Security & Compliance

CanIPhish has the responsibility of storing confidential information about employees such as phishing interactions and training statistics. We take great care to ensure that we have fit-for-purpose controls.


Verification of our compliance against global standards achieving certifications, attestations or audit reports.


We rely on various subprocessors to handle data on our behalf. These providers are carefully selected and regularly audited.

Security Controls

Security controls and capabilities CanIPhish implement to ensure fit-for-purpose protections are applied where they're needed most.

Data Security

Data Classification Policy
Access Control Policy
Daily Database Backups
Database Access Restricted
Database Encrypted At-Rest

Network Security

Web Application Firewall
Direct Access Disabled (SSH/RDP)
Network Logging & Monitoring
Managed DDoS Protection
Data Encrypted In-Transit

Application Security

Responsible Disclosure Process
Annual Penetration Testing
Daily Vulnerability Scanning
Secure Development Practices
Change Management Practices

Infrastructure Security

Hardened Infrastructure
Automated Security Patching
Multiple Availability Zones
MFA on Administrator Console
Auto-Scaled & Load-Balanced

Product Security

Cloud Anomaly Detection
Cloud Configuration Security
Cloud Identity Security
Cloud Workload Protection
System Availability Monitoring

Organisational Security

Monthly Phishing Simulations
Annual Security Awareness Training
Endpoint Configurations Hardened
Endpoint Anti-Malware Protection
MDM Managed Endpoints

Frequently Asked Questions

Under no circumstances will CanIPhish sell your data to third-parties.

CanIPhish use various subprocessors to provide functionality necessary to operating the CanIPhish Cloud Platform. These subprocessors are documented in the Subprocessors section of the Security & Compliance page. This section includes the reason for their use, data shared, data security practices, and data storage locations.

Data stored or communicated is always secured using industry accepted cryptographic cipher-suites, algorithms, and protocols. For data in-transit, this is secured with at least TLSv1.2 encryption. For data stored at-rest, this is secured with at least AES-256 encryption.

CanIPhish enforces MFA for all users via AWS SSO when accessing the production AWS environment. This same practice is followed across all our subprocessors, with MFA enforced for all user access.

CanIPhish provide configurable data storage options during the account setup process. You can choose between data storage in Australia, United States of America, United Kingdom, Canada, South Africa, Germany, United Arab Emirates or Singapore. Data stored in the selected location include employee lists, phishing campaign statistics, training campaign statistics, employee risk scoring and scheduled reports.

As part of the CanIPhish onboarding process, national police checks are performed in the jurisdiction in which the employee is located. As all CanIPhish employees are within Australia, this is a national Australian police check and no adverse outcomes have been observed for any employee.

Additional Information

CanIPhish is a privately held software company that develops the CanIPhish Cloud Platform. The platform is designed to reduce the difficulty, complexity and cost associated to delivering simulated phishing and security awareness training to employees. The data we collect is limited to what is required to deliver this service to our customers. For more information you can send us a message at

Our policies, standards, procedures and guidelines are based on the NIST Cybersecurity Framework (NIST CSF) and ACSC Information Security Manual (ACSC ISM). Supplementary guidance is taken from ISO27002, CIS Top 18 cyber controls, CIS benchmarks, and the OWASP Application Security Verification Standard (OWASP ASVS).

If you would like to report a security issue, please send an email to You can also view our security.txt file.