The Internal Communication Platform that plugs into Outlook.

 

Security

Because your data is your data. We protect it.

PoliteMail works to limit vulnerabilities through routine, industry-standard operational procedures and regular analysis of the overall systems and application attack surface.

We protect your data by applying least privilege principles, restricting access to systems, services and data, employing a layered defense model and establishing a regime of testing, monitoring and analysis.

We utilize employee confidentiality agreements and require role-based security awareness training so each employee understands their role in delivering customer data security and privacy. We review these security role assignments at least quarterly and perform annual security assessments to

Keep your email data safe.

Because PoliteMail specializes in internal communications, we understand the messages are not public information, which is why we process but never store email messages within our system. We also understand that your employee names and email addresses are considered personally identifiable information (PII) and deserve the same level of protection as any other confidential information. Learn more about how our email measurement technology works, and what data is stored.

Meet security and compliance requirements.

Because PoliteMail specializes in internal communications, we understand the messages are not public information, which is why we process but never store email messages within our system. We also understand that your employee names and email addresses are personally identifiable information (PII), so securing the data and enabling privacy controls are top priorities.

Dedicated application server environments enable custom controls and better performance.

Because PoliteMail provides corporate and enterprise solutions, we offer dedicated cloud services and on-premise software instead of the typical shared, multi-tenant environment. This enables complete isolation of your email data processing system from any other customer, and allows for custom security configurations if required, such as certificate based connectivity, IP restrictions, and VPNs.

Transparent technical & organizational measures designed to protect your data.

With PoliteMail, you own your data, and we protect it. We provide completely transparent policies, procedures and documentation for both our operational and software security.

Network Security

PoliteMail is an official Microsoft Gold Partner and Amazon AWS Partner. We host our cloud services on these Tier 1 Cloud Services Providers using virtual private cloud configurations with tightly controlled access to application servers and database servers.


We annually review our partners' SSAE-18 SOC2 reporting, and such network and cloud services provider SOC reporting is available to use directly from our partners using their own self-service portals.

Unlike most SaaS providers, PoliteMail provides our large corporate and enterprise customers with dedicated, fully managed cloud infrastructure. Why is this important? Dedicated servers provide more security control and better performance. The only email and data running through these servers will be generated by your authorized users, and every connection can be restricted using standard WAF, IP restrictions, or certificate-based authentication protocols.

99.97% average uptime in 2017. 0% security incidents. 99.9% uptime guarantee.

  • Tier 1 Cloud Services Hosting Providers
  • On-Premise Software option
  • All Customer Data stored on redundant storage
  • Real-time monitoring of application systems and services

Access Management & Controls

Following least privilege principles, access to production systems within our virtual private cloud network services environments is restricted by security groups and access control lists. Production system access is further limited by requiring domain login with specific IP restrictions and multi-factor authentication for administration users.

  • Least privilege principles
  • Role-based security groups
  • Access control lists (ACLs)
  • IP restriction
  • Multi-factor authentication (MFA)

Systems Security

Securing our application systems and services requires standardized procedures and careful configuration management including:

  • System hardening including port limitations and disabling of services
  • Configuration management tools to create standardized, pre-tested, pre-configured application system environments
  • Application firewall and access control list configurations
  • Baseline security analysis performed on every new and updated environment
  • Windows systems and security updates downloaded automatically upon release, installed during nightly maintenance windows
  • End to end encryption and key management
  • End-point protection enabled
  • Real-time services and event monitoring

User Authentication

Application user identity and access management is controlled by the application user Admin role. User accounts are set up within the application. When users install the PoliteMail for Outlook COM add-in, they make an initial connection to the PoliteMail application server with their provided credentials. From that point, each time they log in to Outlook, they have access to the software.

  • Coming in 2018 (OAUTH2 authentication)
  • User role and group administration controls.
  • User passwords utilize the most recent NIST standard (longer, stronger, non-expiring passwords)
  • SHA256 one-way salted hash methodology
  • User password policy settings to align password length, strength, complexity, expiration and first-use policies to customer requirements
  • Automated user password reset process with email verification loop.
  • Strong passwords required. Login to Outlook required. Additional IP restrictions may be configured.
  • Current authentication methodology details (link to KB article).

Data Encryption

While the PoliteMail application primarily stores recipient names and email addresses, this data is considered personally identifiable information and is protected as customer confidential information. Encryption at all levels reduces the customer data attack surface area. Although encryption does not provide complete isolation of data from systems administrators, we have employed multi-level access controls with separation of key access, systems access and data access to further reduce risk.

