Phishy

Security & trust

This page is intentionally conservative. It describes the current early-access operating posture, not the enterprise marketing version of what the product may become later.

What we can substantiate today

  • Phishy is currently sold as an early-access service, not a finished enterprise platform.
  • Customer billing is handled through Stripe and transactional email is routed through configured third-party providers.
  • The app records campaign, training, and administrative activity so teams can review what happened and export results.
  • Release and operational readiness are tracked with explicit checklists, smoke tests, and backup or restore procedures.

EU-first operating posture

  • The product is positioned for EU and NIS2-minded buyers who need evidence of training activity and human-risk workflows.
  • Privacy, refund, support, and commercial terms are written to match the current operating model rather than an aspirational future state.
  • If you have strict residency, DPA, or procurement requirements, we handle those through a qualification step before go-live.
  • We do not claim certifications, attestations, or uptime guarantees unless they are published and supportable.

How to evaluate risk with us

  • Request the current support contract, commercial readiness checklist, or incident-handling approach before purchase.
  • Use the 14-day trial to validate onboarding, campaign launch, reporting, and training flows in your own environment.
  • Treat enterprise-specific requirements such as private hosting, custom procurement, or bespoke controls as a scoped engagement.
  • Email security@phishy.dk when you need a direct answer instead of marketing shorthand.

Need a direct answer?

Email security@phishy.dk for current security answers, a DPA request, or the early-access support contract.

If a requirement is not supported today, we will say so directly instead of promising a later backfill.