Our Security Measures

We are committed to protecting the confidentiality, integrity and availability of our information systems and our customers' data. We continually improve our security controls and analyse their effectiveness to give you confidence in our solution. We are a Cyber Essentials certified business.

Here we provide an overview of some of the security controls in place to protect your data.


Data Center Physical Security

Facilities

We use IONOS for data center hosting. IONOS data centers are certified as ISO 27001 compliant by the Technical Inspection Association (TÜV).

IONOS employs robust controls to safeguard the availability and security of its systems, including backup power, fire detection and suppression equipment, and secure device destruction, amongst others.

On-Site Security

IONOS implements layered physical security controls, including vetted security guards, fencing, video monitoring, intrusion detection technology and more.


Network Security

Threat Detection

Our Platform leverages threat detection services within IONOS to continuously monitor for malicious and unauthorised activity.

Vulnerability Scanning

We perform regular internal vulnerability scans of our infrastructure. Identified issues are tracked until they are remediated.

DDoS Mitigation

The Platform layers several DDoS protection strategies and tools to mitigate DDoS threats. We use IONOS's DDoS protection to shield our site from incoming attacks, together with application-specific mitigation techniques.

Access Control

Access follows a least-privilege model: staff are granted only the access required to carry out their jobs. This is subject to frequent internal audit, technical enforcement and monitoring to ensure compliance. MFA is required for all production systems.


Encryption

In Transit

Communication with the Security Awareness Platform over public networks is encrypted with TLS 1.2 or higher. We monitor community testing and research in this area and continue to adopt best practice in cipher suite selection and TLS configuration.

At Rest

Platform data is encrypted at rest with industry standard AES-256 encryption. By default we encrypt at the asset or object level.

Credential Rotation

Credentials for the production database are rotated on a regular schedule, limiting the period for which any exposed credential remains usable.


Availability and Continuity

Uptime

The Security Awareness Platform is deployed on public cloud infrastructure. Thanks to multiple redundant connections to major Internet hubs, IONOS can offer close to 100% availability. Our services are deployed across multiple availability zones for resilience and are configured to scale dynamically in response to measured and expected load. Simulated load tests and API response time tests are part of our release and testing cycle.

Disaster Recovery

Our services are deployed in parallel at two separate data centres. In the event of a problem at one data centre, the system automatically switches to the second, ensuring our site remains available.

Database Recovery

Our database supports point-in-time recovery for up to four days and is also backed up manually every day, with the 30 most recent backups retained.

UPS Power Supply

IONOS data centres maintain an uninterruptible power supply (UPS) backed by VRLA batteries and emergency diesel generators.


Application Security

Quality Assurance

Our Quality Assurance team reviews and tests code on a per-pod basis. The security team has resources to investigate security vulnerabilities within code and to recommend remediation.

Environment Segregation

Testing, staging and production environments are logically separated from one another. No customer data is used in any development or test environment.

Application Scanning

SiteLock Site Scan is used to scan our site for malware and for known vulnerabilities that could allow unauthorised access.


Endpoint Security

Anti-Virus

We implement endpoint Antivirus and run daily scans on our machines.

Password Policy

We enforce a password policy on all servers, personal computers and laptops: passwords must be at least seven characters long and include at least one capital letter and one number. For comparison, NIST SP 800-63B sets a minimum of eight characters for user-chosen passwords and advises against composition rules.

Spam Checks

All incoming email is filtered for spam and quarantined for checking before it is delivered onto the network.

Remote Working

We operate a fully remote international team. Our remote working policy prohibits staff from working on personal computers unless this has been agreed in advance.


Personnel Security

Security Awareness

We deliver a robust Security Awareness Training programme: new hires complete it within 30 days of joining, and all employees receive it continuously thereafter. In addition, we roll out quarterly focused training to key departments on topics including Secure Coding, Data Legislation and Compliance obligations.

Information Security Program

We maintain a comprehensive set of information security policies covering a range of topics. These are disseminated to all employees and contractors, and acknowledgement is tracked for key policies such as the Acceptable Use Policy, the Information Security Policy and the Employee Handbook.

Employee Background Checks

All our employees undergo a background check prior to employment covering five years of criminal history, where legally permitted, and five years of employment verification.

Confidentiality Agreements

All employees are required to sign Non-Disclosure and Confidentiality agreements.

Access Controls

Access to systems and network devices is granted through a documented, approved request process. Logical access to platform servers and management systems requires multi-factor authentication. Access is further restricted by system permissions following a least-privilege methodology, and every permission requires a documented business need. Business need is revalidated quarterly to confirm that access remains commensurate with the user's job function, and any exceptions identified during verification or revalidation are remediated. User access is revoked on termination of employment or change of job role.


Data Privacy

Here is some key information on how we securely store your data.

What we're storing

We store only the information necessary, as provided by you. We never store any credentials that your users enter during a phishing simulation. By design, our phishing simulation landing pages have no functionality to capture the data entered into them, so whatever a user types is neither tracked nor stored. The landing page records only that the user failed the data entry portion of the test.
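As an added illustration of the design described above (example code written for this page, not Goldphish's own implementation), the following shows one way to build a landing page that can register a form submission without ever receiving the typed values. The credential inputs carry no `name` attribute, so the browser omits them from the POST body, and the server keeps nothing beyond the tracking token and a timestamp. The token format, the `/submit` path and the event names are assumptions.

```python
# Added example (not Goldphish's code): a phishing-simulation landing page that
# records only "the user submitted the form", never the submitted values.
import re
import time
from html import escape
from urllib.parse import parse_qs

TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{8,64}")  # assumed per-recipient token format


def render_landing_form(token: str) -> str:
    """Return the HTML form shown to the recipient.

    The email and password inputs deliberately carry no `name` attribute.
    Browsers omit unnamed controls from the POST body, so the typed values
    never leave the user's machine; only the hidden tracking token is sent.
    """
    return f"""<form method="post" action="/submit">
  <input type="hidden" name="t" value="{escape(token, quote=True)}">
  <input type="text" placeholder="Email" autocomplete="off">
  <input type="password" placeholder="Password" autocomplete="off">
  <button type="submit">Sign in</button>
</form>"""


def record_submission(raw_body: bytes, now=None) -> dict:
    """Turn a form POST into the single event that is kept.

    Server-side defence in depth for the unnamed fields above: the body is
    parsed only to find the token, the parsed dict stays local and is never
    logged or persisted, and the returned record contains no user-typed data.
    Callers must not log `raw_body` either (e.g. via a debug request logger).
    """
    fields = parse_qs(raw_body.decode("utf-8", "replace"), keep_blank_values=True)
    token = fields.get("t", [""])[0]
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("missing or malformed tracking token")
    ts = int(now) if now is not None else int(time.time())
    return {"token": token, "event": "data_entered", "ts": ts}


if __name__ == "__main__":
    print(render_landing_form("recip-7f3a9c"))
    # Even if someone tampers with the form and posts named fields, the
    # stored event still holds nothing but the token and the timestamp.
    print(record_submission(b"t=recip-7f3a9c&email=a%40example.com&password=hunter2"))
```

The two layers are independent: the unnamed inputs stop the data being sent at all, and the server-side handler guarantees that a tampered or hand-crafted request still cannot get a credential into storage. The remaining risk to check in a real deployment is generic request logging (web server access logs, debug middleware) that might capture POST bodies before the handler runs.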

How we're storing it

We encrypt your data both at rest and in transit, and our site and storage processes are designed for security.

Who can access it

We have extensive internal access controls and rules for our team, who can access data only under limited conditions. You can also restrict admin access to sensitive materials.

Our core standards

Our compliance with applicable data protection legislation means that:

  • We know where all of your data is held and, when it is held outside the EU, we ensure appropriate safeguards are in place.
  • We ensure that only those who require access to your data can obtain it, and we maintain strong protection against unauthorised access.
  • We ensure you have the right to view, amend, export or delete any information that we hold on your behalf, including anything held by third-party services.
  • We ensure that consent is given during the sign-up process by everyone who uses our Platform, and you can withdraw it at any time.

Privacy Policy

Our privacy policy, which describes how we handle data entered into the Security Awareness Platform, can be found on our Privacy Policy page. For privacy questions or concerns, please contact info@goldphish.com.


Third Party Security

Vendor Management

We understand the risks associated with improper vendor management. We evaluate and perform due diligence on all of our vendors prior to engagement to ensure their security meets a suitable standard. If they do not meet our requirements, we do not proceed with them. Selected vendors are then monitored and reassessed on an ongoing basis, taking relevant changes into account.
