Today, more than ever, data and systems security matters.

Adequate security of systems and data assets is a fundamental management responsibility.

With some of the world's largest technology companies as PoliteMail customers, our data security is designed to meet their strict standards. With multiple service models available, you are able to achieve the level of security desired for your organization.

How we protect your data.

Security Overview

PoliteMail Software has implemented multiple levels of security to ensure any information and data we collect remains confidential and secured.

The PoliteMail Software handles potentially sensitive internal email communications, but does not store the email message body. The software and systems will contain the name, email address and IP address information of your employees. This is considered personally identifiable information (PII), and is handled appropriately.

If your organization has employees in Europe, PoliteMail maintains a SafeHarbor certification, as well as provides ePrivacy and HIPAA compliant tracking modes, which eliminate the connection of name and email address to interactions and does not store recipient IP address information.

ISO/IEC 27001:2005 standard framework

PoliteMail employs industry standard frameworks for information security policy and controls.

Strong password policy is enforced. Two-factor authentication is required for any systems level access. We have defined incident response, change management and diaster recovery processes.

In addition to policies and controls, PoliteMail carries technology errors & omissions insurance including cyber liability insurance with limits of not less than $2,000,000 per occurrence.

SSAE 16 compliant hosting with SOC reporting available

PoliteMail does not operate its own hosting data centers. PoliteMail partners with Amazon AWS and Microsoft Azure to provide secure, reliable and flexible cloud services infrastructure.

These large-scale data centers provide an enterprise class level of physical and network security, with redundant services to ensure the availability of systems, services and data. Monitoring, logging, antivirus/antimalware and intrustion detection and DDoS protections are provided at the network and virtual machine instance level.

PoliteMail maintains these systems, with systems and database access limited to the assigned Systems Administator for your account. Systems and services access is limited to our server maintenance team. Access to client servers is only accessible through our domain controller via two-factor (hardware) authentication.

SOC reporting is available under NDA.

Data encrypted in transit and at rest

All communication between the PoliteMail client software and server software is SSL/HTTPS encrypted.

All communication between the PoliteMail Server and Exchange is TLS/HTTPS encrypted.

All email recipient requests are SSL/HTTPS to the PoliteMail Server

All passwords and keys stored hashed with SHA256.

For cloud-services configurations, all PoliteMail data storage (SQL, logs, temp files, backup) is BitLocker AES128 encrypted

Message body not stored

Because potentially sensitive information may be provided within an email message, PoliteMail does not store the message body. Any message replication/individualization will occur on the PoliteMail server, and be temporarily stored in an SMTP queue until delivered to Exchange.

No SQL injection possible, stored procedures only.

The PoliteMail Server system is designed to prevent the most common attack methodologies, and will not execute ad-hoc SQL queries. All authorized queries are defined as stored procedures. To further reduce the attack surface, firewall rules may be defined with regular expressions to limit the incoming requests to only approved and properly formatted request structures.

PII (name, email & IP address) and non-PII tracking modes available

PoliteMail provides individual, anonymous and aggregate tracking modes to balance data accuracy and compliance.

Individual tracking gives you the most accurate data, but is also the most privacy invasive, as PoliteMail will store recipient name, email address and any related interaction data (opens click, read-time, etc.) which would include IP address, device and browser information.

Anonymous tracking gives you the same level of data accuracy, but dis-assocaites name and email from the interaction data. To be compatible with the EU ePrivacy directive and HIPAA, PoliteMail does not store IP address in anonymous mode

Aggregate tracking tracks the message by device, instead of by recipient, so the data is not as accurate. Aggregate is a non-PII tracking method, and does not store IP address information.

PoliteMail also stores the names and email addresses of the users/senders (communications team members using the PoliteMail for Outlook application), and for any tracked send, will store the from address, date/time sent, as well as the subject line. If you are running the on-premise PoliteMail Server software, none of this data will be stored or any PoliteMail operated systems. For PoliteMail Server software provided as a dedicated cloud services account, this data will be stored on the servers dedicated to service your users.

Third party penetration testing

The PoliteMail client/server software, and standard cloud service image, is penetration tested at least once per year, and upon any major upgrade.

Pen test results and any remediation process documentation is available under NDA.

Safe Harbor, EU ePrivacy and HIPAA compliance controls in place

For customers with global employees and for customers headquartered in the EU, PoliteMail maintains both EU and Swiss Safe Harbor certifications.

