
Data Processing Agreement.

This DPA forms part of every SimuPhish customer agreement and governs the processing of personal data we handle on your behalf. A plain-language summary follows; the long form is available on request.

Last updated: January 2026

1. Roles.

Customer is the controller. SimuPhish is the processor. Where SimuPhish independently determines the purpose of any processing (for example, billing or our own security operations), SimuPhish acts as a controller for that limited scope.

2. Scope of processing.

We process personal data only to provide SimuPhish, deliver the modules in your order form, and produce the reporting you request. Categories include directory data (name, role, manager), behavioral signals (clicks, reports, completion), and aggregated posture (HDR Score).

3. Subprocessors.

Our current subprocessor list is published at simuphish.com/trust-center/subprocessors and is updated 30 days before any change takes effect. You may object in writing; if we cannot resolve the objection, you may terminate the affected service for cause.

4. Security.

We maintain SOC 2 Type 2 and ISO 27001 controls. Data is encrypted at rest with AES-256 using AWS KMS-managed keys and in transit with TLS 1.3. We commission annual third-party penetration testing. Customers receive the latest reports under NDA.

5. International transfers.

EU SCCs, UK IDTA, and UAE PDPL-aligned terms apply by default. Local data residency in 170+ countries is available on Enterprise. Customers can pin storage to EU only, US only, UAE only, or India only.

6. Data subject rights.

Customer admins can fulfil access, rectification, erasure, restriction, and portability requests directly inside the product. We assist within 5 business days for any request that needs our help.

7. Breach notification.

Confirmed personal data incidents are reported to affected customers within 24 hours of confirmation, with a written follow-up within 72 hours. Reports include scope, root cause, and remediation.

8. Return and deletion.

On termination, customers receive a full CSV export within 7 days. All customer personal data is deleted from production within 30 days and from backups within 90 days.

Questions on this policy?

Talk to a real person.

Email privacy@simuphish.com. We reply within one business day. No bots, no ticket queues.
