Security handbook · Governance
Last reviewed: 12 June 2026
This is the top-level policy of the Mailbuttons information security management system (ISMS). It sets out management's intent and the principles that all other policies in this handbook elaborate.
Purpose and scope
Mailbuttons operates an Agent Mail API: a tenant-aware JMAP email proxy wrapping a self-operated Stalwart email cluster, letting developers provision email domains and mailboxes and run AI agents on inbound mail. Customers trust us with email content and credentials, and that trust is the core of our business.
This policy applies to all Mailbuttons systems, data, people and suppliers. That includes our Rust/Axum backend, Next.js frontend, PostgreSQL databases, RustFS object storage, VPS hosts, source repositories, SaaS and supplier accounts, domains, and anyone — founder, contractor or sub-processor — who handles Mailbuttons or customer information.
Mailbuttons is the trading name of Code Cutter Limited (UK company no. 08453060), registered office Unit 96 The Maltings Business Centre, Stanstead Abbotts, Ware, Herts, SG12 8HG, UK. We are ICO registered.
Policy
Mailbuttons is committed to protecting the confidentiality, integrity and availability of customer email and platform data. Our information security objectives are:
- Confidentiality — customer email content and credentials are accessible only to the customer and to the minimum systems and people required to operate the service.
- Integrity — data is accurate, and unauthorised or accidental change is prevented or detected.
- Availability — the service and customer data are available when needed, with recoverability after failure.
We are a small, founder-led company. A single founding engineer operates production. We are honest about this: we do not pretend to run separate security teams. Instead we achieve security through strong tooling, careful supplier selection, automation, and segregation of duties where it is feasible. We design controls that one accountable person can actually run and verify.
We commit to:
- The ISO/IEC 27001:2022 control framework. The platform is built to this standard; our formal certification audit begins on the first paid Business contract.
- Compliance with the law, including UK GDPR, EU GDPR and the Data Protection Act 2018, and our ICO obligations.
- A risk-based approach. Effort is directed where risk is highest, governed by our Risk Management Policy and recorded in a risk register and Statement of Applicability.
- Continual improvement of the ISMS through review, incident learning and supplier oversight.
This policy is elaborated by the sub-policies in this handbook, including the Risk Management Policy, the Asset Management Policy, and the Data Classification and Retention Policy. Our canonical sub-processor list is published on the Trust Center at /trust#sub-processors.
Everyone who handles Mailbuttons information has a duty to comply with these policies and to report suspected security weaknesses or incidents promptly to [email protected], which we acknowledge within two UK business days (Annex A 5.24). Non-compliance may lead to corrective action, removal of access, termination of an engagement or contract, and where relevant, regulatory or legal consequences.
Responsibilities
The ISMS Owner (the founder) is accountable for information security, owns this policy and the risk register, approves risk acceptance, and oversees suppliers. Contractors and sub-processors are responsible for following this policy and the controls placed on them. Customers are responsible for safeguarding their own credentials and for configuring data handling appropriately.
Review
This policy is reviewed at least annually and after any material change, and is approved by the ISMS Owner.
Related: Risk Management Policy, Asset Management Policy, Data Classification and Retention Policy.