Security and Compliance Overview

Last modified: Thursday 25th September 2025

1. Introduction

PhishTool is designed for security analysts and enterprise teams to investigate phishing threats. We recognise that customers entrust us with sensitive data, and we are committed to protecting that trust through strong security controls, clear governance, and compliance with international standards such as the UK GDPR and EU GDPR.

This document provides a comprehensive overview of PhishTool’s approach to security and compliance, including infrastructure, data protection, operational controls, and our compliance roadmap.

2. Hosting & Infrastructure

  • Services are hosted exclusively in Amazon Web Services (AWS) Dublin (eu-west-1).
  • S3 is used for file storage.
  • MongoDB is hosted in a private AWS VPC in Dublin.
  • ElastiCache (Redis) provides caching.
  • EC2 and AWS Lambda support compute and serverless functions.
  • All workloads run within PhishTool’s dedicated AWS account.

Availability & Resilience

  • Services are deployed across multiple availability zones to ensure resilience.
  • AWS provides infrastructure redundancy and data durability (e.g., S3 with 99.999999999% durability).
  • Stateless EC2 instances are reprovisioned regularly to maintain integrity and ensure timely application of security patches.

3. Data Security

Encryption

  • At rest: All data are encrypted using AES-256.
  • In transit: All data are encrypted using TLS 1.2/1.3.

Access Controls

  • Role-based access control (RBAC) applies across AWS, MongoDB, and Redis.
  • The principle of least privilege is enforced at every level.
  • A dedicated provisioning account, protected by hardware token MFA (YubiKey), is used solely for account and role creation.

Logging & Audit

  • All administrative actions are logged.
  • Logs are stored centrally and monitored for anomalous activity.

4. Access Management

  • MFA enforced for AWS, database access, and PhishTool internal management functions.
  • Staff accounts are provisioned only as needed, with formal onboarding/offboarding controls.
  • Access rights are reviewed regularly to ensure they remain appropriate.
  • Sensitive administrative access requires a YubiKey hardware token.

5. Monitoring & Vulnerability Management

  • Backups: Performed hourly, daily, and weekly for the PhishTool database. Backup restoration is tested to ensure recoverability.
  • Monitoring: Uptime, performance, and anomalies are continuously monitored via AWS APIs and custom alerting integrated into a centralised log management platform.
  • Vulnerability Management:
    • Regular web application vulnerability scans (at least annually).
    • Patch Management: Stateless EC2 instances are updated with security patches on provisioning and are regularly reprovisioned.
    • Penetration Testing: Independent third-party penetration testing is planned in alignment with our certification roadmap.

6. Compliance & Certifications

Current Position

PhishTool does not yet hold formal certifications. However, many of our practices exceed baseline requirements, including:

  • Hardware token MFA for administrative accounts.
  • Stateless, regularly reprovisioned compute instances.
  • Strict least privilege access enforcement.

Roadmap

  • Cyber Essentials Plus (target: near-term).
  • SOC 2 Type II (target: mid-term).
  • ISO 27001 (target: mid-term/long-term).

7. Incident Response & Breach Handling

  • PhishTool maintains a documented incident response process.
  • Incidents are led by internal PhishTool staff, with the option to engage external providers if escalation is required.
  • Customers are notified without undue delay in the event of a personal data breach, in line with GDPR Article 33.
  • Incident response covers detection, containment, eradication, and post-incident review.

8. Business Continuity & Disaster Recovery

  • Resilience: Multi-AZ deployments within AWS Dublin.
  • Backups: Hourly, daily, weekly database backups with tested restoration.
  • Recovery Objectives:
    • RPO (Recovery Point Objective): ≤ 1 hour.
    • RTO (Recovery Time Objective): ≤ 24 hours.
  • Continuity Testing: Backup restoration and failover are tested periodically.

9. Employee Security & Awareness

  • Staff are required to use MFA and least privilege accounts.
  • All employees with access to customer data or infrastructure receive security awareness training during onboarding and at least annually.
  • Internal policies (Information Security, Acceptable Use, Breach Response) govern employee behaviour and access.

10. GDPR & Data Protection

  • Role Allocation: Customers act as data controllers; PhishTool acts as data processor.
  • Subprocessors: AWS, Stripe, NatWest, HubSpot, DocuSign. All subprocessors are bound by GDPR-compliant terms.
  • Data Location: All data remain in the EU (AWS Dublin).
  • Retention & Deletion: Data can be deleted on request; backups are purged within 30–60 days.
  • Data Subject Rights: PhishTool assists customers in fulfilling GDPR rights requests.

11. Customer Responsibilities

  • Customers are responsible for managing their own user accounts and access controls.
  • Customers should enable MFA on PhishTool accounts.
  • Customers are responsible for secure configuration of mailbox integrations and API usage.

12. Conclusion

PhishTool is committed to ensuring the confidentiality, integrity, and availability of customer data. While we are still progressing toward formal certifications, our security practices already exceed common standards.

We maintain strong encryption, strict access controls, comprehensive monitoring, and a defined incident response process. We are transparent with customers about our subprocessors and data handling, and we provide clear deletion and retention guarantees in line with GDPR.

Customers can be confident that PhishTool is built with security at its core.
