
    Data Processing Agreement

    PhishFortress Data Processor Terms

    Last Updated: February 2024

    1. Introduction & Definitions

    This Data Processing Agreement ("DPA") supplements the PhishFortress Terms of Service and governs how PhishFortress processes personal data on behalf of customers ("Controllers") who use our phishing simulation and threat detection platform.

    Data Controller: Your organization that determines the purposes and means of processing personal data in PhishFortress

    Data Processor: PhishFortress, which processes personal data on your behalf per your instructions

    Personal Data: Any information relating to identified or identifiable individuals, including email addresses, user IDs, engagement metrics, and metadata

    Processing: Any operation on personal data such as collection, storage, analysis, transfer, or deletion

    2. Scope & Applicability

    This DPA applies to all personal data processed by PhishFortress in connection with providing the Service, including:

    • Phishing simulation campaign data
    • User engagement metrics and behavioral data
    • Email metadata and threat intelligence
    • Integration data from third-party security tools
    • Account administrator information

    3. Your Responsibilities as Controller

    You are responsible for:

    • Determining lawful basis for processing and obtaining necessary consents
    • Providing accurate instructions to PhishFortress regarding data processing
    • Ensuring data processing complies with applicable laws (GDPR, CCPA, HIPAA, etc.)
    • Notifying affected individuals about phishing simulations
    • Handling data subject requests (access, deletion, etc.)
    • Reporting security incidents and breaches
    • Maintaining data security on your end

    4. PhishFortress Responsibilities

    PhishFortress commits to:

    • Process personal data only according to your documented instructions
    • Maintain data security using industry-standard safeguards
    • Restrict employee access to personal data based on need-to-know
    • Implement technical and organizational security measures
    • Assist you in fulfilling data subject rights requests
    • Notify you of suspected breaches without undue delay
    • Delete or return personal data upon contract termination
    • Allow audits and compliance assessments

    5. Data Security & Technical Measures

    PhishFortress implements:

    • AES-256 encryption for data at rest
    • TLS 1.2+ encryption for data in transit
    • Multi-factor authentication (MFA) for all accounts
    • Role-based access controls (RBAC) limiting employee access
    • Regular security audits and penetration testing
    • Vulnerability management and patch procedures
    • Intrusion detection and monitoring systems
    • SOC 2 Type II compliance and certification
    • Data loss prevention (DLP) controls

    6. Sub-Processing & Vendors

    PhishFortress may engage sub-processors (cloud hosting providers, analytics services, email delivery partners) to deliver the Service. We maintain a list of authorized sub-processors:

    • Amazon Web Services (AWS) for infrastructure
    • Supabase for database services
    • SendGrid for email delivery
    • Datadog for monitoring and logging

    You will be notified of any material changes to sub-processors with at least 30 days' notice.

    7. Data Subject Rights

    PhishFortress assists you in fulfilling data subject requests for:

    • Right to Access: Providing copies of personal data
    • Right to Rectification: Correcting inaccurate data
    • Right to Erasure: Deleting personal data upon request
    • Right to Data Portability: Exporting data in portable format
    • Right to Restrict Processing: Limiting processing pending verification
    • Right to Object: Opting out of processing

    Requests should be submitted through your PhishFortress account or directly to privacy@phishfortress.com.

    8. International Data Transfers

    PhishFortress may transfer personal data internationally. To ensure GDPR compliance for EU data:

    • We use Standard Contractual Clauses (SCCs) for data transfers
    • We implement Binding Corporate Rules (BCRs) where applicable
    • We conduct Transfer Impact Assessments (TIA)
    • Data is protected by equivalent security in destination countries

    9. Data Retention & Deletion

    Retention periods:

    • Campaign Data: 24 months or until campaign deletion
    • Account Information: Duration of agreement plus 90 days
    • Audit Logs: 7 years (per compliance requirements)

    Upon contract termination or your request, PhishFortress will securely delete all personal data unless retention is required by law.

    10. Breach Notification

    PhishFortress will notify you of any confirmed or suspected security breach involving personal data:

    • Without undue delay (target: within 24 hours)
    • With details of affected data and individuals
    • With information about the scope and nature of the breach
    • With recommendations for protective measures

    Notification email: security@phishfortress.com

    11. Audits & Compliance Assessments

    You have the right to audit PhishFortress's data processing practices:

    • Request SOC 2 Type II audit reports
    • Request compliance certifications (GDPR, ISO 27001, etc.)
    • Conduct security assessments (with prior notice)
    • Request DPA attestations for regulatory compliance

    Requests can be submitted to: compliance@phishfortress.com

    12. Term & Termination

    This DPA is effective upon signature and continues for the duration of the PhishFortress Service agreement. Upon termination:

    • PhishFortress will securely delete all personal data
    • You may request data export in portable format
    • Audit logs may be retained per legal obligations

    13. Amendments

    PhishFortress may modify this DPA to comply with new regulations or enhance security. Material changes will be communicated 30 days in advance. Continued use of the Service indicates acceptance of amendments.

    14. Contact Information

    For DPA-related inquiries:

    PhishFortress Data Protection Officer (DPO)
    Email: dpo@phishfortress.com
    Response time: Within 5 business days

    For Compliance Issues:
    Email: compliance@phishfortress.com

    This Data Processing Agreement ensures PhishFortress meets GDPR, CCPA, and international data protection standards.

    © 2026 PhishFortress. All rights reserved.