Security & Compliance
CanIPhish has the responsibility of storing confidential information about employees and their phish click tendencies. We take great care to ensure that our security measures are sufficient for this sensitive task.
In this document we highlight our key security practices which we feel provide the most value to our clients.
Legal Documents & Compliance Statements
- Mutual Non-Disclosure Agreement (NDA)
- Terms & Conditions
- Modern Slavery Statement
- Data Processing Agreement
Data Processing Agreement
A data processing agreement is a legally binding contract that states the rights and obligations of CanIPhish (acting as a data processor) and your company (acting as a data controller) concerning the protection of personal data. It completes CanIPhish’s Terms and Conditions and applies to personal data processing activities subject to GDPR.
In accordance with GDPR Article 28, Section 3, our data processing agreement includes assurances that:
- CanIPhish agrees to process personal data only on written instructions of your company.
- Everyone who comes into contact with data at CanIPhish is sworn to confidentiality.
- CanIPhish uses appropriate technical and organizational measures to protect the security of the data.
- CanIPhish will not subcontract to another processor unless instructed to do so in writing by your company, in which case another DPA will need to be signed with the sub-processor (pursuant to Sections 2 and 4 of Article 28).
- CanIPhish will help your company uphold its obligations under the GDPR, particularly concerning data subjects’ rights.
- CanIPhish will help your company maintain GDPR compliance with regard to Article 32 (security of processing) and Article 36 (consulting with the data protection authority before undertaking high-risk processing).
You can download our data processing agreement in PDF format: Data processing agreement 1.1 (02/12/2022)
Acceptable use of information assets
Information assets can only be used in ways which ensure the integrity and safety of data and operational systems.
- We try to avoid disruptions. Activities that interfere with other users, create a security risk, or break the law are prohibited.
- The software we use is secure. Software installed on computers by employees must first be approved.
- We stay on top of malware. We make sure our software is always up to date so that known vulnerabilities are patched before they can be exploited.
Cloud infrastructure
We use industry-leading cloud infrastructure to keep the information you store in CanIPhish secure.
- Amazon Web Services (AWS) hosts our products. Our software and your data are hosted on AWS. AWS holds a long list of data security certifications and maintains extensive physical security controls.
- Your data is stored in a region you choose. We let you choose between data storage in Australia, United States of America, United Kingdom, Canada, South Africa, Germany, United Arab Emirates or Singapore.
- Your data is encrypted at rest and in transit. Our database is protected with encryption and our service doesn't allow non-HTTPS traffic.
- Our infrastructure is protected by a web application firewall (WAF). Anomalous actions and malicious payloads, such as OWASP Top 10 related threats, are logged and monitored.
- Our infrastructure is scalable. When demand is high our service can acquire more computing resources to remain responsive.
- Administrative actions are logged. We are able to see what administrators access or change within AWS.
Information classification & handling
CanIPhish has a robust policy for classifying information such that it can be handled appropriately.
- We assign all our data a level of sensitivity. Each level has progressively stricter requirements for security.
- Our storage and transfer methods meet each level's requirements. We adapt our business processes to fulfil the security requirements of the information we are handling.
- We follow a due diligence process. We calculate a security score for every service we use. We use this score to decide what information can be stored on the service.
- Your data is assigned the highest level of sensitivity. When handling your data we require two different factors to authenticate ourselves (i.e. something we know and something we have).
Data security & loss prevention
CanIPhish is a cloud service and relies heavily on other cloud services. This means that the integrity of our data is outsourced to dependable companies like AWS, Microsoft and Google.
- The data you store in CanIPhish is backed up regularly. We schedule automatic database backups to mitigate the unlikely event of loss or corruption. These backups are stored in various data centres across the region you configure during sign-up.
- Ransomware attacks are mitigated through cloud storage. We don't rely on local storage for important information. All our data is backed up with version history.
- DDoS attacks are mitigated through AWS. AWS has WAF infrastructure and CDN services capable of withstanding DDoS attacks.
- We encrypt our devices to secure the information on them. Information on our devices is unreadable without their decryption keys, even if they are stolen by a sophisticated party.
- We only use websites that serve HTTPS. Our web browsers prevent us from visiting websites that don't meet web security standards.
Passwords & authentication
At CanIPhish we closely follow the Australian Government Information Security Manual (ISM) and NIST SP 800-53 compliance frameworks. Protection of our own passwords is important for maintaining the security of the infrastructure that stores and transfers your data.
- We use a password manager. Our password manager generates, stores and distributes our passwords for us. There are only a few circumstances where we need to create and remember a password ourselves.
- We never reuse passwords between services. Randomly generating passwords means this is very rarely a problem.
- Our passwords are secured with symmetric key encryption. They can only be decrypted by someone who possesses the correct master password, which isn't known to our provider.
- We use Multi-Factor Authentication (MFA) whenever possible. Where possible we also enable additional authentication methods depending on the service.
- You can enable MFA for yourself on CanIPhish. We integrate with Google Authenticator to allow you to enforce MFA for everyone with access to your tenant.
Security incident management
Security incidents are managed through a standard process that allows us to use incidents as an opportunity to improve the business.
- We treat security vulnerabilities seriously. We assess the potential impact of a vulnerability before it is exploited. This helps ensure that weaknesses are never left unactioned until it is too late.
- Incidents have extensive assessment criteria. We are able to effectively assess the impact of an information security incident on the parties involved.
- Transparency is a part of the process. In compliance with the Australian Notifiable Data Breaches scheme and Australian privacy law, we report information security incidents to affected parties.
- We have a no-blame security culture. Employees are encouraged to report security incidents with a reasonable expectation of impunity.
Personnel security
We have multiple controls that ensure that we maintain a good level of personnel security.
- We abide by a clear desk and screen policy. We make sure our workspaces never have unattended sensitive items, including unlocked computers, phones, flash drives and keys.
- We connect to a Virtual Private Network (VPN) when working remotely. Some of our services have firewall rules that require us to be physically at the office or connected to the VPN. It also provides us with extra security when using less secure networks.
- Not downloading data is encouraged. We prefer to interact with business data through cloud services like Office 365. This prevents information from being permanently stored in unnecessary locations.
Reporting security issues
If you want to report a security issue with our software please send an email to firstname.lastname@example.org. You can also view our security.txt file.