PoliteMail software provides tracking and measurement technology which is compliant with both the EU ePrivacy directive as well as the U.S. HIPAA regulations.

PCI compliant credit card processing

PoliteMail does not require credit cards for purchase. However, if a credit card is used, PoliteMail does not store your credit card information.

All credit card processing is performed throught our partner,, utilizing their secure billing and recurring billing infrastructure.

Credit card processing is performed in compliance with the Payment Card Industry Data Security Standard (PCI DSS)

PoliteMail is a N-tier, Microsoft Standard Architecture

PoliteMail is a .Net client/server application which runs on virtual (VM) or dedicated environments. The PoliteMail Server software installs on Windows IIS Server and may be attached to an existing SQL Server or Cluster.

System Requirements

On the client, end-user Outlook machine, PoliteMail for Outlook supports Windows Office Outlook, 2013, 2010 or 2007. PoliteMail requires the .Net 4+ components be installed on the desktop. IE10+ recommended.

On the server, PoliteMail Server software runs on Windows IIS Server. Minimum requirement is Windows Server 2008 R2. Windows Server 2012 is our standard cloud services platform. PoliteMail Server requires .Nets 4.5+ components, and requires a connection so a Microsoft SQL Server database or cluster. SQL Server 2008 R2 through 2014 is supported.

PoliteMail provides flexibile configurations to meet your specific network and organizational requirements, and the essential elements are:

  • SSL Port 443 traffic to PoliteMail Server software running on IIS Server
  • PoliteMail will write data on port 1433 (or any specificied port) to SQL Server
  • PoliteMail transfers SMTP messages via TLS port 25 to Exchange (or SMTP gateway)

System Architecture

PoliteMail provides several configuration options designed to reduce the attack surface and limit traffic to acceptable patterns.

PoliteMail's standard on-premise, dedicated cloud service, and Office 365 architecture diagrams are included below.

Documentation for other options, including DMZ reverse-proxy implementations and high-availability architectures are available under NDA, along with complete technical configuration and implementation guides.

PoliteMail on premise system architecture

PoliteMail dedicated cloud service architecture

PoliteMail dedicated cloud service with Office 365 architecture

Frequent questions and answers regarding PoliteMail

Do I have to install an Outlook add-in for all mailboxes in order to measure Outlook email?

No. Only the sender/communication team member who wants to send and measure the Outlook email will need the PoliteMal for Outlook add-in.

Are messages sent from our domain, or is PoliteMail "spoofing" our From addess?

Because the user is sending from Outlook, they can only send from authentic Outlook addresses which they have permissions to send from.

PoliteMail does not support "spoofing" of From addresses, so no one is going to send send from your CEO, unless the CEO is actually sending the email.

Do you support hybrid Exchange /O365 environments?

Yes. Many clients are in the process of migrating from on-premise Exchange to Office 365, and have hybrid or multi-forest Exchange implementations in the meantime. The key is simply knowing which Exchange server is the primary, as that is the one the PoliteMail Server will talk to. Typically that is the on-premise Exchange until the migration is complete. In which case, those setting just need be relicated on the Office 365 environment.

How does your product deal with the O365 500 recipients per day / 10,000 per day recipient limits?
With Office 365 accounts, Exchange online has volume limitations based on account type. PoliteMail users typicaly do not run into this limitations. When sending PoliteMail using individual or anonymous tracking modes, even when the user puts > 500 recipients in the To: or Bcc: fields, PoliteMail will send messages addressed to one recipient, avoiding the 500 recipients limit. When sending in volume, the PoliteMail configuration will typically route that send through the PoliteMail Server directly to Exchange, which does not impose the same 10,000 recipients per day limitation.
Does PoliteMail support sending to external recipients?
Yes. PoliteMail can be configured to support both internal and external recipient addresses. For retail and manufacturing cusotmers with a significant number of employees who recieve company email on their personal accounts, including gmail, hotmail, yahoo or other freemail addresses, PoliteMail can deploy a high-volume, whitelisted mail server dedicated for external delivery. This internal + external configuration is also useful for measuring partner, supplier or customer email. External sending requires compliance with our no-spam policy, see Terms of Service.
What resources have to be provided by our company IT/IS team?

For a corporate cloud service account, PoliteMail just needs 2-4 hours of Exchange Admin time to configure the service. No servers, systems or on-going maintenace is required from your IT team.

