Frequently asked questions
Phished stands for transparency and trust. Here you can read more about how we work.
Security & Compliance
What compliance certifications does Phished have?
Phished has implemented and maintains one of the world’s best-known Information Security Management Systems: ISO/IEC 27001. We are fully certified as compliant with this standard. Our certificate registration number is 30050399, valid from 27/09/2024 to 26/09/2027, with a Statement of Applicability dated 13/08/2024 (version 2.0).
In addition to ISO 27001, Phished holds an ISAE 3000 (SOC 2 Type II) report, a Cyber Essentials certificate, and operates in compliance with ISO/IEC 27701, NIS2, and DORA requirements.
Phished is also fully GDPR compliant, ensuring that all data processing activities meet the strict requirements of the General Data Protection Regulation. Furthermore, we apply industry best practices in areas such as data encryption, access control, and secure development processes, ensuring the protection of customer data at all times.
Read more on our compliance webpage.
How does Phished treat user privacy?
Phished places a high priority on user privacy and data protection. The platform is fully GDPR compliant and adheres to core principles such as data minimization and purpose limitation. This means Phished only collects the personal data that is strictly necessary to deliver its services—such as phishing simulations, training modules, and reporting insights—and only uses it for that purpose.
While Phished does use certain user attributes (e.g. language, region, job role) to tailor simulations and training content, this is done through automated processes that do not result in decisions with legal or similarly significant effects on individuals. The goal is to offer relevant and realistic content while fully respecting user privacy and avoiding intrusive profiling.
For more details, you can consult our privacy policy.
How is platform access and authentication secured?
Phished applies multiple layers of security to protect platform access and user authentication. All user sessions are secured with TLS/SSL encryption, ensuring safe data transfer between users and the platform.
Multi-Factor Authentication (MFA) is enforced for administrator accounts to prevent unauthorized access. The platform also supports Single Sign-On (SSO) via SAML 2.0, allowing organizations to integrate Phished with their existing identity provider for streamlined and secure user authentication.
Additionally, role-based access control (RBAC) ensures that users only have access to the features and data relevant to their role. Phished implements session management, login monitoring, and activity logging to help detect suspicious behavior. Regular security assessments and penetration tests are performed to proactively identify and mitigate potential vulnerabilities.
Does Phished perform audits or third-party security reviews?
Our approach to cybersecurity is meticulous and proactive. By aligning the patching process with the severity and potential consequences of each vulnerability, we ensure a systematic and efficient response.
Our strategy also goes beyond patching to include continuous monitoring and evaluation, so that we stay ahead of emerging risks. We believe in a holistic cybersecurity framework that addresses immediate concerns while laying the foundation for long-term resilience.
In addition, Phished employs a multi-layered approach to vulnerability scanning:
- Automatic vulnerability scanning: An online vulnerability scanner that scans our digital infrastructure for cybersecurity weaknesses, both on a daily basis and as new threats emerge. Instant alerts empower us to address threats promptly, minimizing the window of exposure and enhancing overall cybersecurity resilience.
- Ethical hackers: We leverage a professional program that engages ethical hackers to continuously identify cybersecurity weaknesses within our digital infrastructure. Our program invites security researchers from around the world to actively participate in detecting and reporting vulnerabilities. This proactive and transparent approach fosters a continuous improvement cycle, enhancing the resilience of our systems against emerging threats.
- Responsible Disclosure Policy: We believe that collaboration with the security research community is crucial in identifying and addressing potential vulnerabilities in our systems and applications. We encourage responsible disclosure of any security issues discovered and appreciate the assistance of security researchers in maintaining a secure environment for everyone. Our Responsible Disclosure Policy outlines the guidelines for reporting security vulnerabilities to Phished, along with our security.txt.
- Physical penetration testing: In addition to digital protections, Phished conducts regular physical penetration tests to assess the resilience of our physical infrastructure and operational procedures. These tests simulate real-world intrusion attempts to evaluate access controls, employee awareness, and facility-level security protocols.
Where is user data stored?
At Phished, all user data is stored in highly secure data centers located in both Europe and North America. This setup ensures compliance with the highest international standards for privacy, security and legal protection, including GDPR and other applicable regulations.
Phished applications are hosted as distributed container-based applications on Google Cloud Platform (GCP) in Belgium. Our backend production databases are hosted in the same region. Highly available failover database locations are in the same region, but in a different zone.
How is the user data processed?
A detailed list of subprocessors is available in our Data Processing Agreement. We have data processing agreements in place with all our subprocessors in accordance with Article 28 of the GDPR. These agreements include standard contractual clauses for data transfers to third countries. Our subprocessors' primary data centers are located in the European Economic Area (EEA), but they may transfer data outside the EEA if their main office is in the USA. However, all personal data is always encrypted at rest and in transit to ensure its security. We have executed a Data Protection Impact Assessment (DPIA) and a Data Transfer Impact Assessment (DTIA) for every subprocessor, and our subprocessors are ISO 27001 and SOC 2 compliant.