Security handbook · People & Access

Last reviewed: 12 June 2026

Mailbuttons is operated by Code Cutter Limited (UK company no. 08453060). This policy sets out how we manage information security across the employment lifecycle, recognising that we are a small, founder-led team where everyone who touches production carries real responsibility.

Purpose and scope

This policy ensures that everyone who works on or with Mailbuttons systems and data understands and meets their security obligations before, during and after their engagement. It supports Annex A controls A.6.1 to A.6.6. It applies to the founder, any employees, and all contractors, freelancers and temporary workers. Contractors and freelancers are bound to exactly the same security requirements as staff; the size of the team is no excuse for weaker practice.

Policy

Pre-employment. Before anyone is given access to systems or customer data, we carry out proportionate identity, reference and background checks appropriate to the role and the sensitivity of the data involved. Everyone signs a confidentiality and non-disclosure agreement covering customer data, secrets and intellectual property. Contractors sign equivalent confidentiality terms in their engagement contract before work begins.

Security in role definitions. Security responsibilities are written into every role. Where the team is one person, the founder holds the role of ISMS Owner and is accountable for operating the controls in this handbook. As the team grows, responsibilities are assigned explicitly rather than assumed.

Onboarding. Access is provisioned on a least-privilege, need-to-know basis in line with the Access Control Policy. New joiners complete security awareness training proportionate to their role, covering phishing, secret handling, the rules on AI-tool use, and incident reporting. Every joiner reads and formally acknowledges the Acceptable Use Policy before receiving production access.

During employment. Everyone keeps their awareness current and follows the Acceptable Use Policy at all times. Because Mailbuttons is itself an AI company, the rules on the use of AI tools are taken seriously: customer data, secrets and confidential information must never be placed into personal or unapproved third-party AI tools, as set out in the Acceptable Use Policy. Everyone has a standing obligation to report suspected security events, weaknesses or near-misses to security@mailbuttons.com without delay and without fear of blame.

Disciplinary process. Security violations are taken seriously. Suspected breaches of policy are investigated proportionately and fairly. Depending on severity and intent, outcomes range from additional training and a formal warning through to termination of employment or contract and, where appropriate, referral to law enforcement. The same process applies to contractors via their engagement terms.

Offboarding. When anyone leaves, all their access to Mailbuttons systems, including Kanidm identities, production hosts, API keys, the executor VM and supplier accounts, is revoked the same day. Company assets, devices and credentials are recovered or invalidated, and any shared secrets they could have known are rotated. Departing individuals are reminded that their confidentiality obligations continue indefinitely after the engagement ends.

Responsibilities

The ISMS Owner is accountable for this policy: for running pre-employment checks, provisioning and revoking access, delivering awareness training and applying the disciplinary process. Every individual, whether staff or contractor, is responsible for meeting their security obligations and reporting concerns promptly.

Review

This policy is reviewed at least annually and after any material change, and is approved by the ISMS Owner.

Related: Acceptable Use Policy, Access Control Policy, Cryptography Policy.