  • TLS 1.2 enforced for all data in transit
  • AES 256 data encryption for storage and backups
  • Key management system
  • Encrypted message queues for SMTP email
  • *Coming in 2018 – “Always Encrypted” SQL Server database level encryption

Logging, Monitoring & Auditing

Log files are stored locally on each application server system and also consolidated to centralized, non-admin-accessible storage, which is continually monitored for specific events and error codes.

  • Access to the application, host servers, SMTP and database servers is logged, including logins, failed attempts, and certain system operations and events
  • Standard IIS and SQL logging
  • Automatic log out after 20 minutes of inactivity
  • Automatic lock-out after 5 failed login attempts; requires Admin user reset, or automated user password reset process with email verification
  • Logs are continuously monitored for high priority events and codes; exceptions are elevated to administrators through Event Viewer and manually reviewed
  • Application system health page available to customers

Software Lifecycle Security

Application security starts with development. Our products are all developed on the Microsoft Team Foundation Server platform with standard C#, .NET, SQL backend code and a React/TypeScript/JavaScript front end. Our developers are trained in security awareness, use only authorized tools and libraries, perform threat modeling processes and check their code during the design, implementation and testing phases against the OWASP Top 10 and SANS/CWE Top 25.

  • Routine static and dynamic code analysis
  • No open source
  • All development performed in-house
  • Manual review of all third-party libraries
  • No dynamic SQL (stored procedures only)
  • OWASP Zed Proxy internal penetration testing on every build
  • All risks documented within our incident management system; all high and medium risk vulnerabilities remediated prior to release
  • Third party penetration tests on every major release, at least annually
  • Dev, Test and Production environments completely isolated, and access limited

Backup and Recovery

SQL database backups occur daily and are replicated to redundant, separate, encrypted cloud storage. Recovery procedures are tested monthly across a rotating subset of instances. Disaster recovery processes and procedures are documented and evaluated annually.

  • RPO: 25hrs
  • RTO: 73hrs

Incident Response and Remediation Processes

PoliteMail has documented incident response plans which identify customer communication contacts, process and methodology, and are implemented if and when any data security or privacy incidents emerge. Remediation of all software security, support issues and cases, software defects and vulnerability assessment risks is accomplished using our standardized Team Foundation Server work item tracking and measurement process.

Availability control

PoliteMail has implemented suitable measures to ensure that Customer Data including Personal Data is protected from accidental destruction or loss. This is accomplished with the following controls:

  • Regular evaluation of data center partners to optimize for systems performance, security, redundancy and disaster recovery
  • Service agreements which ensure a high level of uptime, data redundancy and data security
  • All Customer Data will be stored on redundant storage
  • Backup policies and procedures which provide for a RTO < 25 hours
  • Real-time monitoring of application systems and services
  • Documented policies and procedures for failover and recovery
  • Maintain and annually test a disaster recovery plan

Data Protection and Encryption

  • TLS 1.2 in transit
  • AES256 at rest
  • Secure cryptographic key management

PoliteMail has implemented suitable measures to ensure that Customer Data is appropriately segregated for each Customer and Personal Data collected for different purposes can be processed separately.

  • Dedicated application and database servers and dedicated storage per customer
  • Business transaction data (sales, contracts, service requests) is separate from application Customer Data
  • Physically separate Production, Test and Development systems

Monitoring and Logging

  • Log aggregation
  • Security information and event management (SIEM) solution for more analysis and threat detection
  • Alert notifications when specific errors occur and thresholds are exceeded

PoliteMail leverages our cloud service partners' intrusion detection systems (IDS), and operates a security incident and event management (SIEM) system which combines commercial and custom tools to collect and examine its application use and system logs for anomalies and specific error codes.

Penetration testing
  • Input validation (data entry routines) and checksum validation on post transmissions
  • Session time-outs after 20 minutes of inactivity

Software Security

Protect your backend from excess traffic by configuring standard or burst rate-limits for each method in your REST APIs

Security documentation available under NDA.

  • Technical and Organizational Security Measures
  • GDPR Compliant Data Privacy Model
  • SIG Lite Security Assessment
  • CSA Security Assessment
  • ISO27001/13 Compliant Policy and Procedures
  • OWASP Security Assessment
  • 3rd Party Penetration Testing Results
