Is my mail secure?

We have many security measures in place to protect your account, your identity, and your physical mail. Here's a broad overview of our security management and policy.

Privacy and data use

Your account and identity are protected under our privacy policy: https://www.virtualpostmail.com/about-us/privacy-policy. We do not share your personal information with third parties unless we are served with proper documentation such as a subpoena or court order. We do not sell, rent, or provide your data to outsiders unless you yourself grant them access. We may use your information with third-party partners (e.g. CRM systems, AWS, email system) to provide the services that we offer to you.

Data access, logging, and auditing

We host our entire infrastructure on Amazon Web Services, which is fully SOC2 and HIPAA compliant. Access to production data is strictly limited to production-level systems admins, and is audited and logged to a separate AWS security account that is used purely for storing audit logs, which cannot be altered or deleted (append-only).

By default, we do not open and scan the content of mail arriving at our facility, so if you wish to maintain the privacy of your mail contents, you do not need to use our scanning service and can instead have the mail shipped out. Should you opt to use the scanning service, the processing that mail goes through is extremely fast-paced, meaning that our mail scanners are not able to read the content of your documents.

Physically, we protect your mail with 24/7 security monitoring at our facility, and only authorized persons can access our mail storage and scanning rooms. Specific Customer Support personnel will also have access to your mail data, but that access is also audited, logged, and authorized on a per-transaction level.

Physical mail purging and shredding

Physical mail is shredded on-site using a mobile shredding service. This means that mail does not leave our facility for shredding but is shredded directly on-site for security.

Data storage

All data is stored on U.S.-based AWS servers. Specifically, the main region we work with is the AWS US East region.

Data leaves the U.S. if and when it is accessed by your users outside the U.S. For example, if one of your users logs in from Asia, the data travels through the network to that user's location. You would need to ensure that your users do not access data from outside the U.S. if you wish to have data stay within the U.S. network.

All mail data is stored on AWS S3 and encrypted at rest using AES-256 through AWS KMS.

Data in transit uses SSL certificates generated by AWS ACM for all sites and apps hosted on AWS. Our customer portal site is hosted separately on Netlify and uses Netlify's own certificate system. Sites fronted by Cloudflare use Cloudflare's certificate system.

Data breach

We will notify you in case of a data breach. We will first assess and confirm the data breach and the extent of the breach through data forensics. Once the breach is confirmed, we will issue a notification within 30 days.

Vulnerability management policy

As our entire server infrastructure is hosted on AWS, we do the following:

  • We go through Discovery, Planning, Remediation, and Validation phases for vulnerability assessments.
  • We subscribe to technical vulnerability reporting databases, assess whether vulnerabilities apply, and then prioritize fixing these.
  • We currently do not have penetration testing done, but we are preparing to get SOC2 certified in the near future, with penetration tests done at the same time.
  • Our servers are always kept up-to-date and automatically patched on a periodic basis. We do this by bringing up new servers and taking down old ones rather than patching servers, which keeps our servers in a constantly pristine state.
  • All critical data (mail data, files and images) are hosted on S3 and RDS, which are fully managed by AWS and follow their vulnerability management. The AWS services we use are fully SOC2, HIPAA, and NIST compliant.
