Security Overview
Document version 1.3 · Last updated: 30th April 2026
This document is provided to support customer vendor due diligence, including SOC 2, ISO 27001, and GDPR-related risk assessments. It summarises Jelly’s security posture, the controls Lazyatom Limited operates as the data processor, and the sub-processors used to deliver the service. It is not itself a SOC 2 report, and is offered alongside our published Privacy Policy, DPA, and sub-processor list.
For any questions, or to request a signed DPA or completed security questionnaire, contact security@letsjelly.com.
This overview is split into sections. For your convenience, links to each of those sections are as follows:
- About Jelly and the Provider
- Hosting and Infrastructure
- Data Protection
- Access Controls
- Sub-processors
- Data Retention and Deletion
- Reliability and Business Continuity
- Incident Response and Breach Notification
- Legal and Privacy Posture
- Compliance Posture and Known Gaps
- Customer Responsibilities
- Contact and Document Requests
About Jelly and the Provider
Jelly is a shared inbox application that allows small teams to collaboratively triage, assign, and reply to email. It is provided by Lazyatom Limited, a private company registered in England and Wales. In the relationship with customers, Lazyatom Limited acts as a data processor; the customer is the data controller for end-user content (incoming and outgoing email, contact data, attachments) processed through Jelly.
At a glance
- Provider: Lazyatom Limited (UK), trading as Jelly
- Service: Jelly — shared inbox SaaS for small teams
- Primary data location: European Union
- Data in transit: TLS (HTTPS) for all access
- Data at rest: Encrypted; sensitive customer data additionally encrypted at the application layer using AES-256-GCM
- Backups: Encrypted
- Authentication: Password (one-way hashed); 2FA available on all plans
- Internal access controls: 2FA enforced on internal tooling; access logged before decryption
- DPA available: Published at letsjelly.com/policies/dpa; binding on use of the Service
- Sub-processor list: Published; updates available on request
- SOC 2 / ISO 27001 report (Jelly): Not currently held
- Customer data retention: Account content removed within 60 days of cancellation
- Deleted item retention: Up to 45 days on active systems; up to 70 additional days in backups
- Security contact: security@letsjelly.com
Hosting and Infrastructure
Jelly’s primary application infrastructure runs on Render, with cloud storage and supporting services on Amazon Web Services (AWS). Both providers hold SOC 2 Type II accreditation and ISO 27001 certification. Customer data is primarily stored in the European Union.
- Application compute and deployment: Render
- Object storage and supporting cloud services: AWS
- Email transport (inbound and outbound): Postmark, with TLS supported on all inbound and outbound mail
- Payment processing: Stripe (Lazyatom Limited does not store full card details at any point)
Data Protection
In transit
All access to Jelly — both browser/web app and email transport between Jelly and Postmark — is secured using TLS. Customer-facing access is HTTPS only.
At rest
Customer data is encrypted at rest, and backups are encrypted. Encryption is implemented at two layers:
- Infrastructure layer. Database and object storage volumes are encrypted at rest via the managed encryption capabilities of our underlying providers (Render and AWS), using industry-standard AES-256.
- Application layer. Sensitive customer data is additionally encrypted by the Jelly application itself before it is written to the database, using Rails 8.1’s Active Record Encryption. This uses AES-256-GCM, with encryption keys held in application credentials separately from the database, so the encrypted ciphertext stored in the database is not readable using only database access. Encrypted attributes are also automatically filtered from application logs, and the scheme supports key rotation.
Most encrypted attributes use non-deterministic mode (a random initialization vector per record). For a small number of fields where the application is required to look up existing records by exact value — specifically email addresses and email subjects — deterministic encryption is used so that equality lookups remain possible. Deterministic encryption is a documented trade-off in Active Record Encryption: it preserves the same ciphertext for the same plaintext under the same key, which makes equality matching work but does reduce resistance to certain forms of cryptanalysis relative to non-deterministic mode. The keys for deterministic and non-deterministic encryption are distinct.
This two-layer approach means that even in the event of compromise of an underlying storage volume or backup, sensitive customer fields remain protected by an independent application-managed encryption key.
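The trade-off between the two modes, shown as an added illustration using plain OpenSSL; this is not Jelly's code or Rails' own implementation. The keys, helper names and sample addresses are constructed assumptions, and in a Rails model the mode is chosen per attribute, for example `encrypts :email, deterministic: true`.

```ruby
require "openssl"

# Constructed demo keys (assumption). The overview states that the two modes
# use distinct keys, held outside the database.
RANDOM_KEY        = OpenSSL::Digest::SHA256.digest("demo non-deterministic key")
DETERMINISTIC_KEY = OpenSSL::Digest::SHA256.digest("demo deterministic key")

# AES-256-GCM encrypt; returns hex of iv (12 bytes) + tag (16 bytes) + ciphertext.
def seal(key, iv, plaintext)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_data = ""
  ciphertext = cipher.update(plaintext) + cipher.final
  (iv + cipher.auth_tag + ciphertext).unpack1("H*")
end

# Reverses seal; raises OpenSSL::Cipher::CipherError if key or data is wrong.
def unseal(key, hex)
  raw = [hex].pack("H*")
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = raw[0, 12]
  cipher.auth_tag = raw[12, 16]
  cipher.auth_data = ""
  (cipher.update(raw[28..]) + cipher.final).force_encoding("UTF-8")
end

# Non-deterministic mode: a fresh random IV for every record.
def encrypt_random(plaintext)
  seal(RANDOM_KEY, OpenSSL::Random.random_bytes(12), plaintext)
end

# Deterministic mode: IV derived from the plaintext with a keyed HMAC, so the
# same plaintext under the same key always yields the same ciphertext.
def encrypt_deterministic(plaintext)
  iv = OpenSSL::HMAC.digest("SHA256", DETERMINISTIC_KEY, plaintext)[0, 12]
  seal(DETERMINISTIC_KEY, iv, plaintext)
end

# Constructed rows: what the database stores for three contacts.
ROWS = %w[alice@example.test bob@example.test alice@example.test].map do |email|
  { det: encrypt_deterministic(email), rnd: encrypt_random(email) }
end

# Equality lookup without decrypting: encrypt the search term, compare ciphertexts.
def matching_rows(column, token)
  ROWS.each_index.select { |i| ROWS[i][column] == token }
end
```

Searching the deterministic column for an address finds both rows that hold it, which also means anyone with database-only access can tell those rows share a value; the random-IV column reveals no such link and cannot be searched by value.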
Credentials
- Customer passwords are stored using one-way cryptographic hashing.
- Two-factor authentication is available to all customers on all plans, and is recommended.
- Two-factor authentication is enforced on the internal tooling used by Lazyatom Limited staff.
Access Controls
Lazyatom Limited operates a small engineering team. Internal access to customer data is limited to support and operational tasks, and is governed by the following controls:
- Staff can only access an individual account’s data with explicit permission from an account owner, or where the account is under review for compliance with the Jelly Terms of Use.
- All such access is logged before any data can be decrypted for support purposes.
- Two-factor authentication is required on all internal tools used to operate the service.
- Production credentials and access tokens are rotated when staff change role or leave.
Sub-processors
The following sub-processors are used to deliver the Jelly service. We perform due diligence on each sub-processor and limit the type and quantity of information shared with them where possible. The current list is also published at letsjelly.com/policies/subprocessors and material changes are notified per the DPA.
- Amazon Web Services (AWS) — Cloud storage and infrastructure. SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, PCI DSS.
- Render — Application hosting and compute. SOC 2 Type II, ISO 27001.
- Postmark — Inbound and outbound email delivery (TLS in transit). SOC 2 Type II, GDPR; EU region available.
- Stripe — Payment processing (card data never touches Jelly). PCI DSS Level 1, SOC 1 & SOC 2.
- Sentry — Application error reporting. SOC 2 Type II, ISO 27001.
- PostHog — Product analytics and error tracking. SOC 2 Type II, GDPR.
- Papertrail (SolarWinds) — Application log aggregation. SOC 2 Type II.
Additional services (Basecamp, GitHub, Google Workspace, Slack) are used internally by Lazyatom Limited and are not considered sub-processors of customer data; they may incidentally contain account-identifying information when handling support requests.
Data Retention and Deletion
- Deleted items may remain on active systems for up to 45 days.
- Backups may retain deleted data for up to 70 days beyond that.
- On account cancellation, account content becomes immediately inaccessible and is generally removed within 60 days.
- Customers may export their data prior to cancellation.
Personal data is retained only as long as necessary for the purposes set out in the Privacy Policy, including legal obligations, dispute resolution, and enforcement of agreements.
Reliability and Business Continuity
Jelly relies on the redundancy and availability features of Render and AWS. Backups are taken regularly and are encrypted. In the event of a service-affecting incident, status updates are provided through Jelly’s support channels and customers can reach security@letsjelly.com directly.
Incident Response and Breach Notification
Lazyatom Limited maintains an incident response process appropriate to the size of the service. In the event of a personal data breach affecting a customer’s data, Lazyatom Limited will notify the affected customer without undue delay in line with the obligations set out in the DPA and applicable UK GDPR / EU GDPR requirements, providing the information necessary for the customer to meet its own regulatory notification obligations.
Security issues, suspected vulnerabilities, and disclosure reports may be sent to security@letsjelly.com.
Legal and Privacy Posture
- Jelly is operated by a UK company; customer data is primarily stored in the EU.
- Customer data is not sold and has never been sold.
- Lazyatom Limited does not provide direct access to customer data unless legally compelled by valid UK or EU legal authority, and reviews and challenges improper or overly broad requests.
- Where allowed, customers are notified before disclosure.
- Foreign law-enforcement requests are not voluntarily honoured outside established mutual legal assistance channels.
- International transfers, where they occur, rely on appropriate safeguards including adequacy decisions, Standard Contractual Clauses, and the UK International Data Transfer Agreement.
Customers may exercise rights under applicable data protection law (access, correction, deletion, portability, etc.) via the in-product controls or by contacting security@letsjelly.com.
Compliance Posture and Known Gaps
In the spirit of transparency, Lazyatom Limited is providing the following honest summary of where Jelly currently stands relative to common compliance frameworks:
- SOC 2 / ISO 27001: Lazyatom Limited does not currently hold its own SOC 2 Type II report or ISO 27001 certification. Underlying infrastructure providers (AWS, Render, Postmark, Stripe, Sentry, PostHog, Papertrail) do hold SOC 2 Type II and, in most cases, ISO 27001.
- GDPR / UK GDPR: Lazyatom Limited offers a Data Processing Addendum, maintains a published sub-processor list, and primarily stores data within the EU.
- Encryption: Customer data is encrypted in transit and at rest. Sensitive customer data is additionally encrypted at the application layer using Rails 8.1 Active Record Encryption (AES-256-GCM), with keys held separately from the database and key rotation supported. Deterministic encryption is used only on email addresses and email subjects to permit equality lookups.
- Penetration testing: Available on request — please contact security@letsjelly.com to discuss scope and current status.
Customers conducting a SOC 2 audit who use Jelly typically rely on a combination of: this overview, a signed DPA, the sub-processor list with the underlying providers’ SOC 2 reports, and a documented vendor risk assessment. For most use cases of a shared inbox tool with a small team, this is a defensible position; customers in more heavily regulated industries should contact security@letsjelly.com to discuss their specific control requirements.
Customer Responsibilities
Jelly operates a shared responsibility model. Customers are responsible for:
- Maintaining the security of their account, password, and user list, including prompt removal of users who no longer need access.
- Enabling two-factor authentication for their users.
- Ensuring that the data they choose to send through a shared inbox is appropriate to that environment.
- Performing their own legal assessment regarding the categories of personal data processed through the service.
Contact and Document Requests
For specific control questions, vendor security questionnaires, or to discuss your requirements, contact security@letsjelly.com.