GDPR Policy

What is GDPR?

The General Data Protection Regulation (GDPR) is legislation designed to give individuals in the European Union (EU) greater control over use of their personal data, as well as assurances regarding the security involved with protecting their data when it is volunteered to a business, organisation, or other entity.

What is PhishingBrains?

PhishingBrains is a web-based platform that gives businesses the ability to send email phishing simulations to their employees and/or clients. PhishingBrains markets to, and works with, companies either based in the EU or with those that have customers and/or employees living in the EU. Accordingly, PhishingBrains is required to comply with GDPR.

Is PhishingBrains compliant with GDPR?

Yes. As a Processor of personal data, PhishingBrains has met the applicable GDPR sections related to Data Processors. We also provide required components for Controllers to meet their GDPR requirements.

How do we know that PhishingBrains is GDPR compliant?

Article 42 provides for the establishment of data protection certification mechanisms for the purpose of demonstrating compliance with GDPR. PhishingBrains has attested to the Code of Conduct from the Cloud Security Alliance. Learn more about the CSA GDPR Code of Conduct at Cloud Security Alliance.

What steps has PhishingBrains taken for GDPR compliance?

PhishingBrains is a Processor of personal data as described by GDPR. To fulfil our obligations as a Processor, we have undertaken many steps, including, but not limited to, the following:

  1. We have undertaken an audit of our data protection policies and procedures and ensured they meet or exceed the standards described in GDPR Article 28 and Article 32.
  2. We have self-certified for the Privacy Shield Certification.
  3. PhishingBrains has self-attested to the Cloud Security Alliance Code of Conduct.
  4. PhishingBrains has established and/or reviewed contracts with our Sub-Processors and Affiliates.
  5. We have written, and can provide, a Data Processing Agreement that establishes contractual relationships with our clients in the EU.

Who is the Processor and who is the Controller with regards to GDPR?

PhishingBrains is the Processor of information and you, the client, are the Controller of the information.

Where do the PhishingBrains servers/data reside?

PhishingBrains servers are located within the United States. We adhere to Article 46 and have obtained Privacy Shield Certification.

Does data have to reside in the EU for compliance with GDPR?

No. Information does not need to reside in the EU. The regulation provides for transfers of data outside of the EU if applicable safeguards are in place.

“Article 46 – Transfers subject to appropriate safeguards” outlines the specific instances in which data transfer in the “absence of a decision pursuant to Article 45(3)” may occur. PhishingBrains provides for the following safeguards:

  1. “Standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2).” Our Data Protection Addendum is a contract between PhishingBrains, the Processor, and our client, the Controller. This contract contains several items outlined in GDPR, including the Standard Data Protection Clauses.
  2. “An approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the Controller or Processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.” PhishingBrains has attested to the Code of Conduct from the Cloud Security Alliance. As outlined in Article 42, an approved Code of Conduct is one method of demonstrating compliance with GDPR. Learn more about the CSA GDPR code of conduct at Cloud Security Alliance.
  3. “An approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the Controller or Processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.” PhishingBrains has self-certified for Privacy Shield Certification.

What is Privacy Shield certification?

Privacy Shield certification is a formal attestation in which PhishingBrains agrees to abide by the requirements established between the United States and EU member states with regard to the transfer of data from the EU to the United States. Learn more at privacyshield.gov.

Does PhishingBrains have a data processing addendum that includes the EU standard contractual clauses?

Yes. The DPA can be requested by emailing sales@phishingbrains.com. Once signed, please email to privacy@phishingbrains.com.

What if we have additional questions?

Please contact us if you have additional questions or concerns regarding our role as a Processor of personal data for data subjects in the European Union.

Thank you,

PhishingBrains
info@phishingbrains.com


CONTACT US ABOUT PRIVACY
If you have any questions or concerns with regard to our privacy policies, please contact us by mail, email, or phone.

PhishingBrains
Email: info@phishingbrains.com
Phone: +357 22485607