Privacy & security

Learn how we keep your data secure

Phished keeps your data safe: learn how we do that

Our core values

Phished is a cybersecurity company, and therefore the confidentiality, integrity and availability of customer data is of paramount importance and the primary focus of our organization. Phished partners with some of the best cloud providers in the world to guarantee the best confidentiality, integrity and availability levels for our applications and customer data.

Pillars of our cybersecurity strategy

Information security that scales with you


Prevention

  • Security education & awareness training for internal staff members
  • Automated vulnerability scanning and private bug bounty program

Compliance

  • Phished is ISO27001 certified
  • Application hosted on SOC2 certified infrastructure

Cloud Infrastructure Security

  • Network, perimeter and DNS protection by Cloudflare
  • Application hosted by leading cloud providers in the EU (Google and Microsoft)

Customer Data Protection

  • Encryption in transit (TLS 1.2, TLS 1.3) and at rest (AES-256)
  • Logical tenant separation

Disaster Recovery & Data Backup

  • Disaster Recovery scenarios annually tested
  • Production databases are highly available, with read-only replicas and point-in-time restore enabled

Identity & Access Control

  • Role-Based Access Control (RBAC) for our application and infrastructure access
  • Multi-factor authentication is optional for our application and enforced for infrastructure access

Want to know more?

Additional resources

Download our security statement

Read our privacy policy

Read our cookie policy

Download our ISO 27001 certificate

General Data Protection Regulation (GDPR)

Here is some key information on how we securely store your data.

1. What we're storing

We store only necessary information, as collected by you.

2. How we're storing it

We encrypt your data both at rest and in transit, and our site and storage processes are designed for security (you can learn more on how we store your data further down this page).

3. Who can access it

We have extensive internal access controls and regulations for the usecure team, who only have access to data under limited conditions. You are able to restrict admin access to sensitive materials.

4. Our core standards

Our core compliance with the regulation means that:

  • We have full awareness of where any of your data is being held and, when it is held outside the EU, we ensure appropriate compliance is in place.
  • We ensure that only those who require access to your data are able to access it, and we maintain the highest level of protection against unauthorised access.
  • We ensure you have the right to view, amend, export or delete any information that we hold on your behalf, including anything held by third-party services.
  • We ensure that consent is obtained during the sign-up process from everyone who uses usecure, and we allow you to withdraw it at any time.

Frequently asked questions

If you have other questions we’re happy to help you at [email protected]

What compliance certifications does Phished have?

Phished has implemented and maintains one of the world’s best-known Information Security Management Systems: ISO/IEC 27001. We are fully certified as compliant with this standard. Our certificate registration number is 30050399, valid from 27/09/2024 to 26/09/2027, with a Statement of Applicability dated 13/08/2024 (version 2.0).

In addition to ISO 27001, Phished holds an ISAE 3000 (SOC 2 Type II) report, a Cyber Essentials certificate, and operates in compliance with ISO/IEC 27701, NIS2, and DORA requirements.

Phished is also fully GDPR-compliant, ensuring that all data processing activities meet the strict requirements of the General Data Protection Regulation. Furthermore, we apply industry best practices in areas such as data encryption, access control, and secure development processes, ensuring the protection of customer data at all times.

Read more on our compliance webpage.

How does Phished treat user privacy?

Phished places a high priority on user privacy and data protection. The platform is fully GDPR-compliant and adheres to core principles such as data minimization and purpose limitation. This means Phished only collects the personal data that is strictly necessary to deliver its services—such as phishing simulations, training modules, and reporting insights—and only uses it for that purpose.

While Phished does use certain user attributes (e.g. language, region, job role) to tailor simulations and training content, this is done through automated processes that do not result in decisions with legal or similarly significant effects on individuals. The goal is to offer relevant and realistic content while fully respecting user privacy and avoiding intrusive profiling.

For more details, you can consult our privacy policy.

How is platform access and authentication secured?

Phished applies multiple layers of security to protect platform access and user authentication. All user sessions are secured with TLS/SSL encryption, ensuring safe data transfer between users and the platform.

Multi-Factor Authentication (MFA) is enforced for administrator accounts to prevent unauthorized access. The platform also supports Single Sign-On (SSO) via SAML 2.0, allowing organizations to integrate Phished with their existing identity provider for streamlined and secure user authentication.

Additionally, role-based access control (RBAC) ensures that users only have access to the features and data relevant to their role. Phished implements session management, login monitoring, and activity logging to help detect suspicious behavior. Regular security assessments and penetration tests are performed to proactively identify and mitigate potential vulnerabilities.

Does Phished perform audits or third party security reviews?

Our comprehensive approach to cybersecurity emphasizes a meticulous and proactive strategy. By closely aligning the patching process with the severity and potential consequences of vulnerabilities, we ensure a systematic and efficient response.

Furthermore, our strategy extends beyond mere patching, encompassing continuous monitoring and evaluation to stay ahead of emerging risks. We believe in a holistic cybersecurity framework that not only addresses immediate concerns but also establishes a foundation for long-term resilience.

In addition, Phished employs a multi-layered approach to vulnerability scanning:

- Automatic vulnerability scanning: An online vulnerability scanner scans our digital infrastructure for cybersecurity weaknesses daily and whenever new threats emerge. Instant alerts empower us to address threats promptly, minimizing the window of exposure and enhancing overall cybersecurity resilience.

- Ethical Hackers: We leverage a professional program that engages ethical hackers in continuously identifying cybersecurity weaknesses within our digital infrastructure. Our program invites security researchers from around the world to actively participate in detecting and reporting vulnerabilities. This proactive and transparent approach fosters a continuous improvement cycle, enhancing the resilience of our systems against emerging threats.

- Responsible Disclosure Policy: We believe that collaboration with the security research community is crucial in identifying and addressing potential vulnerabilities in our systems and applications. We encourage responsible disclosure of any security issues discovered and appreciate the assistance of security researchers in maintaining a secure environment for everyone. Our Responsible Disclosure Policy outlines the guidelines for reporting security vulnerabilities to Phished, along with our security.txt.

- Physical penetration testing: In addition to digital protections, Phished conducts regular physical penetration tests to assess the resilience of our physical infrastructure and operational procedures. These tests simulate real-world intrusion attempts to evaluate access controls, employee awareness, and facility-level security protocols.
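The Responsible Disclosure item above refers to a security.txt file, the machine-readable pointer to a vulnerability disclosure contact defined by RFC 9116. The checker below is an added illustrative example, not Phished's own code or its real security.txt; the sample file it parses is constructed, and every address and URL in it is a placeholder. It shows what a valid file contains (the mandatory Contact and Expires fields, the optional Policy, Preferred-Languages and Canonical fields) and the checks a defender would run before publishing one: required fields present, single-valued fields not repeated, Contact using an allowed URI scheme, and Expires being a timezone-aware ISO 8601 timestamp that has not passed and is less than a year away.

```python
"""Minimal checker for a security.txt file as described in RFC 9116.

Added illustrative example; it is not Phished's own code. The sample file
below is constructed and every address in it is a placeholder.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: placeholders, not Phished's real contacts or URLs.
SAMPLE_SECURITY_TXT = """\
# security.txt (constructed example)
Contact: mailto:security@example.com
Contact: https://example.com/responsible-disclosure
Expires: 2026-01-01T00:00:00Z
Policy: https://example.com/responsible-disclosure
Preferred-Languages: en, nl
Canonical: https://example.com/.well-known/security.txt
"""

REQUIRED = ("contact", "expires")                 # mandatory per RFC 9116
SINGLE_VALUED = ("expires", "preferred-languages")  # must not be repeated
CONTACT_SCHEMES = ("mailto:", "https:", "tel:")     # allowed Contact URIs


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Parse 'Field: value' lines into {field (lower-cased): [values]}.

    Field names are case-insensitive; '#' comments and blank lines are
    skipped. A non-comment line without a ':' separator is a syntax error.
    """
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate(fields: dict[str, list[str]], now: datetime) -> list[str]:
    """Return a list of problems; an empty list means the file passes."""
    problems: list[str] = []
    for f in REQUIRED:
        if f not in fields:
            problems.append(f"missing required field: {f}")
    for f in SINGLE_VALUED:
        if len(fields.get(f, [])) > 1:
            problems.append(f"field must appear only once: {f}")
    for c in fields.get("contact", []):
        if not c.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"contact must use a mailto:, https: or tel: URI: {c}")
    for e in fields.get("expires", [])[:1]:
        try:
            expires = datetime.fromisoformat(e.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"expires is not an ISO 8601 date-time: {e}")
            continue
        if expires.tzinfo is None:
            problems.append(f"expires lacks a timezone offset: {e}")
        elif expires <= now:
            problems.append(f"security.txt has expired: {e}")
        elif expires - now > timedelta(days=365):
            # RFC 9116 recommends an Expires value less than a year ahead.
            problems.append(f"warning: expires is more than a year away: {e}")
    return problems


def check_security_txt(text: str, now_iso: str) -> list[str]:
    """Parse and validate in one call; now_iso is an ISO 8601 timestamp."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return validate(parse_security_txt(text), now)


if __name__ == "__main__":
    today = datetime.now(timezone.utc).isoformat()
    for problem in check_security_txt(SAMPLE_SECURITY_TXT, today) or ["ok"]:
        print(problem)
```

The file is served at /.well-known/security.txt over HTTPS; the Expires check matters because researchers are told to disregard an expired file, so an organisation that forgets to refresh it silently loses its disclosure channel.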

Where is user data stored?

At Phished, all user data is stored in highly secure data centers located in both Europe and North America. This setup ensures compliance with the highest international standards for privacy, security and legal protection, including GDPR and other applicable regulations.

Phished applications are hosted as distributed container-based applications on Google Cloud Platform (GCP) in Belgium. Our backend production databases are hosted in the same region. Highly available failover databases are located in the same region but in a different zone.

How is the user data processed?

A detailed list of sub-processors can be consulted in our Data Processing Agreement. We have data processing agreements in place with all our sub-processors in accordance with Article 28 of the GDPR. These agreements include standard contractual clauses for data transfers to third countries. Our sub-processors' primary data centers are located in the EEA, but they may transfer data outside the European Economic Area if their main office is located in the USA. However, all personal data is always encrypted at rest and in transit to ensure its security. We have executed a Data Protection Impact Assessment (DPIA) and a Data Transfer Impact Assessment (DTIA) for every sub-processor, and they are ISO27001 and SOC2 compliant.