Citipost Mail Limited


Cloud based Hybrid Mail services
Online drag and drop solution plus SFTP, API integration options


  • Desktop 'drag and drop' hybrid mail
  • Hybrid mail API, SFTP integration options
  • 1st Class, 2nd Class and International delivery
  • Letters, large letters and postcards
  • Online document archive, print and download features
  • High quality 100gsm paper for letters 350gsm for postcards
  • Optional leaflet and brochure inserts
  • Braille print is available
  • Unlimited user accounts
  • Documents can be 'held' for approval or removed


  • Very easy desktop access - cloud-based
  • No setup, license or maintenance fees
  • Easily integrated with existing systems
  • Saves up to 50% on the cost of mailing letters
  • Reduces labour time and costs due to simple upload
  • No need for franking machines - reduces cost
  • No training necessary - very intuitive thus high adoption rates
  • Access to postal discounts to reduce costs
  • No minimum volume requirement - simply pay for items posted
  • Range of billing options to enable easy reconciliation


£0.43 per unit

  • Free trial available

Service documents


G-Cloud 11

Service ID

4 0 7 0 5 5 6 5 7 6 3 8 6 2 9


Citipost Mail Limited

Tanith Samuels


Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Our service can be linked to any number of legacy systems including (but not limited to) billing, CRM, marketing, revs and bens applications. Connection can be via API or SFTP to fully automate the creation of letters for mailing.
Cloud deployment model Private cloud
Service constraints No constraints. Easy access via Desktop or integration.
System requirements No licenses or special systems requirements

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Typical turnaround time is within 24 hours Monday to Friday.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Onsite support
Support levels We are very happy to provide on-site support for user implementations and training if required.
We also provide on-site project management when APi and SFTP integrations are required.
We provide on-site technical support if required.
All support and assistance is provided at no extra cost.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started A full client analysis and information share needs to be undertaken, so that a full understanding of the clients business needs are gained and we can determine how we can best implement this service into your business. As part of the onboarding process for a bespoke solution, our chosen software partner SDL will work closely with both Digi-Mail and the client to understand the full requirements of the services required and how they can be integrated with the Digi-Mail platform.

Once the client analysis has been undertaken and the complexity of the requirements are understood, a draft proposal will be provided to the client for approval and once agreed, a schedule of work and an implementation timeline will be provided. Full training will be provided to users to ensure that a full understanding of the capabilities are gained.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction We will agree the data extraction process on a case by case basis, and in compliance with GDP regulations.
End-of-contract process The price of the service is fully inclusive. Being a portal based service means no had or software installations at the client end and therefore no decommissioning costs.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices No
Service interface Yes
Description of service interface Each user is provided with unique log in details to our cloud based user interface. Users simply drag and drop document files on to the portal for print production and mailing.
Accessibility standards None or don’t know
Description of accessibility The service is accessible via a web portal at the following address
Each user can access services according to their permissions which are set upon implementation and can also be updated at any time.

Users can upload documents for submission, they can also access a full archive of their documents sent within the last 90 days. All documents are deleted from the archive after 90 days in order to comply with GDPR.
Accessibility testing None
What users can and can't do using the API We will work with users to set up our services via API. Users can make change requests and there are no limitations to APi implementations. APi implementations are provided at no extra cost to the user.
API documentation Yes
API documentation formats PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Inserts can be customised. Template designs are all held in the user's own domain so there is freedom to make unlimited changes to templates without charge.


Independence of resources We currently have a small team on our Digi-Mail but as the product grows or our clients’ requirement peak for various times of the year we have a Client Services team of over 15 staff covering all our clients and these have all received training in respect of Digi-Mail therefore the skill set is transferable.

Capacity of our sorting machines is 192,000 items per 8 hour shift, on average we currently receive 100,000 items per day for sorting on the machines. We can staff from other areas of our South Normanton processing centre and have local contracts with staffing agencies.


Service usage metrics Yes
Metrics types We can provide service usage statistics at user level; department level and organisation level.
we can provide information on quantities, formats and costs mailed under each account.
Reporting types
  • Real-time dashboards
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations European Economic Area (EEA)
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach Users can download their data at an individual user level.

