Our Security Measures

Learn How We Keep Your Data Secure

We are committed to protecting the confidentiality, integrity, and availability of our information systems and our customers' data. We continuously improve our security controls and analyse their effectiveness to ensure confidence in our solution.

Below is an overview of some of the security controls in place to protect your data.


Data Center Physical Security

Facilities

We use IONOS for data centre hosting. IONOS data centres are certified as ISO 27001 compliant by the Technical Inspection Association (TÜV). They employ robust controls to ensure the availability and security of their systems, including backup power, fire detection, suppression equipment, and secure device destruction.

On-Site Security

IONOS implements layered physical security controls, including vetted security guards, fencing, video monitoring, intrusion detection technology, and more.


Network Security

Threat Detection

Our platform leverages threat detection services within IONOS to continuously monitor for malicious and unauthorised activity.

Vulnerability Scanning

We perform regular internal scans for vulnerabilities. Identified issues are tracked until remediation.

DDoS Mitigation

The platform uses multiple DDoS protection strategies and tools to mitigate threats. We utilise IONOS’s DDoS protection and application-specific mitigation techniques.

Access Control

Staff access is limited to a least-privilege model. This is subject to frequent internal audits, technical enforcement, and monitoring to ensure compliance. Multi-factor authentication (MFA) is required for all production systems.


Encryption

In Transit

Communication with GoldPhish is encrypted with TLS 1.2 or higher over public networks. We adopt best practices in terms of cipher adoption and TLS configuration.

At Rest

Platform data is encrypted at rest with industry-standard AES-256 encryption. By default, we encrypt at the asset or object level.

Credentials Encryption

Credentials for the production database are rotated regularly to restrict access.


Availability and Continuity

Uptime

The platform is deployed on public cloud infrastructure. IONOS offers close to 100% availability with multiple redundant connections to major Internet hubs. Our services are deployed to multiple availability zones for resilience and are configured to scale dynamically in response to load. Simulated load tests and API response time tests are part of our release and testing cycle.

Disaster Recovery

Our services are deployed in parallel at two separate data centres. In the event of a problem at one data centre, the system automatically switches to the second, ensuring continuous availability.

Database Recovery

Our database has point-in-time recovery for up to four days and is manually backed up daily, with a maximum of 30 backups.

UPS Power Supply

IONOS data centres maintain an uninterruptible power supply (UPS) backed by emergency diesel generators and VRLA batteries.


Application Security

Quality Assurance

Our Quality Assurance team reviews and tests code on a per-pod basis. The security team investigates security vulnerabilities within code and recommends remediation.

Environment Segregation

Testing, staging, and production environments are logically separated. No customer data is used in any development or test environment.

Application Scanning

Site Scan from SiteLock is used to protect our site from hackers, malware, and unauthorised access.

Penetration Testing

We carry out annual penetration tests to identify and address potential security vulnerabilities. These tests are performed by independent security experts to ensure the highest level of security for our systems and data.


Endpoint Security

Anti-Virus

We implement endpoint antivirus and run daily scans on our machines.

Password Policy

We maintain a strict password policy on all servers, personal computers, and laptops. All passwords must be at least seven characters long and include one capital letter and one number.

Spam Checks

All incoming emails are filtered for spam and quarantined for checking before delivery to the network.

Remote Working

We operate a 100% remote working international team. Staff are not permitted to work on personal computers unless prior agreement has been given.

Cyber Essentials Accredited

We are Cyber Essentials certified, demonstrating our commitment to maintaining robust cybersecurity standards and protecting against common cyber threats.


Personal Security

Security Awareness

Our company delivers a robust Security Awareness Training programme within 30 days of new hires and continuously for all employees. Quarterly focused training is rolled out to key departments, including Secure Coding, Data Legislation, and Compliance obligations.

Information Security Programme

We have a comprehensive set of information security policies covering various topics. These are disseminated to all employees and contractors, with acknowledgement tracked on key policies such as Acceptable Use, Information Security Policy, and our Employee Handbook.

Employee Background Checks

All our employees undergo a background check covering 5 years of criminal history (where legal) and 5 years of employment verification before employment.

Confidentiality Agreements

All employees are required to sign Non-Disclosure and Confidentiality agreements.

Access Controls

Access to systems and network devices is based on a documented, approved request process. Logical access to platform servers and management systems requires two-factor authentication. Access is further restricted by system permissions using a least privilege methodology. Business need revalidation is performed quarterly to ensure access is commensurate with the users’ job function. User access is revoked upon termination of employment or change of job role.


Third-Party Security

Vendor Management

We understand the risks associated with improper vendor management. We evaluate and perform due diligence on all of our vendors before engagement to ensure their security is to a suitable standard. If they do not meet our requirements, we do not move forward with them. Selected vendors are then monitored and reassessed on an ongoing basis, considering relevant changes.


Data Privacy

Below is some key information on how we securely store your data:

What We're Storing

We store only necessary information, as collected by you. We never store any of your users' credentials that are compromised during a phishing simulation. Our phishing simulation landing pages do not capture data entered on them; they only record that the user failed the data entry portion of the test.

How We're Storing It

We encrypt your data both at rest and in transit. Our site and storage processes are designed for security.

Who Can Access It

We have extensive internal access controls and regulations for the GoldPhish team, who only have access to data under limited conditions. You can restrict admin access to sensitive materials.

Our Core Standards

Our core compliance with the act means that:

  • We have full awareness of where any of your data is being held, ensuring appropriate compliance outside of the UK.
  • We ensure that only those who require access to your data can access it and have the highest level of protection against unauthorised access.
  • We ensure you have the right to view, amend, export, or delete any information that we hold on your behalf, including anything held by third-party services.
  • We ensure that consent is given during the signup process for all who use GoldPhish and allow you to withdraw at any time.

Privacy Policy

Our privacy policy, which describes how we handle data input into GoldPhish, can be found at Privacy Policy. For privacy questions or concerns, please contact info@goldphish.com.

Last Updated: 22 July 2024
