Compliance & Security

Enterprise-grade security and compliance certifications you can trust.

Security & Compliance Practices

SOC 2 Aligned Practices

Our cloud infrastructure and operational controls follow SOC 2 Type II framework principles for security, availability, and confidentiality.

Status: Framework Aligned
Practices: Security controls, monitoring, incident response
Note: Formal certification in progress

ISO 27001 Aligned Practices

Our information security management practices follow the ISO 27001 framework, a systematic approach to managing sensitive information.

Status: Framework Aligned
Practices: ISMS policies, risk management, controls
Note: Formal certification in progress

HIPAA Compliance

Our products can be deployed in HIPAA-compliant configurations for healthcare organizations. Business Associate Agreements (BAAs) are available.

Status: Supported
Features: Encryption, audit logging, access controls
BAA: Available upon request

PCI-DSS Support

GoPhish Cloud supports organizations meeting PCI-DSS Requirement 12.6 for security awareness training and phishing simulation programs.

Status: Supported
Use Case: Security awareness training
Documentation: Auditor-ready reports

GDPR Compliance

Our products support GDPR requirements through data minimization, encryption, access controls, and data subject rights. Self-hosted deployment ensures data stays within your jurisdiction.

Status: Supported
Features: Data sovereignty, right to deletion, encryption
Documentation: GDPR-ready data processing agreements

Security Hardening Controls

All HailBytes products are deployed with security hardening controls that align to CIS benchmarks, following industry-standard configuration best practices for secure infrastructure.

Status: Implemented
Alignment: CIS benchmarks and security best practices
Scope: All cloud deployments

Security Best Practices

We follow SOC 2 Type II and ISO 27001 security practices and controls, including systematic risk management, security monitoring, and incident response procedures.

Frameworks: SOC 2, ISO 27001 practices
Status: Following industry standards
Note: Practices implemented, certification in progress

NIST Cybersecurity Framework

Our security operations align with NIST CSF guidelines for identifying, protecting, detecting, responding to, and recovering from cybersecurity threats.

Status: Aligned
Framework: NIST CSF v1.1
Coverage: All five core functions

Security Practices

Data Encryption

  • TLS 1.2+ for data in transit
  • AES-256 encryption at rest
  • End-to-end encryption for sensitive data
  • Key management via Azure Key Vault / AWS KMS

Access Controls

  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA)
  • Principle of least privilege
  • Regular access reviews and audits

Infrastructure Security

  • Private network segmentation
  • Web Application Firewall (WAF)
  • DDoS protection via cloud providers
  • Regular vulnerability scanning

Monitoring & Logging

  • 24/7 security monitoring
  • Comprehensive audit logging
  • Real-time alerting for anomalies
  • SIEM integration support

Incident Response

  • Documented IR procedures
  • 24/7 security operations center
  • Regular tabletop exercises
  • Customer notification protocols

Vendor Management

  • Third-party security assessments
  • Regular vendor reviews
  • AWS & Azure compliance inheritance
  • Subprocessor transparency

Data Privacy & Control

Data Sovereignty

With self-hosted deployment on your AWS or Azure infrastructure, your data never leaves your control. Choose your deployment region to meet data residency requirements for GDPR, CCPA, and other privacy regulations.

Data Retention & Deletion

Configurable data retention policies allow you to automatically purge old campaign data, scan results, and logs according to your compliance requirements. Data subject access requests and the right to deletion under GDPR and CCPA are supported.

Privacy by Design

Our products implement privacy-first architecture with data minimization, purpose limitation, and built-in consent management. All data processing occurs on your infrastructure, ensuring maximum privacy and control.

Security Documentation

Security Whitepaper

Comprehensive overview of our security architecture, practices, and controls for GoPhish Cloud and reNgine Cloud.


Security Assessments

Security assessment reports and compliance documentation available to enterprise customers.


Penetration Testing

Annual third-party penetration testing reports available to enterprise customers.


Questions About Compliance?

Our security team is here to help with compliance questionnaires, audits, and technical security documentation.
