Security handbook · People & Access

Last reviewed: 12 June 2026

Mailbuttons is operated by Code Cutter Limited (UK company no. 08453060). This policy sets out how company systems, data and devices may be used, and the security practices everyone must follow. It applies equally to staff, contractors and freelancers.

Purpose and scope

This policy protects the confidentiality, integrity and availability of Mailbuttons systems and customer data by defining acceptable and prohibited use. It supports Annex A controls A.5.10, A.8.1 and A.6.7. It applies to everyone who uses company accounts, devices, source code, infrastructure or customer data, on any device, in any location.

Policy

Acceptable use. Company systems, data and devices are provided for legitimate work in operating and improving Mailbuttons. Customer data is accessed only when there is a genuine operational need, and only the minimum necessary. Treat all customer email content and metadata as confidential.

Prohibited activities. Do not use company systems for unlawful, fraudulent or harassing purposes; do not attempt to bypass security controls, tenant isolation or the executor sandbox; do not install unauthorised software on production systems; do not exfiltrate, copy or retain customer data outside approved systems; and do not share company accounts or credentials with anyone.

Authentication. Use the company-approved password manager for all credentials. Multi-factor authentication is mandatory; we use Kanidm with passkeys as the primary factor. Never reuse passwords across services and never disable MFA.

Device security. Any device used to access company systems must have full-disk encryption enabled, automatic screen lock after a short idle period, a strong unlock secret, and security patches applied promptly. Keep operating systems and browsers up to date. Lost or stolen devices must be reported to security@mailbuttons.com immediately.

Clear screen and desk. Lock your screen whenever you step away. Do not leave secrets, customer data or unlocked sessions visible or unattended.

Handling secrets and credentials. Secrets, API keys, OAuth tokens and customer credentials must never be committed to source control, pasted into chat or email, or stored in plain text. Use the approved secret manager and the encrypted stores described in the Cryptography Policy. If a secret is exposed, treat it as compromised, report it, and ensure it is rotated.

AI usage. Mailbuttons is an AI company, so the way we use AI tools matters. Do not put customer data, secrets, credentials or confidential information into personal or unapproved third-party AI tools, chatbots or assistants. Use only company-approved AI tools, and only with data that is approved for that tool. Our production LLM provider (Anthropic, opt-in, under SCCs) does not train on customer data; that approval does not extend to personal accounts or other AI services. When in doubt, ask before you paste.

Reporting. Everyone has a duty to report suspected security events, weaknesses, phishing attempts and near-misses to security@mailbuttons.com, which acknowledges reports within two UK business days. Reporting promptly and in good faith is always the right thing to do and will never itself lead to disciplinary action.

Responsibilities

The ISMS Owner is accountable for maintaining this policy, approving tools and investigating reports. Every individual is responsible for following these rules on every device they use for company work and for reporting concerns promptly. Misuse is handled under the disciplinary process in the Human Resources Security Policy.

Review

This policy is reviewed at least annually and after any material change, and is approved by the ISMS Owner.

Related: Human Resources Security Policy, Access Control Policy, Cryptography Policy.