Security Overview
Reviewed: 29 January 2026
At a glance
- Security is built into UK Postbox by design and default.
- Data is protected with encryption in transit and at rest, least‑privilege access, and continuous monitoring.
- We operate a formal Incident Response programme with regulator/customer notification where required, and maintain Business Continuity & Disaster Recovery plans.
- We hold Cyber Essentials Plus and use PCI DSS‑validated payment providers (tokenised/hosted payments; target SAQ A).
Our security model
Defence in depth
- Network & cloud security: multi‑AZ deployments, hardened perimeters, WAF/DDoS protection, rate limiting, secure configurations verified continuously. We operate on zero-trust principles: no implicit trust based on network location; all access is authenticated and authorised.
- Application security: secure SDLC, code review, dependency/SCA scanning, SAST/DAST (where applicable), change control via CI/CD.
- Data security: encryption with TLS 1.2+ (TLS 1.3 preferred) in transit and AES‑256 at rest; strict key management (KMS/HSM, rotation, audit).
- Access control: role‑based access control (RBAC), least privilege, MFA for privileged users, quarterly access reviews. Privileged access uses just‑in‑time elevation with automatic expiry; standing admin access is minimised.
- Monitoring: centralised logging, SIEM alerting for anomalous access or exfiltration patterns; vulnerability scanning and patching with defined SLAs.
- Physical & mailroom security: access‑controlled handling areas, CCTV, visitor management, and BS EN 15713 destruction for paper.
Data roles (controller vs processor)
- We act as controller for account, billing, support, analytics/telemetry, marketing and CCTV/call recordings.
- We act as processor for mail‑content scans and related metadata processed on the customer’s instructions. See our Data Processing Agreement (DPA).
Key policies & certifications
- Cyber Essentials Plus certification (scope: production environment and corporate network).
- PCI DSS: We do not store/process/transmit cardholder data on our systems. Payments are via PCI DSS‑validated PSPs (tokenised/hosted). Target SAQ: A (A‑EP if architecture changes).
- Core policies (public): Data Security & Encryption, Access Control & Authentication, Incident Response & Breach Notification, Vulnerability Management & Pen Testing, BC/DR, Data Protection Policy, Restricted Goods, Mail Inspection & Handling.
Encryption & key management
- Transport: TLS 1.2+ (1.3 preferred), HSTS, secure cookies, modern ciphers.
- At rest: AES‑256 (or service‑equivalent) for databases, object/file storage, backups.
- Keys/secrets: managed in KMS/HSM with separation of duties, rotation, and audit trails; secrets in a secrets manager (never in code).
Access control & authentication
- Staff access via SSO + MFA, time‑bound elevation for admin tasks, and quarterly reviews.
- Customer accounts support MFA and step‑up verification for sensitive actions.
- Service accounts follow least privilege; tokens are short‑lived and scoped; mTLS/OIDC used between services where applicable.
Vulnerability management & testing
- Continuous external/internal vulnerability scanning, CSPM checks, SCA for dependencies, and container image scanning.
- Remediation SLAs: Critical ≤ 7 days (48h mitigation), High ≤ 14 days, Medium ≤ 30 days.
- Independent penetration testing at least annually and after significant change; critical/high issues retested. We do not currently operate a paid bug bounty programme but welcome responsible disclosure and acknowledge contributors.
- Coordinated Vulnerability Disclosure: report issues to security@ukpostbox.com.
Incident response & breach notification
- 24/7 incident playbooks: triage → contain → eradicate → recover → review. Incidents are classified by severity (Critical/High/Medium/Low) with corresponding response timeframes and escalation paths.
- Personal data breaches: assess under UK GDPR; as controller we notify the ICO within 72 hours where required and affected individuals when risk is high. As processor, we notify customers without undue delay and assist per the DPA.
Business continuity & disaster recovery
- Redundant cloud architecture, encrypted backups with restore tests, and documented DR runbooks.
- Target RTO/RPO standards for key services (e.g., login & mailbox view RTO 4h, RPO 15m) with annual table‑top and failover tests.
- Mailroom continuity includes alternate workflows/sites and carrier fallbacks.
Payments & PCI
- Payments handled by validated PSPs; we receive tokens and non‑sensitive metadata only.
- No PAN or CVV is accepted by support channels; staff are trained to route customers to hosted payment pages.
Sub‑processors & data residency
- We maintain a live list of sub‑processors in the Trust Centre with change notifications where practicable.
- Primary processing is in the UK/EEA. Where data is transferred outside the UK, we use IDTA or the UK Addendum to SCCs and conduct transfer assessments.
Customer responsibilities
Security is a shared responsibility. Customers should:
- enable MFA, use strong, unique passwords, and keep contact details current;
- configure retention for digital scans to meet their obligations;
- keep devices and browsers updated;
- avoid uploading malicious content;
- report suspected compromise to security@ukpostbox.com within 24 hours of discovery.
Reporting a security issue
If you believe you’ve discovered a vulnerability or incident affecting UK Postbox:
- Email security@ukpostbox.com with details to reproduce (no sensitive data).
- Do not publicly disclose until we’ve confirmed a fix or 90 days have elapsed (unless otherwise agreed). UK Postbox provides safe harbour to security researchers acting in good faith; we will not pursue legal action for activities that comply with this policy.
- We will acknowledge within 5 business days and keep you informed. (No bug bounty at present.)
UK Postbox Limited
13 Freeland Park, Wareham Road, Lytchett Matravers, Poole, Dorset, BH16 6FH, United Kingdom
Support: support@ukpostbox.com
Security: security@ukpostbox.com
Legal notices: legal@ukpostbox.com
Data protection: dpo@ukpostbox.com
Complaints: complaints@ukpostbox.com
Accessibility: accessibility@ukpostbox.com
Website: www.ukpostbox.com
Registered in England and Wales. Company Number: 06723381
MLR registration no: XLML00000192390
ICO registration no: ZA038907