Security handbook · People & Access

Last reviewed: 12 June 2026

Mailbuttons is operated by Code Cutter Limited (UK company no. 08453060). This policy defines the cryptographic controls we use to protect customer data and secrets, and how we manage the keys that underpin them.

Purpose and scope

This policy ensures that cryptography is used correctly and consistently to protect the confidentiality and integrity of data in transit and at rest. It supports Annex A controls A.8.24 (use of cryptography) and A.5.33 (protection of records). It covers all Mailbuttons systems, data stores, backups and communications, and applies to staff and contractors.

Policy

No home-grown cryptography. We use well-established, peer-reviewed algorithms and reputable, maintained implementations only. We never invent our own cryptographic primitives or protocols.

Data in transit. All network traffic uses TLS 1.2 or higher, with TLS 1.3 preferred, and modern cipher suites; weak protocols and ciphers are disabled. Mail transport uses STARTTLS, with DANE/TLSA records published so that sending servers can verify our certificates and enforce encrypted delivery.

Data at rest. Sensitive data at rest is encrypted with AES-256-GCM. This includes customer secrets such as bring-your-own-key (BYOK) LLM API keys and OAuth tokens, which are encrypted before storage and decrypted only in memory at the point of use.

Backups. Backups are encrypted client-side before they leave our infrastructure, using a key we control, and are stored in the EU with Backblaze. Backblaze never holds the plaintext or the key.

Key management. Keys are generated using cryptographically secure random sources, stored with strictly restricted access, and never committed to source control or shared over chat or email. Keys are rotated on a defined schedule and immediately on suspected compromise. A critical master key, the LLM_KEY_ENCRYPTION_KEY that protects customer secrets, is backed up off-box: because Fasthosts provides no provider-level snapshots, losing the host must not mean losing the ability to recover. That off-box backup is itself protected and access to it is tightly restricted.

Certificate management. Public-facing TLS is terminated through Cloudflare, with Cloudflare origin certificates securing the link between the edge and our origin. Certificates are tracked so they are renewed before expiry, and private keys are stored with restricted access on the systems that need them.

Customer secrets and tokens. Customer BYOK keys and OAuth tokens are treated as the most sensitive data we hold. They are always encrypted at rest, decrypted only transiently for the specific operation that needs them, and never logged.

Responsibilities

The ISMS Owner is accountable for this policy: for selecting approved algorithms, managing keys and their rotation, maintaining the off-box master key backup, and overseeing certificate renewal. Everyone handling keys or secrets must follow the rules in this policy and the Acceptable Use Policy, and must report any suspected key or certificate compromise to [email protected].

Review

This policy is reviewed at least annually and after any material change, and is approved by the ISMS Owner.

Related: Human Resources Security Policy, Acceptable Use Policy, Access Control Policy.