Security
SimuPhish is built by security operators, for security operators. Below is a clean, no-marketing-spin breakdown of how we run.
Compliance.
SimuPhish operates against SOC 2 Type 2, ISO 27001, GDPR, and CCPA. Our latest audit reports are available under NDA. We also support customer-led pen-testing on a 30-day notice.
Primary infrastructure runs on AWS across us-east-1 (Virginia) and eu-west-1 (Ireland). Customer data is encrypted at rest with AWS KMS-managed keys (AES-256) and in transit with TLS 1.3. Enterprise customers can request EU-only or US-only data residency.
We collect only what's needed to coach employees and report posture. Phishing-drill password inspection runs in memory. Submitted credentials are hashed for weakness analysis and discarded immediately, never persisted. Customer data is deleted within 30 days of contract end.
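To make the "hash, analyze, discard" handling concrete, here is an added illustration of the pattern described above. It is not SimuPhish's code: the weak-password list, the specific checks (length, character classes, membership in a digest list) and the record shape are assumptions chosen for the example. The point it shows is that the only thing that survives the call is a verdict, with neither the plaintext nor its digest reaching the returned record.

```python
import hashlib
from dataclasses import dataclass, asdict

# Constructed sample list for this example only (assumption). A real
# deployment would load digests of a common-password or breach corpus.
_WEAK_SAMPLES = ["password", "Password123", "123456", "qwerty", "letmein"]


def _digest(value: str) -> str:
    """SHA-256 hex digest; used so comparisons never touch plaintext lists."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


# Keep only digests of the weak list in memory, not the plaintext entries.
WEAK_DIGESTS = frozenset(_digest(p) for p in _WEAK_SAMPLES)


@dataclass(frozen=True)
class Verdict:
    """What the coaching/reporting layer is allowed to see."""
    drill_id: str
    too_short: bool
    in_weak_list: bool
    no_mixed_classes: bool

    @property
    def weak(self) -> bool:
        return self.too_short or self.in_weak_list or self.no_mixed_classes


def inspect_submitted_credential(drill_id: str, submitted: str) -> dict:
    """Analyze a drill submission in memory and return a verdict record only.

    The plaintext and its digest are local variables; they are dropped
    before the function returns and are never written anywhere.
    """
    digest = _digest(submitted)
    classes = sum([
        any(c.islower() for c in submitted),
        any(c.isupper() for c in submitted),
        any(c.isdigit() for c in submitted),
        any(not c.isalnum() for c in submitted),
    ])
    verdict = Verdict(
        drill_id=drill_id,
        too_short=len(submitted) < 12,          # threshold is an assumption
        in_weak_list=digest in WEAK_DIGESTS,
        no_mixed_classes=classes < 3,           # threshold is an assumption
    )
    del submitted, digest  # discard immediately; nothing below can use them
    return {**asdict(verdict), "weak": verdict.weak}


def leaks_credential(record: dict, submitted: str) -> bool:
    """Self-check: True if the verdict record carries the plaintext or digest."""
    values = " ".join(str(v) for v in record.values())
    return submitted in values or _digest(submitted) in values


if __name__ == "__main__":
    rec = inspect_submitted_credential("drill-01", "Password123")
    print(rec)                                   # verdict fields only
    print("leaks:", leaks_credential(rec, "Password123"))
```

The `leaks_credential` helper is the kind of assertion worth keeping in a test suite for any pipeline that promises not to persist submitted secrets: it fails loudly if a refactor ever lets the plaintext or its hash slip into the stored record.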
SAML SSO and SCIM provisioning across Okta, Google Workspace, Microsoft Entra, and Azure AD. Role-based permissions, full audit log, and break-glass admin recovery. Included on every plan.
Our security team operates a 24-hour disclosure SLA on confirmed incidents. Reach us at contact@simuphish.com. PGP key available on request.
We don't sell, share, or train third-party models on customer data. Full privacy policy and DPA on request. We support EU SCCs and the UK IDTA out of the box.
Strictly-necessary cookies only on the marketing site. No tracking pixels. The product itself uses session and preference cookies. No third-party analytics or advertising tags.
Commercial terms, MSA, and DPA are available before contracting. Standard agreements are negotiated on a 30-day cycle; we redline like adults.