Home 9 PoliteMail Technical Requirements 9 PoliteMail Data Security Compliance

PoliteMail Security

Because Your Data, Is Your Data.
We Protect It.

See How PoliteMail Protects Your Privacy and Data.

PoliteMail primarily processes and stores distribution group membership, employee name and email address data, in order to send the broadcast email, which is classified as PII.  For a complete list of all data processed and stored see our privacy by design page.


Data Privacy and Security

Data Protection Impact Assessment


Privacy and Security Considerations
for the Global Enterprise

Download our Data Privacy Guide – Privacy and Security Considerations for the Global Enterprise for a full overview of all our privacy and security measures -for detailed information regarding privacy and security as it relates to the GDPR, CCPA and other privacy legislation.


Security Documentation Available Under NDA.

Publicly available list of controls available on this page

  • Technical and Organizational Security Measures
  • GDPR Compliant Data Privacy Model
  • SIG Lite Security Assessment
  • CSA Security Assessment
  • ISO27001/13 Complaint Policy and Procedures
  • OWASP Security Assessment
  • 3rd Party Penetration Testing Results

PoliteMail works to limit vulnerabilities through routine, industry-standard operational procedures and regular analysis of the overall systems and application attack surface.

We protect your data by applying least privilege principles, restricting access to systems, services, and data, employing a layered defense model and establishing a regime of testing, monitoring, and analysis.

We utilize employee confidentiality agreements and require role-based security awareness training so each employee understands their role in delivering customer data security and privacy. We review these security role assignments at least quarterly and perform annual security assessments to

Keep Your Email Data Safe.

Because PoliteMail specializes in internal communications, we understand the messages are not public information, which is why we process but never store email messages within our system. We also understand that your employee names and email addresses are considered personally identifiable information (PII) and deserve the same level of protection as any other confidential information. Learn more about how our email measurement technology works, and what data is stored.

Meet Security and Compliance Requirements.

Because PoliteMail specializes in internal communications, we understand the messages are not public information, which is why we process but never store email messages within our system. We also understand that your employee names and email address are personally identifiable information (PII) so securing the data and enabling privacy controls are top priorities.

Dedicated Application Server Environments Enable Custom Controls and Better Performance.

Because PoliteMail provides corporate and enterprise solutions, we offer dedicated cloud services and on-premise software instead of the typical shared, multi-tenant environment. This enables complete isolation of your email data processing system from any other customer, and allows for custom security configurations if required, such as certificate-based connectivity, IP restrictions, and VPNs.

Transparent Technical & Organizational Measures Designed to Protect Your Data.

With PoliteMail, you own your data, and we protect it. We provide completely transparent policies, procedures and documentation for both our operational and software security.

Network Security

PoliteMail is an official Microsoft Gold Partner and Amazon AWS Partner. We host our cloud services on these Tier 1 Cloud Services Providers using virtual private cloud configurations with tightly controlled access to application servers and database servers.

Partner Logos

We annually review our partners SSAE-18 SOC2 reporting, and such network and cloud services provider SOC reporting is available to use directly from our partners using their own self-service portals.

Unlike most SaaS providers, PoliteMail provides our large corporate and enterprise customers with dedicated, fully managed cloud infrastructure. Why is this important? Dedicated servers provides more security control and better performance. The only email and data running through these servers will be generated by your authorized users, and every connection can be restricted using standard WAF, IP restrictions, or certificate based authentication protocols.


2019 Average Uptime

0% Security Incidents 99.97% uptime guarantee.

  • Tier 1 Cloud Services Hosting Providers
  • On-Premise Software option
  • All Customer Data stored on redundant storage
  • Real-time monitoring of application systems and services
Access Management & Controls

Following least privilege principles, access control to production systems within our virtual private cloud network services environments are restricted by security groups and access control lists. Production system access is further limited by requiring domain login with specific IP restrictions and multi-factor administration user authentication.

  • Least privilege principals
  • Role-based security groups
  • Access control lists (ACLs)
  • IP restriction
  • Multi-factor authentication (MFA)
  • Session time-outs after 20 minutes of inactivity
Systems Security

Securing our application systems and services requires standardized procedures and careful configuration management including:

  • System hardening to NIST 800-88 standards including port limitations and disabling of services
  • Configuration management tools to create standardized, pre-tested, pre-configured application system environments
  • Application firewall and access control list configurations
  • Baseline security analysis performed on every new and updated environment
  • Windows systems and security updates downloaded automatically
    upon release, installed during nightly maintenance windows
  • End to end encryption and key management
  • End-point antimalware protection enabled
  • Real-time lagging and event monitoring
User Authentication

Application user identity and access management is controlled by the application user Admin role. User accounts are set-up within the application. When users install the PoliteMail for Outlook COM add-in, they make an initial connection to the PoliteMail application server with their provided credentials. From that point, each time they login to Outlook, they have access to the software.

  • (OAUTH2/Open ID authentication)
  • User role and group administration controls
  • Passwords utilize most recent NIST standard (longer, stronger, non-expiring passwords)
  • SHA256 one-way salted hash methodology for tokens and registry keys
  • User password policy settings to align password length, strength, complexity, expiration and first-use policies to customer requirements
  • Automated user password reset process with email verification loop
  • Strong passwords required. Login to Outlook required. Additional IP restrictions may be configured
Data Encryption

While the PoliteMail application primarily stores recipient names and email addresses, this data is considered personally identifiable information and is protected as customer confidential information. Encryption at all levels reduces the customer data attack surface area. Although encryption does not provide complete isolation of data from systems administrators, we have employed multi-level access controls with separation of key access, systems access and data access to further reduce risk.

