Compliance Certifications
Reviewed: 29 January 2026
At a glance
- We maintain a practical, evidence‑based compliance programme focused on security, privacy and payments.
- Our current certifications/registrations include Cyber Essentials Plus, ICO registration (ZA038907), and HMRC/MLR registration (XLML00000192390).
- We use PCI DSS‑validated payment service providers and target SAQ A scope for our own environment.
- Third‑party sub‑processors are vetted; we collect and review their certifications and provide change notifications.
Need a document pack (AOC/ROC, CE+ cert, pen‑test letter)? Email security@ukpostbox.com or dpo@ukpostbox.com. Some artefacts may require an NDA.
Current certifications & registrations
Certificate numbers/dates are provided where available. Public copies are linked where permitted.
| Area | Certification/Registration | Issuer/Regulator | Scope | ID / Cert No. |
|---|---|---|---|---|
| Cyber security | Cyber Essentials Plus | IASME‑approved Certification Body | Production environment & corporate network | 005c95cf-c14e-41b9-8ad8-9ff33be36046 |
| Data protection | ICO Registration | Information Commissioner’s Office | UK data controller/processor registration | ZA038907 |
| Anti‑money laundering | MLR Registration | HMRC (Money Laundering Regulations) | Relevant services and identity checks | XLML00000192390 |
| Payments | PCI DSS (via PSP) | PSP AOC/ROC | Hosted payment pages / tokenisation; UK Postbox in SAQ A scope | |
Note: UK Postbox does not store/process/transmit cardholder data on our systems. See PCI DSS Compliance Policy.
Independent testing & assurance
- Penetration testing: Independent tests by CREST-accredited or CHECK-approved testers at least annually and after major changes; remediation tracked to closure. A high‑level attestation letter is available under NDA.
- Vulnerability management: Continuous scanning (external & internal), CSPM checks and dependency/container scanning with defined SLAs (Critical ≤ 7 days). Quarterly summaries available on request.
- Cyber Essentials Plus: Annual assessment of technical controls on in‑scope systems.
Sub‑processor assurances
We maintain a live list of sub‑processors in our Trust Centre. For each, we collect where available:
- Security/privacy attestations (e.g., ISO 27001, SOC 2, Cyber Essentials, PCI DSS where relevant).
- Data transfer safeguards (IDTA / UK Addendum to SCCs) for any extra‑UK processing.
- Incident notice commitments ("without undue delay").
Sub-processor certifications and attestations are reviewed at least annually and upon notification of material changes. We will notify customers of material changes to sub‑processors where practicable (see our DPA).
Statements of alignment
These are statements of practice, not certifications:
- UK GDPR & DPA 2018: Policies and procedures in place—Data Protection Policy, Privacy Notice, SAR Procedure, DPIA Procedure, ROPA, DPA, Retention & Deletion, Consent & Cookies.
- Security controls (Art. 32): Encryption in transit/at rest, IAM/MFA, logging/SIEM, vulnerability mgmt, supplier due‑diligence—see Data Security & Encryption Practices and Access Control & Authentication.
- Business continuity: BC/DR Policy with target RTO/RPO and tested backups.
- Cyber governance: We align with the UK Cyber Governance Code of Practice (published 2025) for board-level cyber security governance.
- Mail handling: Mail Inspection & Handling Policy; destruction to BS EN 15713.
Roadmap (forward‑looking)
The following are targets, not commitments, and may change.
- Evaluate ISO/IEC 27001 certification (information security management) and/or SOC 2 Type II assurance for selected services. We will communicate certification timelines once determined following gap assessment.
- Expand CE+ scope to additional environments as systems evolve.
- Publish a quarterly security update post summarising changes and improvements.
UK Postbox Limited
13 Freeland Park, Wareham Road, Lytchett Matravers, Poole, Dorset, BH16 6FH, United Kingdom
Support: support@ukpostbox.com
Security: security@ukpostbox.com
Legal notices: legal@ukpostbox.com
Data protection: dpo@ukpostbox.com
Complaints: complaints@ukpostbox.com
Accessibility: accessibility@ukpostbox.com
Website: www.ukpostbox.com
Registered in England and Wales Company Number: 06723381
MLR registration no: XLML00000192390
ICO registration no: ZA038907