Cyber Essentials certification at Exclaimer
Exclaimer has held Cyber Essentials certification continuously since January 2022. Our current certificate was issued by Cyber Aggress, an IASME-licensed certification body, on November 22, 2025, and covers our whole organization under the Profile 3.2 (Willow) requirements.
This page covers how Exclaimer meets the five Cyber Essentials controls in scope, and where to find the certificate and supporting evidence your security and procurement teams need.
| Certifying body | Certificate number | Profile | Scope | Date of certification | Recertification due |
|---|---|---|---|---|---|
| Cyber Aggress (IASME-licensed) | ecb1dcca-ef20-4306-beea-39087d1d9e51 | 3.2 (Willow) | Whole Organization | November 22, 2025 | November 22, 2026 |
How does Exclaimer meet the five Cyber Essentials controls?
Exclaimer's cloud-hosted email signature management platform runs on Microsoft Azure. The summaries below describe how each of the five Cyber Essentials control areas is implemented in production.
The five Cyber Essentials controls are:
- Firewalls and internet gateways
- Secure configuration
- User access control
- Malware protection
- Security update management
Firewalls and internet gateways
Exclaimer protects the platform perimeter with web application firewalls and active DDoS protection at every gateway into the platform. Inbound and outbound traffic is encrypted with TLS, and the network perimeter is monitored continuously.
Secure configuration
Exclaimer builds and runs the platform on hardened, security-reviewed configurations from development through to production. DevSecOps engineers are involved in every build, so risk is addressed before code reaches production. Once deployed, the platform runs in a hardened Azure environment with continuous network scanning to identify and resolve vulnerabilities early.
User access control
Access to the Exclaimer platform is authenticated through Microsoft and Google single sign-on, with multi-factor authentication required on every sign-in. Role-based access controls govern what each user can see and do, and user identity is synchronized from your existing directory (Microsoft Entra ID or Google Directory), so there's no separate password store to manage.
Malware protection
Exclaimer inherits Microsoft Azure platform-level anti-malware protections and runs continuous network scanning across the hosted infrastructure. Exclaimer is a SaaS platform with no customer-managed endpoints in scope of the service. Anti-malware and threat detection across the hosted infrastructure are provided by Microsoft Azure platform protections, with continuous network scanning applied at the application layer.
Security update management
Exclaimer releases security updates through a DevSecOps pipeline, so vulnerabilities are identified and addressed before they reach production. Once approved, updates are rolled out region by region, out of hours, to keep the platform patched while minimizing operational impact.
The Cyber Essentials scheme moved to the Danzell question set, aligned to v3.3 of the requirements, on April 27, 2026. Danzell tightens the rules around patching, multi-factor authentication on cloud services, and certification scope. Exclaimer's existing controls already align with these requirements, and we'll be assessed against Danzell at our next renewal in November 2026.
Where can I find Exclaimer's Cyber Essentials certificate?
The Exclaimer Trust Center is where our security documentation and audit evidence lives. You'll find our current Cyber Essentials certificate there, alongside the wider documentation procurement and security teams ask for during vendor reviews.
If your review needs context that isn't covered here or in the Trust Center, our security team can talk through specific controls, scope, or evidence directly with you.
Visit the Trust Center →
Frequently asked questions about Exclaimer and Cyber Essentials
The certification covers Exclaimer's whole organization, including the cloud-hosted email signature management platform, the corporate IT systems that support it, and the people and processes that deliver the service.
Our current certificate was issued on November 22, 2025. Recertification is due by November 22, 2026 and will be assessed against the Danzell question set, which became the live version of the scheme on April 27, 2026.
Cyber Aggress, an IASME-licensed certification body, certifies Exclaimer against the scheme. IASME is the NCSC's official Cyber Essentials Delivery Partner and manages the network of certification bodies that deliver the scheme across the UK.
Exclaimer holds Cyber Essentials, the standard tier. Cyber Essentials is a verified self-assessment signed off by senior management and marked by an IASME-licensed assessor. Cyber Essentials Plus adds an independent technical audit on top of that assessment.
The current Cyber Essentials certificate (certificate number: ecb1dcca-ef20-4306-beea-39087d1d9e51) is available in the Exclaimer Trust Center.
Cyber Essentials is required by many UK organizations during procurement, including UK public sector buyers and UK regulated industries. Organizations bidding for UK government contracts involving sensitive or personal data must hold Cyber Essentials certification. As a global email signature management provider with significant UK customers, we maintain Cyber Essentials alongside our wider international certifications.
Talk to Exclaimer's security team
For deeper questions about our Cyber Essentials certification, such as control implementation, audit scope, or how we map to your supplier security framework, speak with our security team.
Contact our security team →