  • HTTPS TLS 1.2 enforced for all data in transit
  • AES 256 data encryption for storage and backups
  • Azure Key Vault management system
  • Encrypted message queues for SMTP email
  • “Always Encrypted” SQL Server database level encryption enterprise purchase option for “always encrypted”
Logging, Monitoring & Auditing

Log files are stored local to each application server systems and also consolidated to centralized, non-admin accessible storage which is continually monitored for specific events and error codes.

  • Access to the application, host servers, SMTP and SQL Servers are actively logged and monitored for errors and events.
  • IIS and SQL logging
  • Automatic log out after 20 minutes of inactivity
  • Automatic lock-out after 5 failed login attempts, requires Admin user reset, or automated user password reset process with email verification
  • Logs are continuously monitored for priority event codes, exceptions elevated to administrators though EventViewer.
  • Application system health page and SMTP queue viewer available to customers
Software Lifecycle Security

Application security starts with development. Our products are all developed on the Microsoft Team Foundation Server platform with standard C#, .Net, SQL backend code and a React/Typescript/JavaScript front end. Our developers are trained in security awareness, use only authorized tools and libraries, perform threat modeling processes and check their code during the design, implementation and testing phases against the OWASP Top 10 and SANS/CWE Top 25.

  • Routine static and dynamic code analysis
  • No open source
  • All development performed in-house
  • Manual review of all third-party libraries
  • No dynamic SQL (stored procedures only)
  • OWASP Zed Proxy internal penetration testing on every build
  • All risks documents within our incident management system, all high and medium risk vulnerabilities remediated prior to release
  • Third party penetration tests at least annually
  • Dev, Test and Production environments completely isolated, and access limited by security group and role
Backup and Recovery

SQL database backups occur daily and are replicated to redundant, separate, encrypted cloud storage. Recovery procedures are tested monthly across a rotating subset of instances. Disaster recovery processes and procedures are documented and evaluated annually.

  • RPO: 25hrs
  • RTO: 73hrs
Incident Response and Remediation Processes

PoliteMail has document incident response plans which identify customer communication contacts, process and methodology, and are implemented if and when any data security or privacy incidents emerge. Remediation of all software security, support issues and cases, software defects and vulnerability assessment risks are accomplished using our standardized Team Foundation Server work item tracking and measurement process.

Availability Control

PoliteMail has implemented suitable measures to ensure that Customer Data including Personal Data is protected from accidental destruction or loss. This is accomplished with the following controls:

  • Regular evaluation of data center partners to optimize for systems performance, security, redundancy and disaster recovery
  • Service agreements which ensure a high level of uptime, data redundancy and data security
  • All Customer Data will be stored on redundant cloud storage
  • Backup policies and procedures which provide for a RPO < 25 hours
  • Real-time monitoring of application systems and services
  • Documented business continuity policies and procedures for failover and recovery

Maintain and annually test a disaster recovery plan

Data Protection and Encryption

TLS 1.2 in transit
AES256 at rest
Secure cryptographic key management

PoliteMail has implemented suitable measures to ensure that Customer Data is appropriately segregated for each customer, and Personal Data collected for different purposes can be processed separately

  • Dedicated application servers and SQL databases with dedicated storage drives
  • Business transaction data (sales, contracts, service requests) is separate from application Customer Data
  • Physically separate Production, Test and Development systems
  • Input validation (data entry routines) and checksum validation on post transmissions
Monitoring and Logging

PoliteMail leverages our cloud service partner intrusion detection systems (IIPS), and operates a security incident and event management (SIEM) system which combines commercial and custom tools to collect and examine its application use and system logs for anomalies and specific error code.

Centralized log aggregation with threat analysis and detection, alert notifications of specific errors and threshold exceptions.

Penetration Testing
  • Internal assessments with static and dynamic tests, performed risks remediated prior to release
  • Third-party manual penetration testing at least annually
Security Awareness Training Program

Our employees are regularly trained upon hire and annually to ensure they stay up to date on fundamental information security knowledge. Employees are tested throughout their training to measure their knowledge, re-educate and address gaps where necessary. Based on the employees’ roles within the organization they are trained and tested on the following courses:


Security Awareness Essentials

  • Data Privacy
  • Password management
  • Password Best Practices
  • Identity theft
  • Malware
  • Social engineering
  • Data Security
  • Phishing
  • Physical security
  • Travel safety
  • Mobile data
  • Remote Computing
  • Bring Your Own Device
  • Privacy
  • Acceptable use

Privileged User Security

  • Introduction
  • Threat agents
  • Hackers
  • Spear-phishing
  • Social engineers
  • Malicious insiders
  • Advanced persistent threats
  • Human error
  • Consequences of a breach for the organization
  • Due care
  • Creating long passwords
  • Best practices: Supervisors
  • Best practices: System Administrators & IT
  • Course summary

Baseline Fundamentals of Information Security for IT Professionals

  • Introduction
  • Common forms of attack
  • Network security
  • Cryptography
  • Password management
  • Disaster recovery
  • Best practices