Security handbook · Governance
Last reviewed: 12 June 2026
This policy defines how Mailbuttons classifies information, how each class must be handled, and how long we keep data before securely deleting it. It supports the Information Security Policy and implements the data-minimisation and storage-limitation principles of UK and EU GDPR.
Purpose and scope
The purpose is to ensure every piece of information we hold is protected in proportion to its sensitivity and kept no longer than necessary. It applies to all Mailbuttons data across our databases, object storage, hosts and supplier accounts (Annex A 5.12, 5.13).
Policy
Classification tiers
We use four tiers, from least to most sensitive:
- Public — information intended for publication (marketing pages, this handbook, the Trust Center).
- Internal — operational information not for publication (internal docs, non-sensitive configuration).
- Confidential — sensitive business information (contracts, internal logs, supplier credentials, secrets).
- Customer Data — the most sensitive tier: customer email content, credentials, API keys, OAuth tokens, and account information. This is what customers trust us with and receives our strongest controls.
Handling rules
- Public — no confidentiality controls; integrity is protected (only authorised changes are published).
- Internal — access limited to the team and contractors who need it.
- Confidential — encrypted at rest and in transit; access on a least-privilege basis under the Asset Management Policy; never shared outside Mailbuttons without authorisation. Secrets (customer API keys, OAuth tokens) are encrypted at rest with AES-256-GCM. The critical master key (LLM_KEY_ENCRYPTION_KEY) is backed up off-box.
- Customer Data — strictest handling. Encrypted in transit with TLS 1.2+/1.3 and at rest; off-site backups are client-side encrypted with a key we control (Backblaze, EU/Amsterdam). Access is minimised and recorded in a customer-facing immutable audit log. We never use customer data to train models; if a customer opts into the hosted-agent LLM feature, content sent to Anthropic (US) is under Standard Contractual Clauses and is not used for training.
Data residency
Data is held in the UK/EEA by default, and customer email content stays in the UK/EEA — unless the customer opts into the hosted-agent LLM feature, in which case the relevant content is processed by Anthropic in the US under SCCs. The canonical sub-processor list is published at /trust#sub-processors.
Retention schedule
We retain data only as long as necessary:
- Account data — 7 years after account closure.
- Audit logs — 7 years.
- Support communications — 3 years.
- Connected-account OAuth tokens — only while the connection is active.
- Email content — per the customer's configuration.
Secure deletion
On expiry of a retention period, or on a valid customer or data-subject request, data is securely deleted so that it is rendered unrecoverable, including from backups within the normal backup-rotation window (Annex A 8.10). Customers can configure email-content retention to suit their own obligations, and we support data-subject rights under GDPR. Deletion requests are directed to dpo@mailbuttons.com.
Responsibilities
The ISMS Owner classifies data, sets and enforces handling and retention rules, and oversees secure deletion. Anyone handling Mailbuttons data must apply the correct tier's controls and report any misclassification or exposure to security@mailbuttons.com. Data-subject and customer deletion requests are handled via dpo@mailbuttons.com.
Review
This policy is reviewed at least annually and after any material change, and is approved by the ISMS Owner.
Related: Information Security Policy, Risk Management Policy, Asset Management Policy.