Technical and Operational Security

At Forfront, we're genuinely passionate about making sure your data is secure with e-shot, our communication and digital marketing platform. We've been delivering services for over 20 years to both the UK public and private sectors, and globally too. Our motto, 'we make it simple', extends to how we protect your information. 

Our commitment to security is reflected in our robust policies and processes, aligning with standards like ISO 27001:2022, Cyber Essentials Plus, the National Cyber Security Centre (NCSC) 14 principles of Cloud security, and NCSC Software as a Service (SaaS) security guidance. While we don't share all the specifics of our security strategy publicly, we want to give you an overview of how we keep your information safe. 

The e-shot platform is designed with your company and the protection of your data in mind, both when the data is stored and when it is in transit. We focus on two key areas for information security:

 

Data Stored 

  • e-shot keeps each client's data in its own database, ensuring complete separation and security. 

  • All data is stored in secure data centres with no unauthorised access. 

  • Your data is encrypted and stored on industry-standard, enterprise-level database applications. 

  • Our infrastructure, network equipment, and servers are protected by enterprise-grade firewalls, antivirus, anti-malware, and anti-ransomware endpoint security. 

  • We make sure all our equipment is kept up to date with the latest firmware and critical software updates. 

  • Information and data are controlled and stored internally within e-shot's data store and processing facilities. 

  • Account data is backed up regularly to keep it safe. 

 

Data in Transit 

We define two main categories of data in transit: 

  • Internal Systems: This is information processed within the e-shot facility, moving between the database, microservices, and our Mail Transfer Agents (MTAs), which are responsible for sending external communications. 

  • External Communication: This is data leaving e-shot to be delivered to its destination. 

  • Both internal and external e-shot data in transit use cryptographic protocols with properly configured certificates and Transport Layer Security (TLS) version 1.2 or higher to encrypt all traffic and ensure secure communications. 

  • Our e-shot operations and deliverability teams are responsible for correct infrastructure configuration and authentication. We manage and maintain SPF, DKIM, DMARC, and TLS to ensure every email sent from e-shot is correctly configured and authorised on behalf of the sending organisation. 

  • We use sophisticated forensic analytics to identify and monitor external activity. 

  • We also use pseudonymisation in e-shot data management and de-identification procedures, replacing personally identifiable information fields with artificial identifiers. 

  • For all .gov.uk organisations, the e-shot platform enforces TLS 1.2 encryption (or higher). Other email campaigns use opportunistic TLS, which upgrades a plain-text connection to an encrypted one when the receiving server supports it.

  • Accounts and their data are deleted 30-90 days after cancellation. 

 

Access to Data 

e-shot offers various levels of protection for our clients. 

 

User Access 

  • To ensure robust security, e-shot enforces the use of one of these methods across all accounts and users: Multi-Factor Authentication (MFA), Single Sign-On (SSO) or IP restriction. 

  • Account administrators manage individual users. 

  • Basic authentication uses complex, strong one-way hashed passwords, and each user can set up multi-factor authentication (MFA). 

  • Account administrators can enforce MFA sign-in across the organisation, enable and disable user access, set up MFA individually, set up IP or IP range restricted access, enable users to use Single Sign-On (SSO) with their Microsoft 365 credentials, and prompt users to reset their passwords. 

  • Account administrators set up e-shot users with basic read-only privileges or with role-based privileges restricted to activities related to their job.

  • Account administrators can audit user activity, including sign-ins and main actions performed. 

  • Our Chief Information Security Officer's (CISO) team also has access to sign-in activity and constantly monitors our environment for unauthorised activity. 

  • API access is protected by TLS 1.2 encryption and secured token authorisation. 

 

Internal Security 

  • Our Forfront and e-shot offices are secured by access cards (logged) and monitored with infrared CCTV. 

  • Forfront employees undergo Government Baseline Personnel Security Standard (BPSS) clearance, and access to data is controlled by role-based permissions. 

  • All Forfront employees go through a strict onboarding process that introduces security policies and awareness from day one. We also have a Continuous Professional Development (CPD) programme to maintain this awareness throughout their employment. 

 

External Security - Data Centres 

  • Forfront uses world-class, accredited data centres and cloud services located within the UK or UK regions. 

  • All our data centres maintain round-the-clock physical security, equipped with strict role-based biometric scanners for access and CCTV. 

  • They also hold a broad range of industry accreditations, such as ISO 27001 and ISO 9001.

 

Application Security 

Access to our sign-in and application pages is protected by: 

  • Encryption with TLS 1.2 or above. 

  • DDoS protection. 

  • All traffic generates security logs. 

  • We conduct annual penetration testing and continuously improve our security with new technology, policies, and processes. 

  • We also maintain a Vulnerability Disclosure Policy (VDP) to work with the security community and address any potential vulnerabilities proactively. You can find details on how to report a security issue on our website at https://www.e-shot.net/report-a-security-issue. 

 

Cybersecurity 

We deploy a variety of anti-cybercrime measures, including: 

  • DDoS protection and mitigation. 

  • Brute force protection. 

  • Web Application Firewall. 

  • Physical enterprise-grade firewalls. 

 

Business Continuity 

  • We maintain disaster recovery plans that are regularly reviewed and tested. 

  • This includes an infrastructure continuity plan and regular, secure backups of data at multiple, sufficiently distant UK sites to prevent data loss in the event of a disaster. 

  • We operate policies for patching internal systems and change control. 

  • We maintain outage logs and incident response policies. 

  • e-shot also has a live service status monitoring page. 

  • Our uptime in the last 24 months has been 99.9678%, and 99.9920% for API including scheduled maintenance. 

 

Last Updated: June 1, 2025