Skip to main content

Security features

GOV.UK Notify is built for the security needs of government services.

This page describes our approach to:

Running a secure service

GOV.UK Notify:

We regularly assess and review our security in line with:

We monitor the threat landscape and conduct regular CHECK penetration testing so we can:

  • continue to improve our security
  • deal with common threats like Distributed Denial of Service (DDoS) attacks

Storing and processing your data

GOV.UK Notify uses Amazon Web Services (AWS) as our cloud service provider.

Data on Notify is stored and processed in:

  • AWS data centres in the UK and Ireland
  • locations where our sub-processors store and process data (UK and EEA)

How long we keep your data

GOV.UK Notify keeps a temporary record of:

  • the content of the emails, text messages and letters you send
  • recipient email addresses, mobile numbers and addresses

By default, we keep this data for 7 days.

Once your service is live, you can choose the number of days you want Notify to keep details of the messages you send.

For more information, see data retention period.

Who can access your data

Your data could be accessed by:

  • the Notify team
  • our sub-processors
  • law enforcement agencies (where legally required)

Teams using GOV.UK Notify can only access their own data.

You can set different permissions for each member of your team.

AWS provides logical separation between different AWS customers.

Data centre security

AWS provides a description of their:

How text messages are stored and processed

Text messages are stored and processed in:

  • the UK and Ireland
  • the country where the recipient’s phone is
  • the phone’s country of origin (for international numbers)

Protecting data in transit

GOV.UK Notify uses Transport Layer Security (TLS) version 1.2 to encrypt data when:

  • users access the Notify website or API
  • data passes through Notify
  • we exchange data with our sub-processors

Emails

We always try to encrypt emails using TLS 1.2, 1.1 or 1.0. If the recipient’s mail server does not support TLS, we will send the email without protection.

Email cannot provide end-to-end encryption.

Text messages

Text messages cannot provide end-to-end encryption.

Protecting data at rest

GOV.UK Notify encrypts the data stored in our databases and backups using AES-256 encryption.

This includes any files that you upload to Notify when you:

Sending files by email

When you upload a file we encrypt it with AWS SSE-C, which uses AES-256 encryption.

We will only share the unique link with the intended recipient. We cannot access or decrypt your file.

For more information about this feature, see send files by email.

Building and managing GOV.UK Notify

We follow an Agile software development lifecycle.

To protect our code, we:

  • run separate development, testing and production environments
  • deploy code through a continuous integration/continuous delivery (CI/CD) pipeline
  • track vulnerabilities for any third-party libraries we use
  • store production secrets in a secure environment with audited access

How we manage code changes

To manage GOV.UK Notify, we use:

  • GDS-managed devices
  • multi-factor authentication (MFA)

We manage Notify through the www.notifications.service.gov.uk website.

AWS manages the hardware we use.

We use infrastructure as code (IaC) to manage the systems and services that host Notify.

All code changes must be reviewed by the team before we can deploy them.

We monitor our production environment for unauthorised changes.

We give our users appropriate notice before:

  • any planned outages or downtime
  • making significant functional changes

We announce planned downtime on the Notify status page.

Finding and fixing security issues

GOV.UK Notify:

We use Web Check and other services to:

  • scan for vulnerabilities
  • prioritise which software patches to test and deploy first

AWS is responsible for patching our infrastructure:

  • firmware
  • hardware
  • operating system (OS) kernel

Security incidents

We provide a 24-hour response in case of an incident.

If there is a data loss event, we will contact you directly.

If there is another type of incident, we’ll publish details and updates on the Notify status page.

Sign in and API access

Signing in to Notify

GOV.UK Notify uses two-factor authentication for sign-in.

Team members can sign in with a text message code or a link that’s sent in an email.

For security, you’ll need to confirm that you still have access to your email address every 3 months.

Find out more about our sign-in methods.

You must keep to our terms of use for signing in to Notify.

Accessing the GOV.UK Notify API

Services access the GOV.UK Notify API with an API key, encoded using JSON Web Tokens.

For more information, see our API documentation.

Protecting our website and API

The GOV.UK Notify website, API and any files sent by email are protected by:

We use publicly-verifiable digital certificates, so you’ll always know you’ve connected to the real GOV.UK Notify.

Email security

To help recipient’s email services tell the difference between our emails and spam, we use:

Security classifications

We have designed GOV.UK Notify for sending messages classified as ‘OFFICIAL’, including ‘OFFICIAL-SENSITIVE’, under the Government Security Classifications policy.

Before you send any messages classified as ‘OFFICIAL’, you must make sure that GOV.UK Notify meets your organisation’s standards for:

  • using, processing, storing and sending information
  • cyber security
  • data protection

Notify must not be used to process data classified as ‘SECRET’ or ‘TOP SECRET’.

GOV.UK Notify staff

We restrict the number of people that can access your data on GOV.UK Notify.

We follow the principle of least privilege. This means we give our team members the lowest level of permissions needed to do their job.

All our staff:

Team members who need greater access to the data stored on Notify must complete National Security Vetting to Security Check (SC) level.

We only give additional access to GOV.UK Notify’s production environment to privileged users:

  • by exception
  • on a temporary basis
  • in relation to a specific change request or support ticket

The GDS security operations team logs and tracks privileged users’ access to our production environment.

Suppliers

GOV.UK Notify uses third-party providers to send emails, text messages and letters.

Suppliers sign a contract or memorandum of understanding that includes our security requirements.

All our suppliers:

GDS assesses suppliers:

  • before we decide whether to use them
  • at regular intervals to make sure they still meet our requirements