ePayslip portal

Secure storage and access for employee documents, such as payslips, P60s, P45s, P11Ds, employee pension Automatic Enrolment letters, contracts of employment, terms and conditions of employment and employee handbooks.

Secure file transfer and secure file storage and access.

Secure document portals.

Secure email.


  • Secure employee access from any device - 24/7/365 access
  • Multi-factor authentication
  • Enterprise encryption of data in transit and in storage
  • ISO27001 accredited supplier
  • Cyber Essentials accredited supplier
  • Branded document portal web pages and email notifications
  • Each data fields encrypted with unique Data Encryption Keys (DEKs)
  • Each DEK encrypted with its own Master Encryption Key (MEKs)
  • MEKs hosted in separate data centers to hosting of DEKs
  • All access attempts are logged and logs are encrypted


  • Payslips and other employee information available through a secure portal
  • Any document can be stored securely in the portal
  • Any document can be accessed securely via the portal
  • 24/7/365 access to documents stored in the portal
  • Documents can be digitally approved in the portal
  • Portal documents can be downloaded to a local drive
  • Any Internet smart device can enable access to the portal
  • Employees do not have to request copy documents from payroll
  • Employer can send communications to employee via the portal
  • Employer can use Secure File Transfer and Secure Email


£0.60 to £1.20 a user a year

  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

3 0 2 7 0 7 1 3 4 0 7 8 8 1 3


Telephone: 07516500676

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Any payroll software;

Any software that sends batch PDF documents;

Plug-in for MS Outlook and MS Outlook 365 to send secure files.
Cloud deployment model
Private cloud
Service constraints
Any planned maintenance is notified to all clients at least 48 hours before the planned maintenance starts.

Service levels are included as part of our service level agreement
System requirements
  • Sender must use SSLPost's Secure Send file transfer software
  • Sender must open port 443 to send documents over https
  • Sender must support using TLS vs 1.2 or higher
  • Sender must enable any proxy server to reach SSLPost endpoint(s)
  • Documents must always use the same unique reference ID
  • Recipients are indentified by their unique reference ID
  • Unique reference IDs cannot be re-used more than once

User support

Email or online ticketing support
Email or online ticketing
Support response times
Within 24 hours Monday to Friday
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Support levels
We provide a 99.95% service level uptime agreement.

Support queries are answered within 24 hours Monday to Friday or weekends if severe.

Critical support issues are reviewed by an account manager as soon as they are received.

Our service level agreement defines first, second and third level support issues and their resolution timescales
Support available to third parties

Onboarding and offboarding

Getting started
User documentation is provided on our website.

Online training is provided on the day of implementation.
Service documentation
Documentation formats
End-of-contract data extraction
On conclusion or termination of a contract, data extraction is requested in writing by the data controller. Data is transferred to data controller via secure file transfer. Data extractions for data subjects are then performed by the data controller on request from the data subject via written request.

Data would be extracted as a CSV file and sent to the data controller in an encrypted file.
End-of-contract process
When the contract terminates we may be asked to delete the data. This is requested in writing from the data controller. There is no charge for data deletion. Live data is deleted within 5 working days with backups completing their deletion cycle within 90 days from the live deletion.

If data access is required after termination of the contract and deletion is not required then we would agree an access and storage fee with the client.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Compatible operating systems
Designed for use on mobile devices
Differences between the mobile and desktop service
For a recipient of a secure document there is no difference if the recipient is using a mobile or desktop to access and view their documents.

For a sender to send batch documents they must install our Secure File Transfer software on a Windows desktop or Windows network server.

For a sender to send one off documents there is no difference if the recipient is using a mobile or desktop to send encrypted files.
Service interface
Description of service interface
Batch documents must be loaded and sent using our client side Secure Send software (which is a proprietary form sftp software).
Secure Send must be able to open port 443 on the Sender's outbound mail server and allow files to be sent over htpps using TLS version 1.2 or higher.
The Sender's outbound mail server must be able to make a secure connection with SSLPost's server endpoints.

For single documents the Sender can use the web application or a MS Outlook plug-in
Accessibility standards
None or don’t know
Description of accessibility
Service is accessible via an embedded web link in a notification email
Accessibility testing
Customisation available
Description of customisation
Clients can use their own logo and pantone colours on the application's web pages and on email notifications sent to recipients.

The customisation has to be done by SSLPost


Independence of resources
Infinite scaling through Amazon Web Services and Google Cloud


Service usage metrics
Metrics types
Uptime for Service Level Agreements
Reporting types
Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Other
Other data at rest protection approach
Encryption of all digital media
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
For batch files we provide client side software called Secure Send. The client side software can be installed on a Windows desktop, laptop or network server.
The user can drag and drop a batch file into Secure Send, which will split the batch file into individual documents and stream them individually to the SSLPost end point servers securely by opening port 443 on the client's outbound mail server and streaming over https using TLS vs 1.2 or higher.
Data export formats
  • CSV
  • Other
Other data export formats
  • PDF
  • Word
  • Excel
Data import formats
  • CSV
  • Other
Other data import formats
  • PDF
  • Word
  • Excel

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Service Level Agreement - 99.95% uptime

Values of contracts are not material to warrant refunds.
Approach to resilience
Available on request
Outage reporting
Email alerts

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
All administrative access requires authentication and authorisation. Access channels are protected with industry-standard encryption such as RSA, AES and EC. Infrastructure access endpoints use VPN and SSH. Access failures are monitored and proactively blocked. Where possible two-factor authentication is used. All successful and failed access attempts are logged and stored centrally.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
The Certification Group
ISO/IEC 27001 accreditation date
Next due 15/09/2020 last audit 13/09/2019
What the ISO/IEC 27001 doesn’t cover
Credit card payments are excluded from the statement of applicability as we do not handle them.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Cyber Essentials
Information security policies and processes
The business processes are controlled by a full information management security system (ISMS) and PIMS for GDPR and data protection purposes. All policies and processes comply with the statement of applicability (SOA) for ISO27001 and GDPR/DPA data protection and privacy requirements.
These systems require extensive reporting and compliance policies, procedures and processes which are documented within our intranet. All SMT are members of the ISMS team.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Change management follows the Change Management policies, procedures and processes laid down in the ISMS ISO27001 standard. Changes are risk assessed, monitored, managed and authorised through the ticket system according to the policy. All changes applied to infrastructure are managed with either configuration-as-code or infrastructure-as-code tooling. All source code and platform configuration is managed in distributed version control systems.
The production application stack is deployed as immutable, container-based packages.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Infrastructure and web applications undergo industry-standard vulnerability scan every day - discovered vulnerabilities are managed in vulnerability management software. All patches are installed as soon as possible or delayed until low-traffic maintenance window if the patch installation would impact end-user service availability.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
IT infrastructure is monitored both externally and using monitoring agents. Health and performance metrics are collected constantly, stored and available for inspection when. Detected incidents result in automated alerts.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Under ISO27001 a full policy, procedure and process is defined within the ISMS for incident monitoring and management. Staff have access to flowcharts that detail the steps required in the event of an incident being reported internally or externally, broken down by type (breach/external attack/suspected breach/fire/flood/outage etc). The flowcharts can be provided on request.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£0.60 to £1.20 a user a year
Discount for educational organisations
Free trial available
Description of free trial
Single user, non-branded portal for sending and receiving individual files or documents.

Batch file processing is not included.

3 month trial

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.