Trust Center
How Mailbuttons protects your data
The information we put in front of every procurement and compliance review — certifications, sub-processors, security controls, incident response.
Last updated 28 May 2026.
Who to contact
Named addresses so a procurement reviewer doesn't have to guess.
Operated by Code Cutter Limited (registered in England & Wales, no. 08453060), trading as Mailbuttons.
Security & vulnerability reports
security@mailbuttons.comData Protection Officer
dpo@mailbuttons.comLegal & contracts
legal@mailbuttons.comSales & contract negotiation
sales@mailbuttons.comWho you're dealing with
Mailbuttons is a small, focused engineering operation. The procurement review is conducted with the person who wrote the code.
Richard Halldearn
Founder
A decade engineering trading systems and market-risk platforms at Morgan Stanley, Deutsche Bank and Credit Suisse, followed by CTO and CEO roles at PE-backed technology companies. MSc Computer Science, Imperial College London. Now runs codecutter.io, a technology advisory practice for PE firms and portfolio boards — and is currently embedded on an AML modernisation programme at a UK retail bank.
Mailbuttons is the email-infrastructure problem he kept hitting in compliance-heavy AI work — built from the inside of regulated-finance projects, not from a startup-blog reading list.
Compliance status
Specific and time-bound. The honest position is more useful than a misleading "we're working on it".
| Standard | Status |
|---|---|
| UK GDPR / EU GDPR | Compliant. We act as Data Processor under our standard DPA when customers process third-party data. |
| ISO/IEC 27001 | Policy set authored to the 2022 control framework and published below. Certification audit begins on first paid Business contract. |
| SOC 2 | Type I scoped to commence Month 12 from first paid Business contract; Type II audit window opens at Month 18. |
| Independent penetration test | First annual third-party penetration test scheduled to coincide with the ISO 27001 audit kickoff. Summary report shared under NDA on request. |
| ICO registration (UK) | Registered. |
Data residency
Customer data — including the contents of email passing through your mailboxes and the audit logs derived from it — is stored within the United Kingdom and European Economic Area. Primary hosting is a UK-based VPS in the Greater London region. Object storage and message-queue infrastructure run on the same UK host.
Customer data leaves the UK/EEA only via two narrow paths: Cloudflare (DNS and edge protection — global edge nodes) and Anthropic (LLM inference, only when the hosted-agent feature is enabled; a customer can disable this and no customer email content leaves the UK/EEA). A third US-incorporated sub-processor, Backblaze, holds encrypted off-site backups in its EU Central region (Amsterdam) — data is encrypted client-side before transit and never leaves the EEA at rest. All transfers are made on the basis of UK Addendum / EU Standard Contractual Clauses.
Multi-region (Frankfurt secondary) is on our roadmap, prioritised against the first Business contract that requires it for buyer-specific residency reasons.
Sub-processors
| Sub-processor | Purpose | Region | First engaged |
|---|---|---|---|
| Stripe Payments UK Ltd | Payment card processing | UK / EU | 2026-02 |
| Stalwart Labs | Email server software (operated by us) | UK | 2025-11 |
| Fasthosts Internet Ltd | VPS hosting (UK data centres) | UK | 2025-11 |
| Cloudflare, Inc. | DNS and edge protection | Global; UK SCCs | 2025-11 |
| Anthropic, PBC | LLM inference for hosted agents (opt-in) | US; SCCs in place | 2026-01 |
| Backblaze, Inc. | Encrypted off-site backup (client-side encryption) | EU Central (Amsterdam); UK Addendum / SCCs | 2026-05 |
Notice commitment
We give 30 days' written notice before engaging any new sub-processor that processes customer personal data. Customers on Business and Enterprise tiers may object in writing, in which case we will work in good faith on an alternative or, failing that, allow exit without further commitment.
Security controls
The substance behind the policies — what we actually do.
Encryption in transit
TLS 1.2 or higher on all customer-facing endpoints (HTTP, JMAP, IMAP, SMTP submission). Inbound mail uses opportunistic STARTTLS. DANE TLSA enforcement is documented but not yet published — see our threat-model note for the trade-off.
Encryption at rest
PostgreSQL data and object storage (RustFS) reside on encrypted volumes. Database backups are encrypted before leaving the host.
Authentication
Customer-facing authentication is OIDC via our managed Kanidm identity provider, with passkey support. Business-tier customers may federate via their own SAML or OIDC identity provider for the admin console.
Access control
Production access is restricted to the founding engineer. All admin actions are logged immutably alongside the customer-facing audit log. Production credentials live in encrypted environment files with 0600 permissions; nothing is committed to source control.
Audit logging
Every policy decision and every administrative action produces an audit row covering sender, verification verdicts, body hash, decision, tokens consumed, output sent. Retained for 7 years on Business and Enterprise tiers; shorter on Free / Developer / Team. Exportable to Splunk, Datadog or Elastic.
Backups & business continuity
Daily PostgreSQL dumps with 30-day retention, written to a separate region. Documented recovery procedure with measured RTO/RPO available on request.
Information security policies
The following policies are maintained and reviewed annually:
- ·Information Security Policy — Top-level statement of intent, scope and responsibilities.
- ·Acceptable Use Policy — What users may and may not do on our systems.
- ·Access Control Policy — How identity, authentication and authorisation are managed.
- ·Cryptography Policy — Key management and approved algorithms.
- ·Incident Response Policy — Detection, escalation, communication, post-incident review.
- ·Business Continuity and Disaster Recovery Policy — RTO/RPO and recovery scenarios.
- ·Supplier Security Policy — How we assess and re-assess sub-processors.
- ·Risk Management Policy — How we identify, score and treat information-security risks.
Vulnerability disclosure
We welcome security research and disclosure. Please report suspected vulnerabilities to security@mailbuttons.com. In return we commit to:
- ·Acknowledging your report within 2 UK business days
- ·Working in good faith toward a fix and keeping you informed of progress
- ·Crediting reporters in any post-fix disclosure, where requested and where coordinated disclosure is observed
- ·Not pursuing legal action against good-faith researchers operating within the scope below
Scope
Endpoints under mailbuttons.com and *.mailbuttons.com are in scope. Out of scope: DoS / DDoS, social engineering of our staff, physical attacks against our suppliers. We do not currently run a paid bug-bounty programme.
Incident response
If we confirm a security incident affecting customer data, we will:
- Notify affected customers within 72 hours of confirmed impact, by email to the technical contact on file.
- Liaise with the UK ICO and any relevant EU supervisory authorities per our UK/EU GDPR obligations.
- Publish a post-incident analysis on this page once the immediate response is complete.
Documents
- Data Processing Agreement
- Privacy Policy
- Terms of Service
- Sub-processor list (on this page)
- Pen-test summary report — available under NDA on request
- Customer security questionnaire (SIG-Lite format) — completed copy available on request
Mailbuttons is early. We update this page as our compliance posture evolves. Material changes are recorded in the page's git history.