Last modified: Thursday 25th September 2025
1. Parties and Structure
This Service Agreement (“Agreement”) is between:
- PhishTool Limited (“PhishTool”, “we”, “us”), a company registered in England and Wales (Company Number: 12126730), with registered office at International House, 36–38 Cornhill, London, EC3V 3NG, United Kingdom; and
- Customer (“Customer”, “you”), the organisation purchasing Enterprise access to PhishTool services.
This Agreement incorporates and supplements:
- The Terms of Service (applicable to all users);
- The Privacy Policy;
- The Data Processing Agreement (DPA) (controller–processor documentation for Enterprise customers);
- Any Proof of Value Agreement (if applicable).
Order of precedence: (1) this Service Agreement, (2) DPA, (3) Terms of Service, (4) Privacy Policy.
2. Definitions
All definitions set out in the Terms of Service apply to this Agreement. In addition, the following definitions apply:
- Downtime: Period during which the service is unavailable, excluding permitted maintenance windows and exclusions.
- Monthly Uptime Percentage: Percentage of total minutes in a calendar month that the service is available, calculated as (total minutes – downtime) / total minutes × 100.
- Service Credit: A credit applied to Customer’s account in accordance with the SLA remedy provisions of this Agreement.
- Business Hours: 09:00–17:00 UK time, Monday to Friday, excluding public holidays in England.
- Support Request Categories: The categories of incidents defined in Section 5 of this Agreement.
3. Provision of Services
PhishTool shall provide Customer with access to its phishing analysis and investigation platform, including but not limited to:
- In-tray system for triage and case management;
- Email ingestion via mailbox integrations, API, or Outlook add-in;
- Analyst collaboration features;
- Reporting and metrics.
All services are hosted in Amazon Web Services (AWS) Dublin (eu-west-1).
4. Service Levels (SLA)
Availability
PhishTool will use commercially reasonable efforts to ensure the platform is available 99.9% of each calendar month, excluding permitted downtime.
Scheduled Maintenance
Regular maintenance windows will be communicated in advance. Emergency maintenance may occur where required for security or stability.
Service Credits
If monthly uptime falls below the SLA, Customer may claim service credits in accordance with the SLA schedule provided by PhishTool. Service credits are Customer’s sole and exclusive remedy for breach of this SLA.
Exclusions
Downtime does not include:
- Failures due to Customer misuse or unauthorised changes;
- Issues with third-party services outside PhishTool’s control;
- Force majeure events as defined in Section 13.
5. Support
Channels & Hours
Support is provided through PhishTool’s ticketing system (HubSpot) during Business Hours, unless otherwise agreed.
Response Targets
- Critical issues: response within 2 hours.
- High severity: response within 4 Business Hours.
- Medium severity: response within 1 Business Day.
- Low severity: response within 2 Business Days.
Escalation
Escalation procedures are maintained by PhishTool to ensure prompt resolution of major incidents.
6. Customer Responsibilities
Customer shall:
- Ensure authorised users comply with the Terms of Service;
- Maintain security of accounts and integrations;
- Ensure it has a lawful basis under GDPR for submitting personal data;
- Respond to data subject rights requests, with PhishTool providing reasonable support.
7. Data Protection & GDPR
- Roles
  - Customer is the data controller.
  - PhishTool is the data processor, processing personal data only on documented instructions from Customer.
- DPA
  - The parties agree to the Data Processing Agreement (DPA), which forms part of this Agreement.
- Hosting
  - Services are hosted exclusively in AWS Dublin (eu-west-1).
- Subprocessors
  - Customer authorises PhishTool to engage the following subprocessors:
    - Amazon Web Services EMEA SARL (Ireland) – hosting and infrastructure;
    - Stripe Payments Europe, Limited (Ireland) – card payment processing;
    - National Westminster Bank Plc (UK) – bank transfer payment processing;
    - HubSpot, Inc. (US, with EU/UK hosting where applicable) – inbound inquiries, CRM, and support ticket management;
    - DocuSign, Inc. (US, with EU/UK hosting where applicable) – secure digital signatures and contract management.
  - PhishTool will notify Customer of any intended changes to subprocessors and ensure subprocessors are bound by GDPR-compliant terms.
- Security
  - PhishTool implements appropriate technical and organisational measures, including encryption in transit and at rest, access controls, monitoring, and logging.
- Breach Notification
  - PhishTool will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer data.
- Retention & Deletion
  - Upon termination of this Agreement, or at Customer’s written request, PhishTool will delete Customer data from active systems without undue delay and from backups within 30–60 days.
  - Anonymised datasets may be retained for service improvement.
8. Fees and Payment
Fees are specified in the Order Form or invoice.
- Card payments are processed by Stripe Payments Europe, Limited (Ireland).
- Bank transfers are processed by National Westminster Bank Plc (UK).
- Fees are payable in full within the timeframe stated on the invoice.
9. Confidentiality
Each party agrees to maintain the confidentiality of non-public information disclosed under this Agreement and use it only for purposes related to this Agreement.
10. Intellectual Property
PhishTool retains all intellectual property rights in its services, software, and documentation. Nothing in this Agreement transfers ownership to Customer.
11. Liability
PhishTool shall not be liable for indirect, incidental, special, or consequential damages, including loss of profits, data, or goodwill.
PhishTool’s aggregate liability under this Agreement shall not exceed the total fees paid by Customer in the 12 months preceding the claim.
Nothing excludes liability for death, personal injury, fraud, or other liability which cannot be excluded by law.
12. Term and Termination
This Agreement commences on the Effective Date and continues for the Initial Term set out in the Order Form. It shall automatically renew for successive 12-month periods unless either party gives at least 60 days’ notice prior to renewal.
Either party may terminate immediately on written notice if the other party materially breaches and fails to cure within 30 days.
Upon termination, PhishTool shall delete Customer data in accordance with Section 7.7.
13. Miscellaneous
- Force Majeure: Neither party shall be liable for failure to perform due to events beyond reasonable control.
- Assignment: Neither party may assign without prior written consent, except in connection with a merger or acquisition.
- Severability: If any provision is invalid, the remainder remains in effect.
- Entire Agreement: This Agreement, together with referenced documents, constitutes the entire agreement.
- Notices: Notices shall be sent to the registered office addresses of the parties unless otherwise specified.
14. Governing Law
This Agreement is governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction.