-5 customer reference contacts matched to the prospective tenant's vertical and use case. The references are existing Enterprise tier tenants who have explicitly opted into reference participation as part of their tenant agreement; reference participation is voluntary and reversible. The reference call is 30-45 minutes with the prospective tenant's procurement or technical team plus the existing tenant's relevant operational lead (typically Head of Marketing Operations, Head of RevOps, or Head of Deliverability depending on the prospective tenant's evaluation focus). What references typically cover: onboarding experience, ongoing operational quality, incident response quality, billing and contract experience, sub-processor management, regulatory documentation completeness, recommendation candor (would they renew, what would they change). EMP does not coach references; the references speak honestly including criticism. About 47 percent of Enterprise tier procurement reviews fold in reference calls during the evaluation; reference participation rate from existing tenants is approximately 73 percent (some decline due to internal confidentiality preferences). The references are diagnostic and frequently surface improvement opportunities that EMP addresses; the operational feedback loop matters more than the conversion rate per call.
Discovery call format: 45-minute video call covering current email infrastructure stack, regulatory exposure profile, procurement legal requirements (DPA negotiation depth, SCC framework maturity, security questionnaire format), audit and continuity requirements, key person risk tolerance, customer reference requirements, and the specific vendor due diligence questions blocking your evaluation. Output of the call: explicit fit verdict (subscribe at appropriate tier with documentation pack delivery, OR redirect to mainstream provider when fit is wrong, OR defer pending procurement timeline), draft DPA delivered within 5 business days when fit confirmed, vendor DD pack delivered within 5-10 business days under NDA on Pro and Enterprise tiers, customer reference contacts provided after platform fit confirmation. Mutual NDA signed before any sensitive procurement detail exchanged. About 56 percent of discovery calls convert to subscription, 28 percent get redirected to alternative or hybrid pattern, 16 percent decide to defer based on procurement timeline. The discovery call is genuinely diagnostic; mainstream providers get recommended on this call when the use case fits their strengths better than EMP's Panama-based independent operator profile.
