New terms of use - 2024

These terms will apply from Monday 3 June 2024.

If you use GOV.UK Notify on or after this date, you automatically accept the new terms.

These terms apply to the way you use GOV.UK Notify.

You accept our terms of use when you create an account.

You must keep to the terms. If you do not, we will stop sending your messages.

Before using Notify

Make sure that GOV.UK Notify meets your organisation’s standards for:

  • using, processing, storing and sending information
  • cyber security
  • data protection

You must complete this process:

  • before you submit a request to go live
  • at regular intervals once your service is live

To help you do this, we’ve published details of Notify’s approach to security.

When using Notify

  1. Report any security breaches immediately to report@digital.cabinet-office.gov.uk. This includes the suspected compromise of team members’ sign-in details or authentication factors, the suspected compromise of API keys and certificate warning messages.
  2. Make sure each live service you add is unique. If you add similar or duplicate services we will stop your allowance of free text messages.
  3. Check you have the appropriate consent from recipients before using their personal data.
  4. Make sure the data you add to Notify is accurate and complies with data protection legislation.
  5. Only send messages that meet the GOV.UK Service Manual standards for writing text messages and emails or writing effective letters.
  6. Do not send unsolicited messages. Only send messages related to a transaction or something the recipient has subscribed to be updated about.
  7. Do not send messages with abusive or offensive content.

Signing in to Notify

  1. You must sign in to the Notify website using a work-managed device. We recommend that, as a minimum, your device meets the requirements of the National Cyber Security Centre (NCSC) Cyber Essentials Scheme. If possible, your device should use a protective Domain Name System (DNS) service, for example the NCSC’s PDNS.
  2. You must sign in to Notify using a work email address. Your mailbox should be protected by multi-factor authentication (MFA). When you open emails sent by Notify, you should only do this from a work-managed device.
  3. Take reasonable care to protect your sign-in details. Choose a strong and unique password. Never share your password with anyone, including other members of your team.
  4. Remove team members promptly if they should no longer have access to Notify.

API keys

If you use the Notify API to send messages, you must protect your API keys from unauthorised access or disclosure. This includes encrypting the keys at rest and in transit. You should also rotate your keys:

  • at least once every year
  • when someone with access to a key leaves your team
  • whenever you suspect that a key may have been compromised

Do not hard-code your API keys.

We recommend that you use a cloud service provider’s key management service to keep your API keys secure. For more information, read the NCSC guidance.

What GOV.UK Notify will do

  1. Show our current status and details of any incidents on our status page.
  2. Provide up-to-date performance data.
  3. Keep your data secure.
  4. Give you 30 days notice by email if we change our terms of use or delivery providers.

Leaving Notify

You can contact us at any time to close your account.

Check our privacy notice to find out how long we keep your personal data.