Security & Compliance

At CanIPhish, we take data privacy and security seriously, and we are committed to safeguarding the sensitive information entrusted to us by our customers. As part of our cloud computing and infrastructure hosting services, we utilize Amazon Web Services (AWS) as a subprocessor to store and manage customer data securely.

As a subprocessor, AWS plays a crucial role in maintaining the reliability, scalability, and security of our platform. We store sensitive customer information, including Email Addresses, First Names, Last Names, Job Titles, Company Names, Countries, Phone Numbers, and Preferred Languages, within AWS infrastructure. This data is protected using industry-standard encryption and access controls to ensure its confidentiality and integrity.

In addition to customer data, CanIPhish also stores confidential information within AWS, such as campaign statistics, employee risk scores, and other tenant metadata. We understand the significance of this information and have implemented robust security measures to prevent unauthorized access, data breaches, and misuse.

We are committed to being transparent about our data processing activities and have implemented appropriate contractual safeguards with AWS to protect customer data. Our data processing practices adhere to applicable privacy laws and regulations, and we strive to exceed industry standards for data security and privacy protection.

Microsoft 365

As part of CanIPhish's commitment to providing reliable collaboration services, we utilize Microsoft 365 (M365) as a subprocessor to deliver various communication and storage solutions.

M365 offers a range of robust tools, including Exchange Online for email communication, Microsoft Teams for video conferencing, and OneDrive for cloud storage. These services enable us to enhance collaboration and productivity while maintaining the security and integrity of our customers' information.

Microsoft Azure

To support our innovative conversational phishing engine, we utilize Microsoft Azure as a subprocessor.

Microsoft Azure offers a range of Artificial Intelligence (AI) services, notably Azure OpenAI. It's important to note that when using Azure OpenAI, no data is shared with OpenAI, the organization. This service comprises the trained Generative AI models that OpenAI has developed.

By leveraging Azure OpenAI, CanIPhish is able to have highly realistic and contextually appropriate conversations with employees in support of simulated phishing activities. During the course of these conversations, employee information may be shared with the Azure OpenAI service as it will read employee responses to determine the best counter-response.

CanIPhish utilizes Azure's global infrastructure to ensure that the location where these requests are processed matches the storage location of CanIPhish customer tenants. Two exceptions to this are:

• Singapore Storage Location - Azure OpenAI processing is conducted out of Japan.
• United Arab Emirates Storage Location - Azure OpenAI processing is conducted out of Germany.

CanIPhish prioritizes the security and privacy of our customers' sensitive information, especially when it comes to payment processing and subscription management services. As part of our commitment to providing a seamless and secure payment experience, we rely on Stripe as a subprocessor to handle the collection, storage, and processing of customer payment information.

Stripe is a trusted and reputable payment processing platform that specializes in secure and reliable transactions. It enables us to securely collect and manage sensitive information, including email addresses, first names, last names, billing addresses, as well as payment details such as Credit Card Information and Bank Account Information.

We have chosen Stripe as a subprocessor due to their industry-leading security measures and dedication to protecting customer data. Stripe maintains a robust infrastructure and implements stringent security protocols to ensure the confidentiality and integrity of the information it handles.

When utilizing Stripe's services, CanIPhish adheres to best practices and industry standards to protect customer data throughout its lifecycle. We have implemented secure transmission protocols and encryption mechanisms to safeguard data in transit, and we store customer information securely within Stripe's infrastructure using industry-standard security measures.

We understand the importance of compliance with relevant data protection regulations and have established appropriate contractual safeguards with Stripe. These safeguards ensure that customer data is processed in accordance with applicable privacy laws and regulations.

At CanIPhish, we strive to provide exceptional customer support and ensure the security and privacy of our customers' sensitive information. To deliver efficient knowledge base and live chat services, we utilize Zendesk as a subprocessor.

