diff --git a/app/templates/views/documentation.html b/app/templates/views/documentation.html index b23fd5772..99425686b 100644 --- a/app/templates/views/documentation.html +++ b/app/templates/views/documentation.html @@ -1,14 +1,25 @@ {% extends "withoutnav_template.html" %} {% block per_page_title %} - API documentation + Documentation {% endblock %} {% block maincolumn_content %}
-
- {{ body }} +
+ +

Documentation

+

Use our API documentation to integrate with GOV.UK Notify using the following clients:

+ +

You can also find out about integration testing and the different types of API keys that you can use.

diff --git a/app/templates/views/features.html b/app/templates/views/features.html index c7667cea6..ad053b1f5 100644 --- a/app/templates/views/features.html +++ b/app/templates/views/features.html @@ -1,5 +1,6 @@ -{% from "components/table.html" import mapping_table, row, text_field, edit_field, field %} {% extends "withoutnav_template.html" %} +{% from "components/table.html" import mapping_table, row, text_field, edit_field, field %} +{% from "components/sub-navigation.html" import sub_navigation %} {% block per_page_title %} Features @@ -8,86 +9,77 @@ {% block maincolumn_content %}
+
+ {{ sub_navigation(navigation_links) }} +
+

Features

+

GOV.UK Notify helps government services to:

+
    +
  • send emails
  • +
  • send and receive text messages (Uk and internationally)
  • +
  • send letters
  • +
+

You can use Notify if you’re running a service in:

+
    +
  • central government
  • +
  • a local authority
  • +
  • the NHS
  • +
+

You don’t need any technical knowledge to use Notify.

+

Create an account for free and try it yourself.

-

- Here’s a list of what you can do with GOV.UK Notify. We’re adding new features all the time, - so keep an eye on our roadmap to see what’s coming up. -

+

Customise your messages

+

With Notify, you control the content and format of your messages. You can:

+
    +
  • customise the content of your messages
  • +
  • change the formatting of emails and letters
  • +
  • create and update templates in real time
  • +
  • add your own branding
  • +
  • choose your text message sender name
  • +
  • choose an email account for users to reply to
  • +
  • preview messages before you send them
  • +
-
-

- You can create yourself a trial account now to see all - of these features in action. -

-
+

Send messages when you want to

+

You can send messages straight away, or schedule them in advance.

+

Service levels

+

Notify commits to:

+
    +
  • sending 95% of emails and text messages within 10 seconds
  • +
  • sending letters by 3pm the next working day (if you submit it through Notify before 5pm)
  • +
-

What you can do with Notify

-
    -
  • Send emails
  • -
  • Send text messages – UK and internationally
  • -
  • Receive text messages
  • -
  • Send letters
  • -
+

See your activity

+

Through the Notify dashboard, you can:

+
    +
  • check the delivery status of any emails and text messages
  • +
  • see a real-time dashboard of your activity
  • +
  • view your usage and reports
  • +
-

Notify service levels

-
    -
  • 95% of messages will be sent within 10 seconds
  • -
  • 24 hour online support
  • -
+

Send messages in bulk or individually

+

With Notify, you can:

+
    +
  • upload files with all your user data
  • +
  • send bulk messages to users
  • +
  • send messages to specific users
  • +
-

What Notify costs

-
    -
  • Email – free
  • -
  • Text messages – free allowance, then 1.58p + VAT
  • -
  • Letters – from 30p + VAT
  • -
-

- See our pricing page for more details. -

+

Manage user permissions

+

Through the Notify dashboard, you can:

+
    +
  • set different permission levels for different team members
  • +
  • invite contractors to use Notify
  • +
-

Managing your message content

-
    -
  • Personalise your messages
  • -
  • Format emails and letters
  • -
  • Choose email and letter branding
  • -
  • Specify an email account for replies
  • -
  • Specify text message sender name
  • -
+

Automate your messages

+

You can integrate with our API to automatically send messages through Notify when relevant data changes in your systems.

+

This means you don’t have to manually download data from your system and upload it to Notify to send a message.

+

Check our code libraries for more information on how to integrate with Notify.

-

Using Notify

-
    -
  • Create and update message templates in real time
  • -
  • Preview messages before sending them
  • -
  • Schedule when your messages are sent
  • -
  • Send individual emails or text messages
  • -
  • See the delivery status of emails and text messages
  • -
  • Manually upload batch files of recipient data
  • -
  • Automate sending with our API
  • -
  • Integrate using supported client libraries
  • -
  • Use different types of API key for your - integration testing
  • -
- -

Managing your Notify account

-
    -
  • Real-time dashboard of activity
  • -
  • View usage and reports
  • -
  • Manage your team members’ permissions
  • -
- -

Notify security

-
    -
  • Approved by the Cabinet Office Senior Information Risk Officer (SIRO)
  • -
  • Ongoing information risk management activities
  • -
  • Data is encrypted as it passes through the service and when it’s stored
  • -
  • Personal data is only held for the minimum period of time
  • -
  • Permissions model allowing different functionality to different team members
  • -
  • Using an advanced API key standard, JSON Web Tokens, providing a higher degree of protection for services
  • -
- -

- See our approach to information risk management for more details. -

+

Reliable and resilient

+

Notify sends messages through multiple providers. If one provider fails, Notify automatically switches to another so that your messages aren’t affected.

+ {% endblock %} diff --git a/app/templates/views/information-risk-management.html b/app/templates/views/information-risk-management.html deleted file mode 100644 index 71724b479..000000000 --- a/app/templates/views/information-risk-management.html +++ /dev/null @@ -1,63 +0,0 @@ -{% from "components/table.html" import mapping_table, row, text_field, edit_field, field %} -{% extends "withoutnav_template.html" %} - -{% block per_page_title %} - Information risk management -{% endblock %} - -{% block maincolumn_content %} - -
-
-

Approach to information risk management

- -

- The information risk management approach taken by GOV.UK Notify is aligned to the guidance provided by the - National Cyber Security Centre (NCSC) on GOV.UK. -

- -

- The scope includes the risk assessment of: -

- -
    -
  • the GOV.UK Notify technical solution, infrastructure and supporting operations
  • -
  • the text message, email, and letter service providers used by GOV.UK Notify
  • -
- -

- The ongoing information risk management activities include: -

- -
    -
  • formal risk assessments using a methodology based on - ISO 27005:2011 - and supplemented by reference to NCSC standards and guidance documentation
  • -
  • CHECK-based - IT Health Check (ITHC) testing (annual and on major change)
  • -
  • residual risk statement preparation and active management of the risk treatment plan
  • -
  • regular updates to the Privacy Impact Assessment
  • -
  • security impact assessments
  • -
  • legal reviews of the service’s Privacy Policy, Terms of Use and Data Sharing and Financial - Agreement to ensure Data Protection Act (‘DPA’) compliance
  • -
  • Office of the Government’s SIRO (OGSIRO) offshoring approvals to host data within the EEA
  • -
  • annual reviews of the risk acceptance status with the Cabinet Office Senior Information Risk Owner (SIRO)
  • -
- -

- Controls implemented for the GOV.UK Notify technical solution and operational support team include: -

- -
    -
  • Data encryption in transit and at rest
  • -
  • Protective Monitoring
  • -
  • System administration staff SC cleared
  • -
  • Service subject to Cabinet Office and GDS security governance
  • -
- -

- Information within the GOV.UK Notify service is deemed to have a classification of ‘OFFICIAL’ under - the Government Security Classifications Policy. -

- -{% endblock %} diff --git a/app/templates/views/information-security.html b/app/templates/views/information-security.html deleted file mode 100644 index c358b398f..000000000 --- a/app/templates/views/information-security.html +++ /dev/null @@ -1,195 +0,0 @@ -{% from "components/banner.html" import banner_wrapper %} -{% extends "withoutnav_template.html" %} - -{% block per_page_title %} -Information security guidelines -{% endblock %} - -{% block maincolumn_content %} - -
-
- -

- Information security for text messages, emails and letters -

- - - - -

Use a practical approach to information security, one that balances a user’s need to be kept informed with being kept safe.

- - -
-

Contents

- - -
- -
-

Start with user needs, not government needs

- -

Start by writing the message you want to send. Don’t worry about the information security aspect just yet – write the message you want to convey as clearly and directly as possible.

- -

Use our design patterns along with the GOV.UK style guide to help you write clearly and convey the right information at the right time.

- -

Once you have a message which meets user needs, look at it in relation to the risks we outline. Use this to decide if you need to change the message in order to keep the users safe.

-
- -
-

Understand the risks

- -

There are 3 main risks involved in sending notifications by text message, email or letter:

- -
    -
  1. Someone accidentally sees the notification.
  2. -
  3. An attacker intercepts a message, or gains access to someone’s email inbox, phone messages or paper files.
  4. -
  5. An attacker tricks the user by sending a fake notification (phishing).
  6. -
- -

Someone accidentally sees the notification

- -

For some messages, the recipient would be unhappy if someone else accidentally saw the contents, for example, the results of a recent medical test.

- -

This is a privacy issue – in this case the unintended recipient isn’t trying to steal money or identity information.

- -

To address this risk, don’t reveal the important information in the subject line or opening sentence, or ask the user to sign in to see the information in full.

- -

An attacker intercepts a message, or gains access to someone’s email inbox, phone messages or paper files

- -

It’s possible for hackers to intercept messages. Text messages, emails and letters can all be intercepted.

- -

It’s also possible for a criminal to gain access to someone’s entire email inbox, phone messages or paper files. Email accounts can be hacked, phones and paper files can be stolen, left lying around or picked out of the rubbish.

- -

In both cases, criminals are looking for information they can use to commit fraud. To address this risk, don’t send payment details, ID numbers or any other information that can be used for fraud.

- -

An attacker tricks the user by sending a fake notification (phishing)

- -

In this scenario, a hacker sends lots of messages pretending to be from an official government service, hoping to trick someone into revealing information of value.

- -

This is known as a ‘phishing attack’.

- -

To address this risk, don’t send requests for personal information of any kind, unless the request is directly connected with a transaction.

-
- -
-

Information security principles

- -

Protect the user’s privacy

- -

To avoid someone other than the recipient accidentally seeing a message that has sensitive or confidential information, either:

- -
    -
  • use a generic subject line and opening sentence, and only give the information in full within the body of the message
  • -
  • send a generic message which asks the person to sign in to see the information in full
  • -
- -

Remember that even the sender ID also reveals information. For example, don’t set your sender name as ‘STI clinic’.

- -

Don’t send information that can be used for fraud

- -

To reduce the risk if messages are intercepted, hacked or stolen, don’t send messages with:

- -
    -
  • payment details
  • -
  • passport, driving licence, or National Insurance numbers, or any other personal ID numbers
  • -
  • the person’s date of birth, mother’s maiden name or other information commonly used for identification
  • -
  • the person’s full address or previous addresses
  • -
  • passwords (c’mon team)
  • -
  • payment amounts – if you use them as a form of identification
  • -
- -

Payment details can be used for fraud straight away. Other information requires a bit more work. For example, an attacker might use one piece of information to get hold of another, eventually gaining enough information to commit fraud. Or a criminal might use information from several old messages to steal someone’s identity.

- -

Don’t send requests for personal information of any kind, unless the request is directly connected with a transaction

- -

To reduce the risk from phishing attacks, don’t send requests for personal information of any kind, unless the request is directly connected with a transaction.

- -

It’s OK to send a request for personal information if it’s directly connected with a transaction. For example it's OK to send a notification with a link asking users to reset their password if they've requested it by clicking on a ‘Forgot your password?’ link.

- - - - -

The same rules apply to links:

- -
    -
  • Don’t send links that reveal information that can be used for fraud.
  • -
  • Don’t send unsolicited messages that include a link requesting personal information of any kind (it’s OK to send a message with a link requesting information if the user has just requested it).
  • -
- -

There are additional rules that apply specifically to links.

- -
    -
  1. Links must point to a .gov.uk domain – for example, https://www.gov.uk or https://www.armslengthbody.gov.uk.
  2. -
  3. Links must show the URL in full – for example https://www.gov.uk/vehicle-tax, not gov.uk/vehicle-tax.
  4. -
  5. Don’t use redirects or tracking links – disguising the URL makes phishing easier. Just show the URL in full.
  6. -
  7. Don’t link directly to a sign-in page – this is a request for personal data. If the user needs to sign in to your service, link to your start page on GOV.UK.
  8. -
  9. It’s OK to deep-link into your service, as long as the user doesn’t have to sign in to view the information or take action.
  10. -
- -

Don’t send attachments

- -

If you want to communicate something, write it in the body of the email. This is more user-friendly. If the information is too sensitive to include in the email body, it’s too sensitive to include in an attachment.

- -

If you need to send someone a file, make the file available within your service, then link to it.

- - -

Include the user’s name – it makes phishing more difficult

- -

Start your message by addressing the user. For example, ‘Hi Alice Smith’, or ‘Dear Bob Jones’. Including this extra piece of information makes phishing more difficult.

- -

Use technical approaches to improve privacy and prevent phishing

- -

There are several technical approaches to preventing phishing. You must use SPF/DKIM, DMARC and TLS.

- -

SPF/DKIM and DMARC make sure your emails get delivered, whilst phishing and spam email gets filtered into junk mail.

- -

TLS makes sure that no-one can intercept your emails.

-
- -
-

Examples

- -

Example of an appointment reminder

-

“Dear Anne Smith, you’ve got a licence appointment tomorrow at 2:15pm at the Licence Office, 1 Chapel Hill, Heswall, Bournemouth BH1 1AA. To cancel your appointment, visit licensing.service.gov.uk/appointment/12345678/cancel. To change your appointment time, sign in to your account.”

-

This is a good example because:

-
    -
  • the message and link doesn't reveal any sensitive personal data
  • -
  • it doesn't ask for personal data, passwords or payment details
  • -
  • the reminder addresses the user by their name, making phishing attacks more difficult
  • -
  • the link just cancels the appointment which minimises what an attacker can do
  • -
  • users have to sign in to change the appointment time, making it harder for an attacker to know what their appointment time is
  • -
  • the topic is something the user is familiar with
  • -
- - -

Example to add a photo to an environmental permit

-

“Dear Andrew Jones, to add a location photo to your environmental permit application, visit environmentalpermit.service.gov.uk/12345678/add-photo. If you didn’t request this link, please ignore this message.”

-

This is a good example because:

-
    -
  • the message and link doesn't reveal any sensitive personal data
  • -
  • it doesn't ask for personal data, passwords or payment details
  • -
  • the reminder addresses the user by their name, making phishing attacks more difficult
  • -
  • the link only lets users add a photo to an environmental permit application – it doesn’t complete the process, which minimises what an attacker can do
  • -
  • it shows users what to do if the message doesn't apply to them
  • -
-
- -
-

You can do more if you want to

- -

These guidelines are the minimum requirement. You can take stricter measures for your service if you think it's necessary.

- -

Just make sure you’re balancing your users’ needs to be kept informed and kept safe.

-
- -
-
- -{% endblock %} diff --git a/app/templates/views/integration_testing.html b/app/templates/views/integration-testing.html similarity index 100% rename from app/templates/views/integration_testing.html rename to app/templates/views/integration-testing.html diff --git a/app/templates/views/pricing.html b/app/templates/views/pricing.html index 682dea668..aa4f063cb 100644 --- a/app/templates/views/pricing.html +++ b/app/templates/views/pricing.html @@ -11,56 +11,48 @@
+

Pricing

+

To use GOV.UK Notify, there’s:

+
    +
  • no procurement cost
  • +
  • no monthly charge
  • +
  • no setup fee to use
  • +

Emails

- -

- Sending email through GOV.UK Notify is completely free. -

+

It’s free to send emails through GOV.UK Notify.

Text messages

- -

- Text message rate: {{ '{:.2f}'.format(sms_rate * 100) }} pence + VAT -

- -

- Free allowance -

- -

- All services have a free allowance of text messages, per financial year: -

- +

You have a free allowance of text messages each financial year. You’ll get:

    -
  • 250,000 text messages for central government services
  • -
  • 25,000 text messages for local government services
  • +
  • 250,000 free text messages for a central government service
  • +
  • 25,000 free text messages for a local government service
- -

- Long messages -

- -

- Long messages count as 2 or 3 text messages depending on length: -

- -
    -
  • Up to 160 characters = 1 text message
  • -
  • Up to 306 characters = 2 text messages
  • -
  • Up to 459 characters = 3 text messages
  • -
- -

- International numbers -

- -

- Messages to international mobile numbers are charged at 1, 2, or 3 - times the cost of messages to UK mobile numbers. -

- +

It costs 1.58 pence (plus VAT) for each text message you send after your free allowance.

+

Long text messages

+

If a text message is beyond a certain length, it’ll be charged as more than one message:

+
+ {% call mapping_table( + caption='Letter pricing', + field_headings=['Message length', 'Charge'], + field_headings_visible=True, + caption_visible=False + ) %} + {% for message_length, charge in [ + ('Up to 160 characters', '1 text message'), + ('Up to 306 characters', '2 text messages'), + ('Up to 459 characters', '3 text messages') + ] %} + {% call row() %} + {{ text_field(message_length) }} + {{ text_field(charge) }} + {% endcall %} + {% endfor %} + {% endcall %} +
+

Sending text messages to international numbers

+

It might cost more to send text messages to international numbers than UK ones, depending on the country.

International text message rates @@ -95,18 +87,8 @@
-

- Letters -

-

- Letters are printed double sided in colour. Prices include - printing, paper, envelope, and postage. All letters are sent - second class post. -

-

- The price of letters increases with the number of sheets printed: -

- +

Letters

+

The cost of sending a letter depends on how many sheets of paper you need.

{% call mapping_table( caption='Letter pricing', @@ -127,22 +109,13 @@ {% endfor %} {% endcall %}
- -

No monthly charge or setup fee

-

- There are no other charges for using Notify. There’s no monthly charge - or setup fee. -

- -

- The Government Digital Service is funding the development and running - of Notify. We’re also covering the cost of the free emails and text messages. -

- -

- We simply charge you the costs we pay to our delivery partners. We - don’t mark these costs up in any way. -

+

Letter prices include:

+
    +
  • paper
  • +
  • double-sided colour printing
  • +
  • envelopes
  • +
  • 2nd Class postage
  • +
diff --git a/app/templates/views/roadmap.html b/app/templates/views/roadmap.html index 781790864..0060ac182 100644 --- a/app/templates/views/roadmap.html +++ b/app/templates/views/roadmap.html @@ -1,4 +1,5 @@ {% from "components/table.html" import mapping_table, row, text_field, edit_field, field %} +{% from "components/sub-navigation.html" import sub_navigation %} {% extends "withoutnav_template.html" %} {% block per_page_title %} @@ -8,55 +9,37 @@ {% block maincolumn_content %}
+
+ {{ sub_navigation(navigation_links) }} +
+

Roadmap

+

The GOV.UK Notify roadmap shows the things we’re working on and when we hope to have them ready for you to use.

+

It’s only a guide and things might change.

+

You can contact us for more detail about these features, or to suggest something else you’d like Notify to offer.

-

- Here’s a list of the new functionality we’re planning to offer through GOV.UK Notify over the next 6 to 9 months. -

+

Sending and receiving messages

+

We’re working on new features so that you can:

+
    +
  • allow services to get text messages replies via the API (November 2017)
  • +
  • posting delivery receipts to services (December 2017)
  • +
  • sending of pre-compiled letters (January 2018)
  • +
  • customising the expiry time for text messages (February - April 2018)
  • +
  • sending of pre-compiled text messages and emails (February - April 2018)
  • +
  • distributing delivery of notifications over a period of time (May 2018 onwards)
  • +
  • Automated content scanning for banned content (May 2018 onwards)
  • +
  • Checking mobile numbers are valid before sending (May 2018 onwards)
  • +
-
-

- This roadmap is a only a guide and may change from month to month. -

-
+

Managing your account

+

We want to offer the functionality for:

+
    +
  • allow service owners to manage team members details (February - April 2018)
  • +
  • allowing people to request to join a service (February - April 2018)
  • +
-

- If you want to find out more about these features, or have some needs that Notify isn’t yet meeting, - please get in touch with us through our support page, or chat with us in our - cross-government Slack channel. -

- -

November 2017

-
    -
  • Allow services to get text messages replies via the API
  • -
- -

December 2017

-
    -
  • Posting delivery receipts to services
  • -
- -

January 2018

-
    -
  • Sending of pre-compiled letters
  • -
- -

February – April 2018

-
    -
  • Customising the expiry time for text messages
  • -
  • Allow service owners to manage team members details
  • -
  • Allowing people to request to join a service
  • -
  • Sending of pre-compiled text messages and emails
  • -
  • Retire version 1 of the API
  • -
- -

May 2018 onwards

-
    -
  • Distributing delivery of notifications over a period of time
  • -
  • Explore other channels (Facebook messenger, WhatsApp, Push Notifications)
  • -
  • Automated content scanning for banned content
  • -
  • Checking mobile numbers are valid before sending
  • -
+
+
{% endblock %} diff --git a/app/templates/views/security.html b/app/templates/views/security.html new file mode 100644 index 000000000..cd15677d4 --- /dev/null +++ b/app/templates/views/security.html @@ -0,0 +1,78 @@ +{% extends "withoutnav_template.html" %} +{% from "components/table.html" import mapping_table, row, text_field, edit_field, field %} +{% from "components/sub-navigation.html" import sub_navigation %} + +{% block per_page_title %} + Information risk management +{% endblock %} + +{% block maincolumn_content %} + +
+
+ {{ sub_navigation(navigation_links) }} +
+
+ +

Security

+

GOV.UK Notify is built for the needs of government services. It has processes in place to:

+
    +
  • protect user data
  • +
  • keep systems secure
  • +
  • manage risks around information
  • +
+ +

Data

+

On Notify, data is encrypted:

+
    +
  • when it passes through the service
  • +
  • when it’s stored on the service
  • +
+

Any user data you upload is only held for 7 days.

+

The Cabinet Office acts as data processor for Notify. Your organisation is the data controller.

+

Data Protection Act

+

Notify complies with the Data Protection Act. To make sure it stays compliant, there are regular legal reviews of the service’s:

+
    +
  • privacy policy
  • +
  • terms of use
  • +
  • approach to data sharing
  • +
+ +

Technical security

+

Other technical security controls on Notify include:

+
    +
  • protective monitoring to record activity, and raise alerts about any suspicious activity
  • +
  • using JSON Web Tokens, to avoid sending API keys when your service talks to Notify
  • +
+ +

User permissions

+

You can set different user permissions in Notify. This lets you control who in your team has access to certain parts of the service.

+ +

Information risk management

+

Our approach to information risk management follows National Cyber Security Centre (NCSC) guidance. It assesses:

+
    +
  • how Notify is built
  • +
  • the infrastructure Notify is built upon
  • +
  • support for the Notify service
  • +
+

This approach also applies to the service providers Notify uses to send messages.

+ +

How we manage risks on Notify

+

Things we do to manage risks on Notify include:

+
    +
  • formal risk assessments based on ISO 2700:2011 and National Cyber Security Centre guidance
  • +
  • CHECK-based testing, both annually and when any major changes are made to Notify
  • +
  • residual risk statement preparation and active management of the risk treatment plan
  • +
  • regular updates to the Privacy Impact Assessment
  • +
  • security impact assessments
  • +
+ +

Cabinet Office approval

+

Notify has been assessed and approved by the Cabinet Office Senior Information Risk Officer (SIRO). The SIRO checks this approval once a year.

+

Notify also has approval from the Office of the Government’s SIRO to host data within the EEA.

+ +

Classifications and security vetting

+

Any information in Notify is classified as ‘OFFICIAL’ under the Government Security Classifications Policy.

+

All system administration staff working on Notify are cleared to Security Check (SC) level by United Kingdom Security Vetting.

+ +{% endblock %} diff --git a/app/templates/views/terms-of-use.html b/app/templates/views/terms-of-use.html index 33feef0b3..9add85681 100644 --- a/app/templates/views/terms-of-use.html +++ b/app/templates/views/terms-of-use.html @@ -1,5 +1,6 @@ {% extends "withoutnav_template.html" %} {% from "components/banner.html" import banner_wrapper %} +{% from "components/sub-navigation.html" import sub_navigation %} {% block per_page_title %} Terms of use @@ -8,170 +9,45 @@ Terms of use {% block maincolumn_content %}
+
+ {{ sub_navigation(navigation_links) }} +
-

- Terms of use -

+

Terms of use

+

To go live on GOV.UK Notify, you must accept the data sharing and financial agreement (memorandum of understanding).

+

Contact us to get a copy of the agreement or find out if your organisation has already accepted it.

+

To accept these terms of use, you must be the service manager for your service.

- {% call banner_wrapper(type='warning') %} -

You must accept the GOV.UK Notify data sharing and financial agreement (Memorandum of Understanding) before we can process data for you.

+

Notify’s side of the agreement

+

We agree to:

+
    +
  • send all the messages you pass to us, as long as they meet our guidelines
  • +
  • + show how Notify is performing (through our performance and status pages) +
  • +
  • keep your data secure
  • +
  • give you one month’s notice by email if we change our terms of use or delivery providers
  • +
-

- Contact the Notify team to get a copy of the agreement or to find out if your organisation has already accepted it. -

+

Your side of the agreement

+

You agree to:

+
    +
  • complete your organisation’s information assurance process (you don’t need to include Notify or our delivery partners, we’ve already done that)
  • +
  • tell us immediately if you have any security breaches
  • +
  • keep your API keys secure
  • +
  • get the right levels of consent (to send messages and to use data)
  • +
  • not send unsolicited messages, only ones related to a transaction or something the user has subscribed to be updated about (check the Service Manual if you’re not sure)
  • +
  • + send messages that meet the GOV.UK design patterns, style guide and information security guidelines
  • +
  • not send messages containing any personally or commercially sensitive information
  • +
  • check that the data you add to Notify is accurate and complies with Data Protection Act principles
  • +
+

If you don’t keep to your side of the agreement, we might have to stop sending your messages.

- {% endcall %} - -

To accept these terms, you must be the service manager for your service.

- -
-

- Summary -

- -

If we accept your service onto GOV.UK Notify, we agree to:

- - - -

You agree:

- - - -
- -
-

- Our side of the agreement -

- -

- We agree to send all the messages you pass to us -

- -

We’ll send all the messages you pass to us, as long as they meet our guidelines.

- -

We aim to provide a continuous service so you can use GOV.UK Notify 24 hours a day, 365 days a year.

- -

We’ve made sure that GOV.UK Notify can handle large volumes of messages. For text messages we use multiple delivery providers at any one time. If a provider’s service fails, GOV.UK Notify will automatically switch to a different provider.

- -

- We agree to keep you informed about the performance of GOV.UK Notify -

- -

You’ll be able to see how the service is performing on our status page.

- -

We have a ticketing system and escalation routes to address incidents. We also provide 24 hour support for high-priority issues.

- -

We also have a chat room for talking to the GOV.UK Notify team. We are available to discuss your needs, and to see how Notify is working for you.

- -

- We agree to keep your data secure -

- -

GOV.UK Notify has been through an information assurance process to assess information risks, to determine appropriate treatments for those risks and to obtain risk acceptance from the Cabinet Office Senior Information Risk Officer (SIRO). This work includes the completion of a privacy impact assessment to ensure compliance with the Data Protection Act.

- -

Cabinet Office act as data processor, as parent organisation of GOV.UK Notify. Your organisation remains the data controller.

- -

Contact us if you want more information about our approach to data protection and information risk management.

- -

- We agree to give you one months’ notice if we change these terms -

- -

We’ll email to tell you what is changing and when the change will come into effect.

- -

This includes when any of our email, text message or postal providers change.

- -
- -
-

- Your side of the agreement -

- -

- You agree not to compromise the security of GOV.UK Notify -

- -

You agree to get your service assured through your organisation’s information assurance (security) process. You don’t need to include assurance of GOV.UK Notify or our delivery partners, since we’ve already done that - we can share the work we’ve done.

- -

You must tell us immediately if you have any security breaches. This is so we can make sure other services are not affected.

- -

You must follow industry best practices for keeping your API keys secure.

- -

You must ensure you have obtained correct levels of consent - both to send messages but also for how data is shared, stored, and processed in order to do so.

- -

- You agree not to use GOV.UK Notify to send unsolicited messages -

- -

GOV.UK Notify is for sending transactional messages and subscription based alerts or reminders.

- -

Transactional messages relate directly to something the user did. For example:

- -
    -
  • they completed a transaction, and you’re sending them a confirmation email
  • -
  • they paid for an annual service a year ago, and you're reminding them that it’s about to expire
  • -
  • their application has been approved, and you're sending them a text message to let them know
  • -
- -

You don’t need to ask permission to send messages that directly relate to a transaction. By making a transaction and providing their contact details, a user is implicitly agreeing to receive messages about that transaction.

- -

Subscription based messages relate to something a user has explicitly asked to be updated with. For example:

- -
    -
  • they subscribed to travel advice alerts
  • -
  • they asked to be updated when guidance was updated
  • -
  • they opted in for information about new procurement frameworks
  • -
- -

All subscription based messages must, by law, contain a way for users to unsubscribe.

- -

If you do use GOV.UK Notify to send unsolicited messages, we may refuse to accept further messages for delivery.

- -

- You agree to send messages consistent with our design patterns, style guide and information security guidelines -

- -

Your messages must follow our design patterns, style guide and information security guidelines.

- -

Your messages must not contain any personally or commercially sensitive information.

- -

- You agree to use GOV.UK Notify delivery data to continuously improve the quality of your contact data -

- -

When you send messages through GOV.UK Notify, we provide feedback on the status of every text message, email and letter you send.

- -

You agree to use our delivery data to check (and potentially remove) bounced email addresses, mobile numbers, and postal addresses from your database.

- -

You agree to ensure your user’s personal data is kept accurate and up to date, in line with Data Protection Act principles.

- -

If you have consistently high bounce rates, we will investigate and may refuse to accept further messages for delivery. This is to protect delivery rates for other services using GOV.UK Notify.

- -
- -
-

- Leaving GOV.UK Notify -

- -

You can remove your service from GOV.UK Notify at any time. Contact us and we’ll delete your account.

- -

Any data that you have already processed through GOV.UK Notify will be deleted as part of the existing data deletion processes and data retention periods.

- -
+

Leaving Notify

+

You can leave Notify at any time. Just contact us and we’ll close your account.

+

When you leave Notify, all your data will be deleted.
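Review bot: The added "Leaving Notify" text at the end of this hunk says "When you leave Notify, all your data will be deleted", which drops the qualifier in the removed line that deletion happens "as part of the existing data deletion processes and data retention periods". As worded, a service manager could read the new sentence as immediate and complete deletion when the account is closed. If retention periods still apply, keep the reference to them in the new sentence. The removed block also carried the service-side security obligations (report security breaches immediately, keep API keys secure, no personally or commercially sensitive information in messages) and the data processor and data controller statement. Please confirm each of these still appears in the rewritten terms, since the replacement lines for them are not visible in this part of the hunk.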

diff --git a/app/templates/views/using-notify.html b/app/templates/views/using-notify.html index 92b4b5e8c..d0d8d834c 100644 --- a/app/templates/views/using-notify.html +++ b/app/templates/views/using-notify.html @@ -1,174 +1,70 @@ {% extends "withoutnav_template.html" %} +{% from "components/sub-navigation.html" import sub_navigation %} {% block per_page_title %} - Using GOV.UK Notify + Using Notify {% endblock %} {% block maincolumn_content %}
+
+ {{ sub_navigation(navigation_links) }} +
-

Using GOV.UK Notify

+

Using Notify

-
    -
  • Trial mode
  • -
  • Email and text message sending flow
  • -
  • Receiving messages
  • -
  • Delivery and failure
  • +

    Writing and sending text messages, emails and letters

    +

    Check the Service Manual for guidance on how to:

    +

    Trial mode

    +

    When you sign up to GOV.UK Notify, you’ll start in trial mode. In trial mode, you can send up to 50 text messages and emails a day. You can only send them to yourself and other people in your team.

    +

    You can’t send letters in trial mode.

    +

    When you request to go live on Notify, we’ll remove these restrictions.

    -

    - All new accounts on Notify start off in trial mode. -

    -

    - This means: -

    -
      -
    • - you can only send text messages and emails to yourself -
    • -
    • - you can add people to - {% if current_service %} - your team, - {% else %} - your team, - {% endif %} - then you can send text messages and emails to them too -
    • -
    • - you can only send 50 text messages or emails per day -
    • -
    • - you can’t send any letters -
    • -
    - -

    - When you’re ready we can - {% if current_service %} - remove these restrictions. - {% else %} - remove these restrictions. - {% endif %} - -

    - -

    Email and text message sending flow

    - +

    Sending messages

    +

    When you send a message, it moves through different states in Notify.

    A picture of the sending flow of messages in Notify, showing the three states of Sending, Delivered, And Failed. Also shows the next
-               steps when messages fail, deleting data and trying a new channel for permanent failures, and trying again or trying a new channel for
-               temporary failures - -

    Resending failed messages

    - -

    If a message fails because the inbox or phone ‘isn’t accepting messages right now’ then it’s up to you to decide if you want to send the message again or not.

    - -

    Notify attempts to send messages for up to 72 hours before it returns that status.

    - -

    Using multiple channels

    - -

    If your user has provided you with multiple contact channels, you should send messages to the channel they’ve chosen as their preference. However there are some scenarios where you might want to send messages to more than one channel:

    - -
      -
    • If a message fails to be delivered, you could try a different channel
    • -
    • If a message is delivered but the recipient hasn’t taken the action they need, you could try a different channel
    • -
    • If you need to urgently contact someone, you could email them and send them a text message at the same time
    • -
    - -

    If you’re using the Notify API these scenarios could be automated.

    - -

    Receiving messages

    - -

    Replies to emails that you’ve sent will go directly to the reply-to address that you have set up for your service.

    - -

    If you’re set up to receive text messages then your users can reply to messages you’ve sent, or can start an interaction by sending you a text message.

    - -

    Receiving inbound text messages can allow your service users to:

    - -
      -
    • confirm, cancel or change an appointment
    • -
    • register for a simple service
    • -
    • provide follow-up information for an application
    • -
    • report something
    • -
    • provide feedback
    • -
    - -

    You’ve then got the option to automate the processing of the messages you receive, or to view them in Notify.

    - -

    If you automate the processing of text messages you receive, then you should have a manual process in place to deal with messages that can’t be automatically processed.

    - -

    If you’d like your service to receive text messages, then let us know.

    - -

    Delivery and failure

    - -

    Our delivery states are:

    - - - -

    Sending

    - -

    All messages start in the ‘Sending’ state.

    - -

    This means that we have accepted the message. It’s waiting in a queue to be sent to our email or text message delivery partners.

    - -

    Delivered

    - -

    This means the message is in the person’s email inbox or on their phone.

    - -

    We can’t tell you if they’ve read it – to do so would require invasive and unreliable tracking techniques.

    - -

    Sent internationally

    - -

    This means the text message has been sent to a valid international phone number, but delivery receipts aren’t provided by mobile networks in that country.

    - -

    Phone number or email address does not exist

    - -

    You’re still billed for text messages to non-existent phone numbers.

    - -

    You need to remove these email addresses or phone numbers from your database.

    - - - -

    Inbox not accepting messages right now

    - -

    This can happen for a number of reasons, eg the user’s inbox was full.

    - -

    You can choose to retry these messages later or not.

    - -

    Phone not accepting messages right now

    - -

    This means the user’s phone was full or hasn’t been switched on in the last 72 hours.

    - -

    You’re still billed for these messages.

    - -

    You can choose to retry these messages later or not.

    - -

    Technical failure

    - -

    This means there is a problem with the connection between Notify and our email or text message delivery partners.

    - -

    Messages still being retried are marked as ’Sending’. We mark messages as ‘Technical failure’ once we’ve given up.

    - -

    You won’t be billed for these messages.

    - -

    You need to retry these messages yourself later.

    +

    Sending

    +

    This means that we’ve accepted the message and are sending it to our delivery providers.

    +

    Delivered

    +

    You’ll see this when Notify has successfully delivered a message to user’s email inbox or phone.

    +

    Notify won’t tell you if a user has opened or read a message.

    +

    Sent internationally

    +

    You’ll see this when Notify sends a text message to an international number, but mobile networks in that country don’t provide delivery receipts.

    +

    Phone number or email address does not exist

    +

    You’ll see this when Notify couldn’t deliver a message because the email address or phone number was wrong.

    +

    You should remove these email addresses or phone numbers from your database.

    +

    You’ll still be charged for text messages to numbers that don’t exist.

    +

    Inbox/phone not accepting messages right now

    +

    You’ll see this if Notify can’t deliver an email or text message after trying for 72 hours.

    +

    This might happen for a number of reasons. For example, the user’s inbox might be full, or their phone might be turned off.

    +

    You can try sending the message again if you want.

    +

    You’ll still be charged for text messages to phones that aren’t accepting messages.

    +

    Technical failure

    +

    A technical failure means there’s a problem between Notify and our delivery providers.

    +

    You’ll have to try sending your messages again.

    +

    You won’t be charged for text messages that are affected by a technical failure.

    +

    Receiving messages

    +

    Email replies

    +

    You can choose an email address you want replies to go to.

    +

    Text messages

    +

    You can contact us if you want to be able to receive text messages.

    +

    When you’ve done this, users will be able to reply to text messages you send them. They’ll also be able to start an interaction by sending you a text message.

    +

    You’ll be able to see and reply to text messages you receive. You can also create automated processes to manage replies.

    +

    You’ll still need to have a manual process in place for any messages that can’t be dealt with automatically.
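Review bot: The new "Technical failure" section drops the removed explanation that "Messages still being retried are marked as ’Sending’. We mark messages as ‘Technical failure’ once we’ve given up" and keeps only "You’ll have to try sending your messages again". Without that sentence the page no longer says that Notify retries on its own before reporting this status, so a team automating resends cannot tell from the text when a resend is appropriate. Suggest keeping one sentence on the retry behaviour. Two smaller points: under "Delivered", "to user’s email inbox" is missing an article ("a user’s"), and in "Trial mode", "up to 50 text messages and emails a day" does not say whether the limit is 50 combined or 50 of each.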