Access Control | Admin-side
Access to UK Postbox’s technology resources is only permitted through secure connectivity, by authentication, session expiry and IP restricted access. Our production password policy requires complexity, expiration, and lockout and disallows reuse. UK Postbox grants access on a need to know basis of least privilege rules, reviews permissions quarterly, and revokes access immediately after employee termination.
Access Control | Client-side
Access is restricted by authentication and session expiry. Passwords are hashed and salted. All access to client PDFs, thumbnails and data are conducted through the website which is authenticated by user session. Sessions are audited, and users have the option to enable Two-Factor Authentication for an additional layer of security.
The core infrastructure is hosted in the Azure Cloud, West Europe and UK South datacenters. The source code for Software developed in house is stored in private repositories on github.com. Access to source code is restricted to users authenticated by senior management
Our development team employs secure coding techniques and best practices. Developers are formally trained in secure web application development practices upon hire and annually.
Development, testing, and production environments are separated. All changes are peer reviewed and logged for performance, audit, and forensic purposes prior to deployment into the production environment.
Application and infrastructure systems log information to a centrally managed log repository for troubleshooting, security reviews, and analysis by authorised UK Postbox employees. Logs are preserved in accordance with regulatory requirements. We will provide customers with reasonable assistance and access to logs in the event of a security incident impacting their account.
Encryption / SSL
All communications for websites, services and statistics panels are served over SSL. The SSL certificates are cycled every 30 days.
Email communications are not encrypted, and therefore it is the policy of UK Postbox not to use email for sharing confidential information. Any incoming attachments will be removed to ensure that confidential/sensitive attachments are not received. UK Postbox offers secure upload processes to protect customer documentation.
Client Payment / Compliance PCI
UK Postbox is compliant with the Payment Card Industry’s Data Security Standards (PCI DSS 3.2) and can therefore accept or process credit card information securely in accordance with these standards. UK Postbox re-certifies this compliance annually. Identifiable payment information is not stored in-house. Stripe.com and PayPal handle card information and provide a token which is used to access funds. No card information other than the last 4 digits are stored in the database or in logging.
UK Postbox maintains a documented vulnerability management program which includes periodic scans, identification, and remediation of security vulnerabilities on servers, workstations, network equipment, and applications. All networks, including test and production environments, are regularly scanned.