Security & Compliance

A technical Overview of The SMS Works SMS API Platform

SMS Works Compliance

1. Cyber Essentials

The SMS Works Ltd is Cyber Essentials accredited. Our certificate number is 9972a030-8814-404d-8e88-06a536ac0d60.


The SMS Works is fully compliant with the GDPR and all aspects of data protection.

The SMS Works terms details our responsibilities as data processors.

3. Information Security Program

The SMS Works conducts regularly scheduled information security reviews and training as part of it's employees' contractual obligations. The program includes but is not limited to:

Information Security

  • Company laptop encryption policy
  • Password manager policy (Chrome / 1Password)
  • 2FA on source control repositories, cloud infrastructure and password manager accounts
  • Procedures ensure QA evaluates Confidentiality, Integrity & Availability risks for proposed changes
  • Penetration testing against test environments before point release to production
  • Open Source software vulnerability subscription service
  • OS upgrade policy & procedures
  • Environment variables not stored in source control
  • Separation of credentials for testing and production environments
  • Disaster Recovery Plan (backup & restore, application infrastructure) across cloud architectures, tested annually.

Employee formal security training

  • Securing developer equipment & credentials
  • Securing application credentials
  • Deployment procedures

1. Transfer of Data

All API calls to The SMS Works must be made over an HTTPS connection.

API calls require a JSON Web Token for authentication. Tokens are not stored on The SMS Works servers. The open source bcrypt library is used to decrypt tokens and authenticate each call, against encrypted and salted secrets. The generation of new API Keys/Secrets will invalidate any previously generated tokens, allowing customers to control their access to the platform.

Email sent from The SMS Works to customers uses TLS 1.2, with DKIM, DMARC and Reverse DNS lookups in place for domain verification by your email servers, to ensure the veracity of source.

Application email is removed from our servers in line with our data retention policy (i.e. after 3 months).

All SMS Works accounts are specific to a single login. Data is partitioned by customerid.

2. Physical Site Security

SMS Works application servers are hosted by Amazon Web Services, across redundant locations in the UK. AWS details their physical security policies and procedures here

3. Infrastructure

The SMS Works uses CloudFlare’s Web Application Firewall services to prevent DDoS, brute force and other attacks on its network infrastructure. Page rules govern access to resources to ensure maximal application availability and performance.

The SMS Works subscribes to feeds for open source software releases for its application software, ensuring that it maintains production code that is the most recent Long Term Support (LTS) version. Version updates are tested in our QA environment, with a package manager ensuring that other open source modules support application layer releases prior to deployment.

The SMS Works also subscribes to three independent feeds which inform us of prevalent cyber warnings ( and vulnerabilities in the open source packages (GitHub, Snyk) we use to provide the service. We retain a severity tracking system to ensure high severity issues are addressed and deployed through our testing infrastructure.

Application deployment occurs via Git, with a dedicated production deployment token, separate from developer credentials. Deployment tokens are renewed every 30 days, or whenever an employee leaves the company.

SSH connections to servers are controlled using public/private key pairs, with IP whitelisting, which are regularly reviewed.

Data access is logged and monitored by monthly reporting.

A procedure for application credentials revocation and service account resets is in place for when we have departing employees.

3. Data Storage

Production data access is controlled by providing dedicated, individual production credentials to authorised personnel, allowing for independent logging and revocation, as necessary.

Data is replicated across a redundant cluster, spanning data centres in multiple AWS Availability Zones, all within the UK

Recent data is backed up using Amazon EBS volume backup, to Amazon S3 storage. Physical media is not used, as it represents a single point of failure.

4. Breaches

The SMS Works has a data breach reporting policy for contacting both the Information Commissioner’s Office and customers, to inform them of data breaches. The SMS Works data protection officer is Philip Warner ([email protected])

1. AWS

Production data is backed up every 6 hours, with archiving occurring after 90 days. Launch Templates are maintained so that new instances can be deployed in different availability zones, if any of those in production become unavailable. Elastic IP addresses ensure consistency of access to external applications and DNS. An annual DR fire drill, typically conducted between Christmas and New Year, ensures procedures remain familiar to the technical team.

2. Siteground

Daily backups of application files and user data, allowing for the independent restoration of each. Website application code held in a Git repository, allowing for the site to be quickly deployed to another service provider.

1. Performance Overview

The following metrics detail the performance typically provided by the platform at the point of sending or receiving data from the mobile networks:

  • Minimum uptime of The SMS Works platform: 99.95%.
  • Average throughput of SMS API. 50 messages per second.
  • Average message delivery time. Around 5 seconds.
  • Receive SMS (dedicated virtual mobile number). Less than 15 seconds.
  • Receive SMS (using a keyword and short code). Less than 15 seconds.

Please note that the networks do not offer service level agreements for the delivery of SMS to handsets.

When messages have been submitted to the mobile network, they may be subject to additional delays similar to the delays you might occasionally expect sending a text from one mobile phone to another.

2. System Reliability

We operate a redundant server architecture across multiple UK data centres, with data replication, ensuring high availability.

Our servers are load balanced, ensuring a highly responsive service during peak demand periods.

The SMS Works website is hosted separately, in a separate data centre, to the SMS API. This means there is no dependency on the website availability for our API services to function.

There may be questions about our SMS API platform that this brief overview doesn't address. It's completely understable if that's the case.

Feel free to get in touch and ask us if you're unsure of anything. Our details are on the contacts page.