During the process of receiving private equity investment from Foresight Group, Postworks went through a rigorous technical due diligence process. The DD was completed by a company called Cloud Origin who have advised on deals in excess of $21 Billion USD. The CEO of Cloud Origin, Richard Hall was so excited by the Postworks offering, that he now sits on our board as a non-executive technical director and is integral in shaping strategy (inc data security).
High level certifications, memberships and data security achievements include:
Architecture and development process
Architecturally, we are utilising AWS systems for our hardware requirements including encrypted RDS databases, IAM and IP access controlled S3/Glacier file storage all located within UK geography, with encrypted databases and file backups stored on AWS Ireland instances.
All file transfers are secured with SSL. We leverage AWS security standards, together with their compliance mechanisms.
- By design, account data is logically compartmentalised, so that users can only access data from their own account, even then PDF's are never directly exposed to the user, but instead a temporary file image is shown
- We operate fortnightly development cycles with pre-deployment vulnerability testing as part of our standard testing
- Servers and cloud applications are patched weekly, if required
- Our developers are full-time with IP and IAM restricted access to live data
Penetration testing
We conduct routine pen testing.
Security is in our foundation
Security is fundamental and is approached with a continuous improvement mindset. The Postworks Pyramid is part of our culture and makes it clear to all employees that Security is the base layer of all that we do.
User access control
User access controls are industry standard.
User password complexity
Current user password requirements are 8 characters with one number, which according to Kaspersky could be brute-forced with an average home computer in 12 days.
Data retention periods
Data retention periods vary according to statutory requirements (eg Legal, Financial etc). Client uploads are held for a maximum of 365 days for archive benefits at which time they are securely wiped using a DoD 5220.22-M algorithm.
Data transfer
All communication between end-users and PostworksHUB™, Postworks API, Postbox for Windows™, PostboxServer™ and PostboxPrint™ is encrypted through our SSL certificates, that use RSA 4096 and 2048 bit keys.
Further to this, all internal communication between Postworks API’s and resources is done through the same SSL encryption mechanism, so that no information is exchanged unencrypted.
Production process
Production data (eg your post items) is downloaded from AWS on demand by the Production team, printed and deleted automatically upon successful printing. This ensures that no client data is held within our production site overnight.
A 2D integrity barcode is applied to every second page of uploaded PDF's. This translates to a barcode on every sheet of paper.
Our production equipment reads those 2D marks and ensures that each sheet is reconciled and inserted only with other pages belonging to that postal item to ensure the integrity of the contents of every envelope.
Returns process and waste security
All undelivered items are returned to Postworks by Royal Mail.
The 2D barcode is scanned through the envelope window into our system, flagging these items as returned.
These items and other physical data (eg misprints and reprints) are securely shredded on-site using industrial micro-cut shredders compliant with ISO 9001 / BS EN 15713.
Ongoing staff training and staff engagement
All employees are trained with regard to data protection, GDPR and the definition of Personal Data.
During induction and throughout employment, employees are regularly tested on information security knowledge based on training given.
In addition, ongoing training is provided every three months. Additional client specific data security training is conducted routinely with all staff on behalf of other major clients eg NHS specific data security training.
We financially incentivise staff to identify and report data security improvement opportunities which has led to product upgrades and process refinement.
For more information about how we process data, please refer to our Data Processing Agreement (DPA) contained within our standard terms (Clause 10)