Zendesk offers a robust platform that enables us to provide a comprehensive knowledge base and real-time assistance through live chat. As a subprocessor, Zendesk may store and process sensitive customer information communicated through live chat.

We understand the importance of safeguarding customer data and have implemented stringent security measures to protect it throughout its lifecycle. CanIPhish follows industry best practices and takes appropriate technical and organizational measures to ensure the confidentiality and integrity of customer information.

When utilizing Zendesk's live chat services, we prioritize the security and privacy of customer communications. We employ encryption protocols and secure transmission channels to protect the information exchanged during live chat sessions. Furthermore, we restrict access to customer data only to authorized personnel who require it to provide support and resolve queries.

CanIPhish maintains strict data protection standards and complies with applicable privacy laws and regulations. We have implemented appropriate contractual safeguards with Zendesk to ensure that customer data processed through their platform remains protected.

At CanIPhish, we are committed to safeguarding the security and privacy of our customers. To enhance our cybersecurity offerings, we use Have I Been Pwned as a subprocessor for our dark web monitoring services. This allows us to provide an advanced level of protection and awareness to our customers.

Have I Been Pwned are an Australian-based business that is widely recognized and trusted. It serves as a valuable resource for individuals and organizations to check if their email addresses and associated accounts have been compromised in data breaches or security incidents.

As part of our dark web monitoring service, we share employee email addresses with Have I Been Pwned. This is essential to effectively monitor and identify potential security threats. By sharing this information, we can compare it to data available on the dark web and in data breaches, enabling us to notify you if any employee email addresses are compromised.

It's important to note that the sharing of employee email addresses with Have I Been Pwned is encrypted in-transit, and conducted with the utmost concern for data privacy. We adhere to strict data protection standards and practices to ensure the confidentiality and integrity of the information shared.

We value the privacy of our customers and understand that not everyone may wish to participate in this service. Therefore, our dark web monitoring service is entirely opt-in. Customers have the choice to decide whether they want to take advantage of this additional layer of security.

No data is shared with Have I Been Pwned, unless you explicitly opt-in to use the dark web monitoring service.

CanIPhish utilizes ElevenLabs to provide Conversational AI services, specifically to power our outbound simulated voice phishing functionality. These AI-driven voice calls enable CanIPhish to conduct highly realistic and fully realistic voice phishing simulations that help our customers assess and improve employee awareness and response to voice-based phishing attacks.

ElevenLabs does not use or store any audio data processed during phone calls. Our use of ElevenLabs is structured to prioritize our customers' security and privacy. As part of this integration, ElevenLabs will process the following information:

• Call Audio Streams: Real-time audio of simulated calls, which are deleted immediately after the active call ends.
• Call Transcripts: Text transcripts generated live during the call, which are deleted immediately after the active call ends.
• Call Metadata: Timestamps, call duration, and anonymized session identifiers.
• Conversational AI Prompts: Which may include dynamically inserted information such as the employee's name and job title, which are deleted immediately after the active call ends.

CanIPhish has configured its ElevenLabs tenant in such a way that privacy is our most important priority. Specifically, the following configurations have been applied:

• CanIPhish’s workspace data is explicitly barred from being used to train any ElevenLabs AI models.
• CanIPhish’s AI agents have been configured to NOT store call audio once an active call is terminated.
• CanIPhish’s AI agents have been configured to immediately delete call transcripts once an active call is terminated.

These settings guarantee that no customer audio or transcripts persist within ElevenLabs beyond the live session, fully aligning with CanIPhish’s strict data-minimization and privacy-by-design principles.

No data is shared with ElevenLabs, unless you explicitly opt-in to use the simulated voice phishing service.

Twilio, Inc. is a leading cloud communications platform that enables developers and businesses to embed voice, messaging, video, and authentication capabilities into their applications via simple, scalable APIs. Trusted by millions of customers worldwide, Twilio’s global infrastructure powers billions of interactions each year, from SMS and voice calls to multi-factor authentication flows.

