Security handbook · Resilience & Suppliers

Last reviewed: 12 June 2026

Mailbuttons operates no data centre of its own and works as a small remote team, so physical and environmental security rests on two pillars: reliance on our hosting provider and disciplined endpoint hygiene. This policy sets out both honestly.

Purpose and scope

This policy defines how Code Cutter Limited (trading as Mailbuttons) addresses physical and environmental security for production infrastructure and the endpoints used to operate it. It aligns with ISO/IEC 27001:2022 Annex A controls 7.1–7.4 (physical perimeters, entry, securing facilities and monitoring), 7.7 (clear desk and clear screen), 7.9 (security of assets off-premises), 7.10 (storage media), 7.14 (secure disposal or re-use of equipment) and 6.7 (remote working).

Policy

Inherited data-centre controls. All production infrastructure is hosted in Fasthosts' UK data centres. Physical and environmental controls — perimeter and access control, power and uninterruptible supply, cooling, fire detection and suppression, and facility monitoring — are provided and operated by Fasthosts. We rely on their certifications and assurances for these controls and assess them as part of supplier management. We operate no data centre, server room or comms room of our own.

Endpoint physical security. Workstations and devices used to operate Mailbuttons are protected with full-disk encryption, automatic screen locking after a short idle period, and strong authentication. Devices are not left unattended in unsecured or public spaces, and access to production systems is limited to managed, up-to-date endpoints.

Secure remote and home working. As a remote micro-team, work takes place outside any office. Team members maintain a reasonably secure working environment, prevent shoulder-surfing of sensitive information, use trusted networks, and keep work devices physically secure at home and while travelling. Production access uses authenticated, encrypted connections.

Removable media. Customer data is not placed on removable media unless encrypted, and removable media is avoided for production data as a matter of routine.

Clear desk and clear screen. We follow clear-desk and clear-screen practice: sensitive material is not left visible, screens are locked when unattended, and printed material containing sensitive information is avoided and securely destroyed if produced.

Secure disposal. When a device or storage medium reaches end of life or is re-purposed, we securely erase it or render its data irrecoverable before disposal, re-use or recycling. Because endpoints use full-disk encryption, cryptographic erasure combined with secure wiping is our baseline.

Honest statement of posture. This is, by design, largely a reliance-on-supplier and endpoint-hygiene policy. The physical security of servers is inherited from Fasthosts; our direct responsibility is the security of the small number of endpoints and the discipline of the people who use them.

Responsibilities

The ISMS Owner is accountable for this policy, for assessing Fasthosts' physical and environmental assurances under supplier management, and for ensuring endpoints are encrypted, maintained and securely disposed of. Everyone working on Mailbuttons is responsible for the physical security of their devices, clear-desk and clear-screen practice, and secure remote working.

Review

This policy is reviewed at least annually and after any material change, and is approved by the ISMS Owner.

Related: Incident Response Policy, Business Continuity and Disaster Recovery Policy, Supplier Security Policy