GDPR Compliance

Introduction

InboxJet ("InboxJet", "we", "us", "our") values the trust that our customers place in us by letting us act as custodians of their data. We take our responsibility to protect and secure your information seriously and strive for complete transparency around our security practices detailed below. Our Privacy Policy also further details the ways we handle your data.

This Statement complements InboxJet's Information Security Policy and provides a summary of the company's internal security policies and procedures. The Statement's aim is to provide assurance to interested parties about the security of the SaaS applications, as well as the data contained within them.

If you have any questions about the below, please contact us at support@inboxjet.app

Governance

InboxJet has implemented governance, risk management, and compliance practices that align with the most globally recognized information security frameworks and has further implemented an Information Security Management System (ISMS) to manage and continually improve its information security posture.

InboxJet takes a risk-based approach to information security aligned with ISO 27001 and the GDPR framework.

Organization of Information Security

Information security roles and responsibilities are well defined within InboxJet. We take information security very seriously and have representation and sponsorship at the executive level by the Chief Technology Officer (CTO), with support from the CEO.

The company has trained and experienced staff developing and operating information systems. InboxJet has implemented segregation of duties to protect critical functions. Security is considered in all projects the company undertakes.

Mobile Device Management (MDM) and other controls are in place to reduce the risks of InboxJet employees working remotely and with mobile devices.

Securing Individuals

InboxJet carefully screens people who do work for, or on behalf of, the company. Everyone at InboxJet is trained in and aware of information security and data protection.

The company requires confidentiality and nondisclosure from all those who work for InboxJet, both during and after employment.

Disciplinary action is enforced for noncompliance with corporate policy.

The company maintains high ethical standards that are defined and enforced through InboxJet's code of conduct.

Assets

InboxJet inventories and labels all information assets and information systems to manage appropriate access and facilitate effective patch management and incident response.

Customer data is classified at the highest classification level to facilitate proper identification and handling as defined in the company's Information Classification Policy, which is regularly communicated through training.

Personal data/PII is treated with the highest confidentiality and we take appropriate measures to protect it.

Staff are trained on the dangers of physical media and avoid using it wherever possible. Approval is required before storing or printing customer data on physical media.

Identity and Access Management

The Principle of Least Privilege (POLP) is enshrined at InboxJet in policy and in culture.

Access is granted on a Need to Know or Need to Use basis only.

User access procedures are documented, and access is revoked the moment it is no longer required.

The company conducts user access audits and reviews administrative logs periodically. InboxJet publishes and enforces an internal Password Standard Policy.

Physical Security

Access to InboxJet's sites is restricted with additional layers of security around information and communications infrastructure. The company monitors site access, and third parties require business justification and an escort for access. InboxJet enforces a clear desk and clear screen policy.

Operations

InboxJet has documented procedures for all standard operations and tight control over Change Management governed by the Change Management Policy.

A dedicated DevOps team monitors and manages the production platform. InboxJet deploys malware controls to reduce the chance and impact of infections.

Audit and event logs are captured, protected and regularly reviewed, as defined by the Logging Policy.

InboxJet regularly takes and tests backups and builds multiple layers of redundancy into the company's platform, as defined by the Backup and Retention Policy.

The deployment process makes it impossible to install software on live production systems.

InboxJet runs a vulnerability management program based on the Common Vulnerability Scoring System (CVSS).

Networks and Communications

InboxJet hardens all network services and firewalls.

Continuous compliance monitoring is run to detect changes to secure configurations.

Segregation principles are used at multiple levels for security, redundancy and performance.

InboxJet provides guidance on the safe methods of information transfer and trains users on the risks.

NDAs are required from all parties that have or may have access to sensitive information resources.

Development

InboxJet considers security requirements for every piece of work that goes through the company's Software Development Life Cycle (SDLC).

The company regularly scans public APIs for vulnerabilities.

All development activity follows InboxJet's secure SDLC, which is actively monitored and governed by the Secure Development Policy.

Security testing is conducted as part of all tasks with security requirements and for all software deployments, and includes testing against known standards, such as OWASP.

Multiple security gates are baked into the SDLC processes and are enforced by the two-person rule.

InboxJet minimizes outsourced development and applies additional controls to manage risks of code produced by third parties.

InboxJet mandates and enforces the separation of development, testing and production environments to improve code quality and reduce errors.

Suppliers

InboxJet closely manages suppliers using risk management principles.

InboxJet performs additional vulnerability checking on dependencies in the supply chain and addresses findings in accordance with the Information Security Policy.

Incident Management

InboxJet maintains a security incident response process that covers the initial response, investigation, customer notification (no less than as required by applicable law), public communication, and remediation. This process is reviewed regularly and tested bi-annually.

Breach Notification

Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if InboxJet learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our obligations under applicable country-level, state and federal laws and regulations, as well as any industry rules or standards applicable to us. We are committed to keeping our customers fully informed of any matters relevant to the security of their account and to providing customers all information necessary for them to meet their own regulatory reporting obligations.

Business Continuity

InboxJet has a documented Business Continuity Plan, recovery procedures and a trained response team.

To minimize service interruption due to hardware failure, natural disaster, or other catastrophe, we implement a disaster recovery program at all our data center locations. This program includes multiple components to minimize the risk of any single point of failure. For business critical applications, application data is replicated to multiple systems within the data center and, in some cases, replicated to secondary or backup data centers that are geographically dispersed to provide adequate redundancy and high availability. High-speed connections between our data centers help to support swift failover.

Antivirus and Malware Protection

InboxJet ensures that antivirus and malicious code protection are centrally managed and configured to retrieve the latest available signatures and definitions. Malicious code protection policies automatically apply updates to these protection mechanisms. Antivirus tools are configured for scheduled scans, virus detection, real-time scanning of file write activity and signature file updates. Laptop and remote users are covered under virus protection.

Compliance

InboxJet identifies and tracks regional security requirements to ensure compliance. Staff are required to observe intellectual property rights.

InboxJet's Data Protection Program, backed by the Data Protection Policy, ensures the company maintains privacy compliance within regional regulatory contexts.

Care is taken with the use of cryptographic techniques and methods to ensure compliance with laws and regulations.

External audits to review the company's information security implementation are conducted annually, at a minimum.

InboxJet's Platform is penetration tested by a specialist third-party firm annually, at a minimum.

Last Updated: March 18, 2025