Technical and Operational Security

e-shot is built to protect your company and its data when managing your communications. We’ve worked hard to ensure our infrastructure and the team behind it are world class. By using the NCSC’s 14 principles of Cloud security and the framework of ISO 27001:2017, our team of experts works tirelessly to ensure the safety and security of your data.

If you would like more detail than is given below, you can also read our full response to the NCSC principles document.


  • Network firewall rules govern what can access our infrastructure.

  • Web Application Firewalls detect and block malicious web requests. 

  • Role-based permissions are used to control staff access to systems and data.

  • Our web login page and API enforce rate limiting to protect against brute-force attacks.

  • Web portal login can be further protected by optional two-factor authentication. 

  • Staff administrative access to infrastructure is tightly controlled and employs multi-factor authentication protection. 

  • A monthly patching cycle is in place to ensure the latest security updates have been applied. 

  • Your account access rights (import, export, read, write and send) are configurable to your needs and managed by your administrator user. 

  • All your users are set up in the platform by your administrator. Verification is by email and SMS. 

  • Annual independent penetration testing is performed. 

  • We are Cyber Essentials Certified.  

  • Accounts (and the data within them) are deleted 90 days after cancellation. 


  • All data is virus scanned when uploaded to the platform. 

  • Virus scan technology is implemented throughout our infrastructure. 

  • As well as data security, reputation management and authentication, we also continually monitor data and campaigns to keep our system clean as part of our abuse prevention work. 

  • Employees are BPSS checked. 

  • Event logging and account auditing are in place.



  • Only Cloud Service Providers with industry-leading uptime SLAs are used.

  • Our data centres are connected to the internet with redundant internet links, and bandwidth can be easily upgraded when required.

  • We use secure data centres within the UK. All hold a broad set of industry-standard accreditations such as ISO27001 and ISO9001.

  • Business Continuity and Disaster Recovery policies and procedures are in place and are tested. 

  • There is redundancy at every component and service level, as well as spare capacity, so we can scale our servers on demand. This means we can continue to run for prolonged periods even after experiencing major component failures, and we don’t run out of space. 

  • Backup data is securely kept at multiple UK sites, sufficiently distant to ensure data is not lost in the event of a disaster. 

  • The platform employs anti-DoS and DDoS technology. 


Pseudonymisation and Encryption 

  • Data is transferred over TLS. 

  • Data is secured at rest using AES encryption. 

  • Email campaigns are sent using opportunistic TLS, with authentication and validation systems such as DKIM and DMARC.

  • Platform passwords are one-way hashed. 

If you would like any additional information regarding our security measures, just contact us via the live chat with details of your request.