API exports can be set up to transfer organisation level data transfers into a document management system
We will work with users to set up our services via API. Users can make change requests and there are no limitations to APi implementations.
APi implementations are provided at no extra cost to the user.
API documentation is available for data exports
Data export formats Other
Other data export formats PDF
Data import formats Other
Other data import formats
  • PDF
  • Word

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability The two hosting environments we use are each available with a Monthly Uptime Percentage of at least 99.95%. We do not make a charge for access to the portal, and therefore do not offer a refund policy. Users only pay for what is physically mailed.

Elastic Load Balancing automatically distributes incoming application traffic across multiple instances to enable higher levels of availability and performance

Volume data is replicated across multiple servers in an Availability Zone to prevent the loss of data from the failure of any single component. 

Volumes are designed for an annual failure rate (AFR) of between 0.1% - 0.2%, where failure refers to a complete or partial loss of the volume, depending on the size and performance of the volume. This makes our hosting environment volumes 20 times more reliable than typical commodity disk drives, which fail with an AFR of around 4%.

The hosting environment is designed to provide 99.999999999% durability of objects over a given year.
Approach to resilience Citipost have a comprehensive IT Disaster recovery planning is a subset of the larger Business Continuity Process and includes planning for resumption of computer Applications, Company Data, Server Hardware, Communications & Telephony services and other IT infrastructure.
Our IT disaster recovery planning covers the protection of all data saved on company network, infrastructure and network services.
The following areas have been considered:
• Single disk failures
• Multiple disk failure
• Unauthorised modification of content
• Data loss
• Software failure for each key piece of software used
• Machine failure for each key piece of equipment on network or used to generate content;
• Multiple machine failure;
• Machine theft for each piece of equipment on network or used to generate content;
• Network security breaches for each device on the delivery network;
• Capacity overload;
• Loss of building through fire, flood etc.
• Local network failure;
• Power failure;
• Loss of internet connection;
• Denial of service attack (when deliberate - or occasionally accidental - action by a third party brings down part or all of our network services).
Outage reporting There is a public dashboard which each user has access to, any outage notifications are displayed on here. We would also provide email alerts in the event of any serious outages.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels User access is defined at the point of account creation, the level of visibility for individual users can be defined and agreed with the senior management team.
Access restriction testing frequency At least every 6 months
Management access authentication Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Alcumus ISOQAR
ISO/IEC 27001 accreditation date 04.07.2017
What the ISO/IEC 27001 doesn’t cover NA
ISO 28000:2007 certification No
CSA STAR certification Yes
CSA STAR accreditation date 20/07/2012
CSA STAR certification level Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover N/A
PCI certification Yes
Who accredited the PCI DSS certification Worldpay
PCI DSS accreditation date 27/04/2018
What the PCI DSS doesn’t cover N/A - PCI compliance is hosted by Worldpay
Other security certifications Yes
Any other security certifications Cyber Essentials

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes The environment we use has the following assurance and compliance programs.

o PCI DSS Level 1 Service Provider
o AICPA SOC 1 audits
o AICPA SOC 2 audits
o AICPA SOC 3 audits
o CSA STAR Registrant
o ISO 27001 certified
o ISO 9001 certified

The cloud platform provides several important benefits to UK organisations and enables you to meet the objectives of the Communications Electronics Security Group’s fourteen Cloud Security Principles for United Kingdom (UK) OFFICIAL classified workloads (whitepaper).

Citipost Mail operate a top down approach to all employees and cascade vital information on security policies to all staff in order to ensure compliance with our ISO27001 accreditation. The Head of Support Services for Citipost Mail is Chris Jones.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach All changes are tested in a secure test environment. We communicate changes to customers and then publish changes.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Threats are all identified via our penetration testing. System is also fully secure, any failed login attempts will block the user and send a notification to our admin team. On receipt of the information we assess the risk.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Penetration testing and management processes are managed by our 3rd party supplier. Incidents are responded to within 24 hours.
Incident management type Supplier-defined controls
Incident management approach Email or online ticketing support
Support response times
We provide email support. We aim to provide an initial response within 1hr during working hours Our aim is to fully resolve customer issues within 24hrs
User can report and manage status and priority of support tickets online

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £0.43 per unit
Discount for educational organisations No
Free trial available Yes
Description of free trial We can provide limited access to trial the service. Any trial would be agreed on a case-by-case basis. there is no 'free access' version of the solution so we would agree terms for a test environment with the user.

Service documents

Return to top ↑