PHISHINGBOX GDPR FORMAL STATEMENT & FAQs

Updated: 05/22/2018
 
What is GDPR?
 
The General Data Protection Regulation (GDPR) is EU legislation designed to give individuals in the European Union (EU) greater control over the use of their personal data, together with assurances about how that data is secured once it has been provided to a business, organization, or other entity.
 
What is PhishingBox?
 
PhishingBox is a web-based platform that gives businesses the ability to send email phishing simulations to their employees and/or clients. PhishingBox markets to, and works with, companies that are either based in the EU or have customers and/or employees living in the EU. Accordingly, PhishingBox is required to comply with GDPR.
 
Is PhishingBox compliant with GDPR?
 
Yes. As a Processor of personal data, PhishingBox has met the GDPR requirements that apply to Data Processors (in particular Article 28 and Article 32). We also provide the components Controllers need, such as a Data Processing Addendum, to meet their own GDPR obligations.
 
How do we know that PhishingBox is GDPR compliant?
 
Article 40 provides for approved codes of conduct, and Article 42 for data protection certification mechanisms; both may be used to demonstrate compliance with GDPR. PhishingBox has self-attested to the Cloud Security Alliance (CSA) Code of Conduct for GDPR Compliance. Learn more about the CSA GDPR Code of Conduct at Cloud Security Alliance.
 
What steps has PhishingBox taken for GDPR compliance?
 
PhishingBox is a Processor of personal data as described by GDPR. To fulfill our obligations as a Processor, we have undertaken many steps, including, but not limited to, the following:
 
  1. We have undertaken an audit of our data protection policies and procedures and ensured they meet or exceed the standards described in GDPR Article 28 and Article 32.
  2. We have self-certified under the EU-U.S. Privacy Shield Framework.
  3. PhishingBox has self-attested to the Cloud Security Alliance (CSA) Code of Conduct for GDPR Compliance.
  4. PhishingBox has established and/or reviewed contracts with our Sub-Processors and Affiliates.
  5. We have written, and can provide, a Data Processing Addendum (DPA) that establishes the Article 28 contractual relationship between PhishingBox and our clients in the EU.
 
Who is the Processor and who is the Controller with regards to GDPR?
 
With respect to the personal data loaded into the platform (for example, the names and email addresses of the employees or clients who receive phishing simulations), PhishingBox is the Processor and you, the client, are the Controller.
  
Where do the PhishingBox servers/data reside?
 
PhishingBox servers are located within the United States. Transfers of personal data from the EU to those servers rely on the Article 46 safeguards described below (Standard Contractual Clauses incorporated in our DPA) together with our self-certification under the EU-U.S. Privacy Shield Framework.
 
Does data have to reside in the EU for compliance with GDPR?
 
No. Personal data does not need to reside in the EU. Chapter V of the regulation (Articles 44 to 49) permits transfers outside the EU on the basis of a Commission adequacy decision (Article 45), appropriate safeguards (Article 46), or, in limited cases, the derogations of Article 49.
  
“Article 46 - Transfers subject to appropriate safeguards” outlines the specific instances in which a data transfer may occur in the “absence of a decision pursuant to Article 45(3).” PhishingBox provides the following safeguards:
 
1. “Standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2).”
 
Our Data Processing Addendum (DPA) is a contract between PhishingBox, the Processor, and our client, the Controller. It contains the terms GDPR requires of such a contract, including the Article 28(3) processing terms and the Standard Contractual Clauses (the Commission's controller-to-processor model clauses) covering transfers to the United States.
 
2. “An approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the Controller or Processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.”
 
PhishingBox has self-attested to the Cloud Security Alliance (CSA) Code of Conduct for GDPR Compliance. As outlined in Article 40, an approved code of conduct is one method of demonstrating compliance with GDPR. Learn more about the CSA GDPR code of conduct at Cloud Security Alliance.
 
3. In addition to the Article 46 safeguards above, PhishingBox has self-certified under the EU-U.S. Privacy Shield Framework. Privacy Shield is not an Article 42 certification mechanism; it rests on the European Commission's adequacy decision under Article 45(3), which recognizes transfers to self-certified U.S. organizations as lawful without further safeguards.
 
What is Privacy Shield certification?
 
Privacy Shield certification is a formal, publicly listed self-certification to the U.S. Department of Commerce in which PhishingBox commits to abide by the Privacy Shield Principles agreed between the United States and the European Commission for transfers of personal data from the EU to the United States. Learn more at privacyshield.gov
 
Does PhishingBox have a data processing addendum that includes the EU standard contractual clauses?
 
Yes. The DPA can be requested by emailing sales@phishingbox.com. Once signed, please email it to privacy@phishingbox.com.
 
What if we have additional questions?
 
Please contact us if you have additional questions or concerns regarding our role as a Processor of personal data for data subjects in the European Union.
 
Thank you,
 
PhishingBox