Security & Compliance
At simUphish, we securely manage the employee data our service handles, including phishing incident records and training statistics, with controls tailored to that data.
GDPR Compliance
simUphish has conducted a privacy assessment and updated its Privacy Policy to meet GDPR requirements. We request and collect only the data necessary to provide our service. Our subprocessors are documented and audited, and data sharing with them is closely monitored. We ensure:
- Confidentiality commitment from all personnel.
- Implementation of appropriate security measures to safeguard customer data.
- Assistance in upholding GDPR obligations, including data subjects’ rights.
- Support in maintaining GDPR compliance, especially regarding Article 32 (security of processing) and Article 36 (consulting with data protection authorities for high-risk processing).
Legal Documents
- Mutual Non-Disclosure Agreement (NDA)
- Terms & Conditions
- Privacy Policy
- Subscription & Service Level Agreement
- Data Processing Agreement
Security Policies
- Information Security Policy
- Data Classification, Handling and Retention Policy
- Acceptable Use Policies
- Access Control Policy
- Incident Response Plans
Security Controls
The security measures and capabilities implemented by simUphish are listed below, grouped by domain, so that the strongest protections are applied where customer data is most exposed.
Data Security
- Data Classification Policy
- Access Control Policy
- Daily Database Backups
- Database Access Restricted
- Database Encrypted At-Rest
Network Security
- Web Application Firewall
- Direct Access Disabled (SSH/RDP)
- Network Logging & Monitoring
- Managed DDoS Protection
- Data Encrypted In-Transit
Application Security
- Responsible Disclosure Process
- Annual Penetration Testing
- Daily Vulnerability Scanning
- Secure Development Practices
- Change Management Practices
Infrastructure Security
- Hardened Infrastructure
- Automated Security Patching
- Multiple Availability Zones
- MFA on Administrator Console
- Auto-Scaled & Load-Balanced
Product Security
- Cloud Anomaly Detection
- Cloud Configuration Security
- Cloud Identity Security
- Cloud Workload Protection
- System Availability Monitoring
Organisational Security
- Monthly Phishing Simulations
- Annual Security Awareness Training
- Endpoint Configurations Hardened
- Endpoint Anti-Malware Protection
- MDM Managed Endpoints
Frequently Asked Questions
simUphish does not sell your data to third parties under any circumstances.
simUphish uses multiple subprocessors to provide the essential functions of the simUphish Cloud Platform. Details about each subprocessor, including its purpose, the data shared with it, its security measures, and its storage locations, are listed in the Subprocessors section of the Security & Compliance page.
Data is protected at rest and in transit using industry-standard cryptographic cipher suites, algorithms, and protocols. In transit, data is protected with TLS 1.2; at rest, it is encrypted with AES-256.
simUphish requires MFA for all users accessing the production AWS environment, enforced through AWS SSO (now AWS IAM Identity Center). The same policy applies to all our subprocessors, where MFA is likewise required for all user access.
simUphish lets you choose where your data is stored during account setup. Available regions are Australia, the United States of America, the United Kingdom, Canada, South Africa, Germany, the United Arab Emirates, and Singapore. The data stored in the chosen region includes employee lists, phishing campaign statistics, training campaign statistics, employee risk scores, and scheduled reports.
As part of simUphish onboarding, a national police check is conducted in the jurisdiction where the employee is based. Because all simUphish employees are located in Australia, this is a national Australian police check; no adverse outcomes have been reported for any employee.
Additional Information
simUphish is a privately held software company that develops the simUphish Cloud Platform. The platform simplifies the delivery of simulated phishing and security awareness training to employees by reducing complexity and cost. Our data collection is limited to the information necessary to provide this service to our customers. For further inquiries, please contact us at [email protected].
Our policies, standards, procedures, and guidelines are aligned with the NIST Cybersecurity Framework (NIST CSF) and the ACSC Information Security Manual (ACSC ISM). We also draw on supplementary guidance from ISO/IEC 27002, the CIS Critical Security Controls (the 18 controls), CIS Benchmarks, and the OWASP Application Security Verification Standard (OWASP ASVS).