StayPrivate Secure Email and File Sharing

StayPrivate ensures safe and secure 2-way communication between businesses and external contacts, enabling companies of any size to send and receive personal data in a convenient, secure and GDPR-compliant manner.
Our plug-and-play solution is compatible with all email accounts, making it incredibly easy to encrypt emails and share files securely.


  • Data encrypted in transit using TLS/SSL with forward secrecy
  • Data encrypted at rest using multi-layer AES 256
  • Individually distinct, dynamically generated key for each file
  • Servers housed in EU secure Tier3+ data centres protected 24/7
  • Servers actively monitored 24/7, enterprise grade firewalls and anti-virus
  • On-premise solution for organisations with 1000+ users
  • Compatible with any corporate and accessible via any email account
  • Professional, white-labelled user interface via web browser or native app
  • iOS and Android mobile apps
  • Full audit history ensures governance and control of all information


  • Secure email and file sharing outside the corporate network
  • Ensures that emails and documents remain safe at all times
  • Works automatically with any existing email account
  • Convenient and easy-to-use for you AND your clients
  • Add-ins enable company users to work directly from email client
  • Send large files and e-sign documents
  • Makes your external emails GDPR-compliant
  • Company retains complete control and exclusive ownership of all information
  • Free, easy-to-use and uniquely scalable for external company users
  • Works out-of-the-box with existing systems and processes


£4 to £10 per licence per month

Service documents

G-Cloud 10



StayPrivate Sales

+44(0)20 7101 5000

Service scope

Software add-on or extension: Yes, but can also be used as a standalone service
What software services is the service an extension to: Add-in for Microsoft Outlook, Office 365 and Gmail for business. Plus support for all web-based email clients.
Cloud deployment model: Private cloud
Service constraints: N/A
System requirements: An existing email account

User support

Email or online ticketing support: Email or online ticketing
Support response times: This is dependent on the SLAs agreed with the customer. When an incident is logged it is prioritised accordingly, which is based on resolution, not response time.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: None or don’t know
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: Yes, at extra cost
Support levels:
- Full Support (online and telephone between 08:00-18:00 weekdays)
- 24x7 Support for emergency issues

Support includes a StayPrivate dedicated account and technical services account manager, and is included in the service subscription and not charged as a separate item.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: StayPrivate is designed to work with your corporate email and is very quick and easy to deploy. We offer:
- a dedicated technical account manager to configure the add-in to best fit your current email set-up;
- support to assist through the pre and post deployment phases;
- tailored technical documentation and user guides;
- communications to enable user on-boarding.
Service documentation: Yes
Documentation formats:
  • HTML
  • PDF
End-of-contract data extraction: Data can be extracted into an appropriate format (CSV, ZIP, PST) as required, either on an ongoing basis or at the end of the contract.
End-of-contract process: At the end of the contract the system will become read only. No further creation of new encrypted content will be permitted. StayPrivate will work with the company to deliver their data in a usable format prior to the infrastructure being securely decommissioned.

Using the service

Web browser interface: Yes
Supported browsers:
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: Our service is accessible via an app (iOS and Android) or direct through the browser on mobile devices. All web interfaces are fully responsive for all device types and screen resolutions.
Accessibility standards: None or don’t know
Description of accessibility: Accessible via any email client or web browser and compatible with assistive features.
Accessibility testing: There has been ad hoc testing, but nothing formalised.
What users can and can't do using the API: Users can use the API to programmatically send emails, to access communication histories, and to add/edit user details (admin users only).

We also provide an email-based interface which enables users to send secure emails directly from another application, making use of SPF authentication and TLS connections to ensure authenticity.
API documentation: Yes
API documentation formats: PDF
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation:
- Branding (colour and logos), company-specific URL.
- Notifications settings, at a company, user type and user level, for when users receive certain notifications.
- Primary channel configuration options, to enable companies to make the system more secure/less flexible than normal email, as required.
- Deletion options, to enable auto-deletion of communications.


Independence of resources: Service performance is guaranteed due to the unique tenancy configuration for each customer.


Service usage metrics: Yes
Metrics types: A wide range of customisable reports on usage for organisation-, group- and user-based transactions
Reporting types:
  • API access
  • Real-time dashboards
  • Reports on request


Supplier type: Not a reseller

Staff security

Staff security clearance: Conforms to BS7858:2012
Government security clearance: Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations: Yes
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: In-house
Protecting data at rest: Encryption of all physical media
Data sanitisation process: Yes
Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: Either using the API, or via bulk back-up over a secure, encrypted connection.
Data export formats: CSV
Data import formats: CSV

Data-in-transit protection

Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network: All data travels over a dedicated physical link.

Availability and resilience

Guaranteed availability: StayPrivate Services is provided "as is".
Approach to resilience: Available on request
Outage reporting: A public dashboard and email alerts are available

Identity and authentication

User authentication needed: Yes
User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels: Access to management interfaces and support channels is restricted by both procedurally and technically enforced security, including infrastructure restrictions and privileged access management software.
Access restriction testing frequency: At least once a year
Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
  • Other

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: Certified International Systems Limited
ISO/IEC 27001 accreditation date: 06/03/2015
What the ISO/IEC 27001 doesn’t cover: The entire business is certified
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: StayPrivate are ISO27001 certified, and apply a financial services compliance and governance framework across the business. The Senior Management Team (including a designated compliance office) meet regularly to ensure all policies and procedures are undertaken and reviewed. In addition, a compliance and transparency report is undertaken every 6 months.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: StayPrivate develops software following the Agile Framework methodology. All requests are added and prioritised by the Product Owner. The client service and development teams discuss each item on the backlog, covering the requirements, acceptance criteria, security testing requirements and any potential security considerations. All commits to the source code repository are accompanied by a ticket which can then be tracked from inception through to completion. During the release phase regression testing takes place to ensure configuration or code changes do not adversely affect the production system.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: We conduct regular penetration tests, and additionally whenever there is a major change to the network or if there were to be a significant information security incident. Security threats are assessed via alerts from security bulletins from a wide range of vendors as well as independent information security providers. System and software patches are applied within two days of being available. Depending on the severity, patches may be applied more quickly. The StayPrivate Change Control Process ensures that the security impact of changes is considered. Roll-back procedures ensure that the service is not adversely impacted by a change.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: Threats are assessed by monitoring system logs and server usage patterns for suspicious behaviour, as well as media & security-related online publications. Regular software and OS patches are installed if available. Critical security patches are installed at the earliest opportunity, typically within 24 hours. Incident response is immediate.
Incident management type: Supplier-defined controls
Incident management approach: StayPrivate customers report incidents via email or telephone. An engineer will immediately grade the issue and report an incident. Incident reports will be issued to those reporting or affected by the incident.

Secure development

Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks: No


Price: £4 to £10 per licence per month
Discount for educational organisations: Yes
Free trial available: Yes
Description of free trial: StayPrivate offers a free forever, single user unbranded environment with 1GB storage. This can be used for unlimited external contacts. In addition, we offer a 14-day supported trial with full functionality.