For on-premise installations, your IT/IS team will be responsible for the Windows Servers PoliteMail runs on, as well as the SQL Server backend and Exchange configuration. The resources required typically involves several hours each from members of network team (firewall rules/ports), the systems/servers team (Windows IIS Server VMs and installation of PoliteMail Server software), a SQL admin (creation of databases and connection) and an Exchange admin (Exchange Service account and settings).

How long does it take to implement?

PoliteMail will typically spin up a dedicated cloud service for your account within a week to 10 days.

Configuration with your Exchange Admin takes about 2-4 hours, depending upon the nature of your distribution lists and messaging environment.

On-premise installations typically take about a month to get up and running, primarily due to the availablity of the various in-house technical resources required. To set-up and install the server software typically involves someone from the systems and network side, a SQL Admin, and an Exchange Admin.

What assistance do you provide during implementation?

PoliteMail will assign a technical admin from our team to work with your IT team during the implmentation, via email, screen share and phone, to ensure the system is properly configured and fully functional

Once the system is ready, PoliteMail will provide user admin training to help the primary user get the account set-up, including users, groups and preferences. In addition, we will provide an end-user group training session to show your team to use utilize the product. Recordings will be provided.

What systems maintainence is required?

With our corporate cloud service account, PoliteMail will provide all the systems maintenance processes, so beyond initial configuration, no IT resources are required from your side. We budget on 2-4 hours of maintenance per server per month.

For on-premise installations, the application should be monitored and maintained like any application. IIS and Windows Services should be monitored. The SQL databases should be included in your backup and recovery systems, and indexes should maintained and rebuilt on a recurring basis. Windows Server and any security software should be updated according to your company policies.

List permissions and the Exchange Service account should also be actively managed, in the event of changes which would impact use of the system.

If a user leaves the company, will they still have access to the application?

No. There is no web interface, so the only access to the system is through their Outlook account. When they no longer have access to Outlook, they do not have access to PoliteMail.

Does PoliteMail work with a proxy?

Yes. Depending upon your proxy environment, sometimes the PoliteMail Server will need to be added to the allowed sites within your proxy controls.

Does PoliteMail work with Windows 10?

Yes, PoliteMail is currently running on Windows 10 preview machines and we expect full compatibility with the latest Windows and IE offerings.

Does PoliteMail work with Office 2016?

Office 2016 is currently available in preview, and although PoliteMail runs in 2016, we will not perform any formal testing until 2016 reaches pre-release beta.

Do you support Outlook for Mac?

Microsoft currently does not provide add-in support for Office for Mac.

For the sender, the communications person who wants to measure the email, this requires they run the Microsoft Outlook for Windows software.

From a measurement perspective, it doesn't matter what email program the recipients are using.

Mac users can run the Windows version of Outlook via a virtual machine, like Parallels or VMFusion, or use Bootcamp to start-up in WIndows. , or via a Citrix remote desktop.

Can we segregate users into groups or by region, and see view reports at the corporate level?

Yes. PoliteMail user groups may be organized by business unit (say, department or brand) and/or by region.

Manage level users will be able to view reports for all users within their group, and Admin level users will be able to see across all groups.

Can templates be enforced, meaning we require their use, and limit what can be changed?

The PoliteMail template builder and content library tools enable the creation, standardization and sharing of responsive HTML pages in Outlook.

As this are just templates, like any Outlook OFT file, once the user loads them into Outlook, they will be able to edit them as they see fit. There is no enforce or controls over use or editing.

In practice, while PoliteMail doesn't help you to "lock-down" a page, we have found people will use what is given to them. If they recognize the page was well designed within brand guidelines, they will run with those elements and simply add in their specific content, which is the intent of the template(s).

What happens when a tracked email is forwarded outside of our company?

PoliteMail will track that email, as-if it were sent to the original recipient. In most cases, and depending upon tracking mode utilized, this will track as another device access the email intended for that recipient (e.g. will count as a multiple open).

For Technical Inquiries, Engage a PoliteMail Sales Engineer

For additional information, documents and documentation requests or specific implementation questions, please talk to a PoliteMail Sales Engineer.

Technical Inquiry Form
Microsoft Partner Logos

©2006-2015 PoliteMail Software. All Rights Reserved.
PoliteMail is a registered trademark of Bootstrap Software Partners, LLC. Microsoft, Windows, Office, Office365, Exchange, SQL Server and Azure are registered trademarks of Microsoft Corporation. Amazon, Amazon Web Services (AWS) and EC2 are trademarks of Inc.