CanIPhish uses Twilio’s Verify API to confirm participants’ phone numbers via a double opt-in SMS workflow, ensuring all users in outbound simulated voice-phishing exercises have explicitly consented.

Twilio process the absolute minimum amount of PII needed to perform the double opt-in verification workflow. This includes the processing of employee phone numbers once the consent process has been initiated, along with the status of their verification.

No data is shared with Twilio unless you explicitly opt in to use the simulated voice phishing service.

At CanIPhish, we are committed to safeguarding the security and privacy of our customers. To enhance our simulated phishing offering, we use Telnyx as a subprocessor for our callback simulated phishing functionality. Telnyx are a global communications provider that facilitates Voice over Internet Protocol (VoIP) calls.

Telnyx does not use or store any audio data processed during phone calls. Our use of Telnyx is structured to prioritize the security and confidentiality of your data. As part of this integration, Telnyx will process the following information:

• Caller Phone Numbers: Telnyx processes the phone numbers involved in voice calls to route and connect calls correctly.
• Call Metadata: This includes information such as timestamps, call duration, and call status (e.g., connected, disconnected).
• Audio Data: During active voice calls, Telnyx handles the audio stream to facilitate real-time communication between participants. Telnyx does not store the audio data processed on these calls; it is only used for the duration of the call.

Telnyx processes the data mentioned above strictly for the purpose of enabling and managing voice communications within our security awareness training exercises. Telnyx adheres to stringent data protection and security measures to safeguard any data that is transmitted through its network. Telnyx's primary processing facilities are in the United States of America.

Depending on the origin and destination of a call, the call will be routed through the most appropriate Telnyx Point of Presence (PoP) to reduce latency.

At CanIPhish, we are dedicated to maintaining the highest standards of data privacy and security. To support our innovative conversational phishing engine, we utilize OpenAI as a subprocessor.

OpenAI is a leading artificial intelligence research lab known for its commitment to safe and responsible AI deployment. By leveraging the OpenAI API, CanIPhish interprets employee responses and seamlessly delivers contextually appropriate simulated phishing content. This interaction is powered by generative AI, providing a realistic and educational experience without actual risk.

Employee information is shared with OpenAI if the conversational phishing engine is used, and only for the specific employees targeted.

Data Privacy and Security Commitments:

• Data Usage: OpenAI does not use the data gathered through our usage of the OpenAI API to train their models or for any other purpose. The data is strictly used to provide the services requested by CanIPhish.
• Data Security: OpenAI upholds stringent security measures, evidenced by their SOC 2 Type 2 report. This report is maintained annually and reflects their commitment to the highest standards of security and operational excellence.

We value the privacy of our customers and understand that not everyone may wish to participate in this service. Therefore, our conversational phishing engine is entirely opt-in. Customers have the choice to decide whether they want to take advantage of functionality.

No data is shared with OpenAI, unless you explicitly opt-in to use the conversational phishing engine.

CanIPhish is committed to delivering effective email marketing automation services while upholding the highest standards of data privacy and security. To achieve this, we utilize Klaviyo as a subprocessor to support our email marketing campaigns.

Klaviyo is a trusted platform that enables us to efficiently manage and automate our email marketing efforts. As a subprocessor, Klaviyo may communicate and store sensitive customer information, including email addresses, first names, and last names.

We understand the importance of safeguarding customer data and have implemented robust security measures to protect it throughout its lifecycle. CanIPhish adheres to industry best practices and employs appropriate technical and organizational measures to ensure the confidentiality and integrity of customer information.

When utilizing Klaviyo's services, we prioritize the security and privacy of customer data. We have implemented industry-standard encryption and access controls to protect the information shared and stored within Klaviyo's platform.

We continually review and update our security practices to align with evolving industry standards and mitigate potential risks. CanIPhish remains committed to the responsible handling of customer information and strives to maintain the trust you place in us.