Technical and Operational Security

e-shot™ by Forfront is built by design to protect your company and its data, in storage and in transit.

Forfront has over 20 years’ experience of delivering services to the public and private sectors in the UK and globally.

Our commitment to information security is reflected in strict policies, and robust application of processes and standards such as ISO 27001:2013, Cyber Essentials, National Cyber Security Centre (NCSC) 14 principles of Cloud security and NCSC Software as a Service (SaaS) security guidance. 

Detailed information on our security strategy and practices is not made publicly available, but the following information gives an overview of how we ensure information security and implement cybersecurity protection.

The information security challenge 


e-shot offers bulk email and SMS services to public and private sector organisations. There are two main focus points for information security: data stored and data in transit.


Data Stored 


e-shot stores each client’s data in their own database, which ensures robust and complete separation of your data from other clients. All data is stored in secure data centre facilities with no unauthorised access.

Data is encrypted and stored on industry standard, enterprise level database applications. Infrastructure, network equipment and servers are protected by enterprise grade firewalls, antivirus, antimalware, and anti-ransomware end point security protection. All equipment is kept up to date with firmware and critical software updates. 

Information and data are stored and controlled internally in the e-shot data store and processing facilities. 

Account data is backed up regularly. 

Data in transit 


We define two main categories of data in transit: internal, meaning information processed in the e-shot facility between the database, microservices and the MTAs (Mail Transfer Agents, responsible for sending communication externally); and external, meaning communication leaving e-shot to be delivered to its destination.

e-shot internal and external data in transit uses cryptographic protocols with correctly configured certificates using Transport Layer Security (TLS) version 1.2 or higher to encrypt all traffic and ensure secure communications. 

e-shot operations and deliverability teams are responsible for correct infrastructure configuration and authentication. We manage and maintain SPF, DKIM, DMARC and TLS to ensure that every single email sent from the e-shot platform is correctly configured and authorised to send on behalf of the sending organisation. 

We use sophisticated forensic analytics to identify and monitor external activity. 

We use pseudonymisation in e-shot data management and de-identification procedures by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. 

Accounts (and the data within them) are deleted 30-90 days after cancellation. 

The e-shot platform is configured to enforce TLS 1.2 encryption (or higher) to all .gov.uk organisations. 

All other email campaigns are sent using opportunistic TLS, which offers a way to upgrade a plain text connection to an encrypted connection.

Access to data 


e-shot offers its clients a variety of protection levels. 

User access 

  • Individual users are set up and managed by account administrators. 

  • Basic authentication uses complex strong one-way hashed passwords, and each user can set themselves up to use MFA.

The account administrator can: 

  • enforce MFA sign in across the organisation 

  • enable and disable access to users

  • set up MFA individually 

  • set up IP or IP range restricted access 

  • enable users to use SSO with their Microsoft 365 sign in credentials 

  • prompt users to reset their passwords


User privileges (roles) – account administrators set up e-shot users with low basic read only privilege or role-based privileges restricted to activities related to their job and responsibility.


Audit user activity – account administrators have access to users' sign in and main actions performed.

The e-shot Chief Information Security Officer's (CISO) team has access to sign in activity, and constantly monitors our environment for unauthorised activity.


API access – protected by TLS 1.2 encryption and secured token authorisation.

Internal Security  


Forfront and e-shot offices are secured by security access cards and monitored with infrared CCTV. 

Forfront employees have Government Baseline Personnel Security Standard (BPSS) clearance, and access to data is controlled by role-based permissions.

Forfront employees are subject to a strict onboarding process which introduces security policies and awareness from the moment they join the team. 

A CPD program is in place to maintain awareness throughout their term of employment. 

External Security – data centres 


Forfront uses world class, accredited data centres and cloud services located in the UK or UK regions. 

All data centres maintain round-the-clock physical security and are equipped with strict role-based biometric scanners for access and CCTV.

All hold a broad set of industry standard accreditations such as ISO27001 and ISO9001. 

Application security 


Access to the sign in and application pages is protected by:

  • Encryption with TLS 1.2 or above 

  • DDoS protection 

  • All traffic generates security logs 

We perform annual penetration testing and improve security with new technology, policies and processes. 

Cybersecurity 


We deploy a variety of anti-cybercrime measures including:

  • DDoS protection  

  • DDoS mitigation 

  • Brute force protection 

  • Web Application Firewall  

  • Physical enterprise grade firewalls 


Business Continuity 


We maintain plans for disaster recovery that are reviewed and regularly tested:

  • Infrastructure continuity plan 

  • Regular backup of data securely kept at multiple UK sites, sufficiently distant to ensure data is not lost in the event of a disaster 

  • We operate policies for patching internal systems and change control

  • We maintain outage logs and incident response policies 

  • e-shot maintains a live service status monitoring page

  • e-shot uptime in the last 24 months: 99.9483%, and 99.8315% including scheduled maintenance

 

More detailed security information is available on request.