Data Processing Agreement pursuant to Article 28 GDPR
Definitions
- "Customer": the company using the Service.
- "Admin": person(s) designated by the Customer with administration rights in the Service.
- "Participants/Employees": persons whose interactions are measured in the context of campaigns (e.g. recipients of simulations).
- "Campaign": a phishing simulation configured by the Customer, including target group, content and schedule.
- "Verified Domain": a domain (including enabled subdomains/hosts) for which the Customer demonstrates control/authorisation in the Service.
- "Customer Data": data stored or processed by the Customer in the Service (e.g. campaign configurations, lists, reports).
- "Employee Data/Personnel Data": personal data of employees/participants provided by the Customer or generated in the context of campaigns (e.g. email address, interaction data).
- "Service", "Platform": the AutoPhish platform, including related functions, APIs and content.
- "Plans/Subscription": the usage tier selected by the Customer, including billing period.
Clauses
SECTION I
Clause 1
Purpose and scope
(a) The purpose of these Standard Contractual Clauses (the Clauses) is to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(b) The controllers and processors listed in Annex I have agreed to these Clauses in order to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679.
(c) These Clauses apply to the processing of personal data as specified in Annex II.
(d) Annexes I to IV are an integral part of the Clauses.
(e) These Clauses are without prejudice to obligations to which the controller is subject by virtue of Regulation (EU) 2016/679.
(f) These Clauses do not by themselves ensure compliance with obligations related to international transfers in accordance with Chapter V of Regulation (EU) 2016/679.
Clause 2
Invariability of the Clauses
(a) The Parties undertake not to modify the Clauses, except for adding information to the Annexes or updating information in them.
(b) This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a broader contract, or from adding other clauses or additional safeguards provided that they do not directly or indirectly contradict the Clauses or detract from the fundamental rights or freedoms of data subjects.
Clause 3
Interpretation
(a) Where these Clauses use the terms defined in Regulation (EU) 2016/679 respectively, those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679 respectively.
(c) These Clauses shall not be interpreted in a way that runs counter to the rights and obligations provided for in Regulation (EU) 2016/679 or in a way that prejudices the fundamental rights or freedoms of the data subjects.
Clause 4
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties existing at the time when these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 5 - Optional
Docking clause
Intentionally left blank
SECTION II
OBLIGATIONS OF THE PARTIES
Clause 6
Description of processing(s)
The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Annex II.
Clause 7
Obligations of the Parties
7.1. Instructions
(a) The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the controller throughout the duration of the processing of personal data. These instructions shall always be documented.
(b) The processor shall immediately inform the controller if, in the processor’s opinion, instructions given by the controller infringe Regulation (EU) 2016/679 or the applicable Union or Member State data protection provisions.
7.2. Purpose limitation
The processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex II, unless it receives further instructions from the controller.
7.3. Duration of the processing of personal data
Processing by the processor shall only take place for the duration specified in Annex II.
7.4. Security of processing
(a) The processor shall at least implement the technical and organisational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
(b) The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7.5. Sensitive data
If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“sensitive data”), the processor shall apply specific restrictions and/or additional safeguards.
7.6. Documentation and compliance
(a) The Parties shall be able to demonstrate compliance with these Clauses.
(b) The processor shall deal promptly and adequately with inquiries from the controller about the processing of data in accordance with these Clauses.
(c) The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations that are set out in these Clauses and stem directly from Regulation (EU) 2016/679. At the controller’s request, the processor shall also permit and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the controller may take into account relevant certifications held by the processor.
(d) The controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the processor and shall, where appropriate, be carried out with reasonable notice. The costs of such audits shall be borne by the controller.
(e) The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority/ies on request.
7.7. Use of sub-processors
(a) The processor has the controller’s general authorisation for the engagement of sub-processors from an agreed list. The processor shall specifically inform in writing the controller of any intended changes of that list through the addition or replacement of sub-processors at least four weeks in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The processor shall provide the controller with the information necessary to enable the controller to exercise the right to object.
(b) Where the processor engages a sub-processor for carrying out specific processing activities (on behalf of the controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the data processor in accordance with these Clauses. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to these Clauses and to Regulation (EU) 2016/679.
(c) At the controller’s request, the processor shall provide a copy of such a sub-processor agreement and any subsequent amendments to the controller. To the extent necessary to protect business secret or other confidential information, including personal data, the processor may redact the text of the agreement prior to sharing the copy.
(d) The processor shall remain fully responsible to the controller for the performance of the sub-processor’s obligations in accordance with its contract with the processor. The processor shall notify the controller of any failure by the sub-processor to fulfil its contractual obligations.
(e) The processor shall agree a third party beneficiary clause with the sub-processor whereby - in the event the processor has factually disappeared, ceased to exist in law or has become insolvent - the controller shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
7.8. International transfers
(a) Any transfer of data to a third country or an international organisation by the processor shall be done only on the basis of documented instructions from the controller or in order to fulfil a specific requirement under Union or Member State law to which the processor is subject and shall take place in compliance with Chapter V of Regulation (EU) 2016/679.
(b) The controller agrees that where the processor engages a sub-processor in accordance with Clause 7.7. for carrying out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the sub-processor can ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission in accordance with Article 46(2) of Regulation (EU) 2016/679, provided the conditions for the use of those standard contractual clauses are met.
Clause 8
Assistance to the controller
(a) The processor shall promptly notify the controller of any request it has received from the data subject. It shall not respond to the request itself, unless authorised to do so by the controller.
(b) The processor shall assist the controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (a) and (b), the processor shall comply with the controller’s instructions.
(c) In addition to the processor’s obligation to assist the controller pursuant to Clause 8(b), the processor shall furthermore assist the controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the processor:
(1) the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
(2) the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;
(3) the obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become outdated;
(4) the obligations in Article 32 of Regulation (EU) 2016/679.
(d) The Parties shall set out in Annex III the appropriate technical and organisational measures by which the processor is required to assist the controller in the application of this Clause as well as the scope and the extent of the assistance required.
Clause 9
Notification of personal data breach
In the event of a personal data breach, the processor shall cooperate with and assist the controller for the controller to comply with its obligations under Articles 33 and 34 of Regulation (EU) 2016/679, where applicable, taking into account the nature of processing and the information available to the processor.
9.1. Data breach concerning data processed by the controller
In the event of a personal data breach concerning data processed by the controller, the processor shall assist the controller:
(a) in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after the controller has become aware of it, where relevant/(unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
(b) in obtaining the following information which, pursuant to Article 33(3) of Regulation (EU) 2016/679, shall be stated in the controller’s notification, and must at least include:
(1) the nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(2) the likely consequences of the personal data breach;
(3) the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(c) in complying, pursuant to Article 34 of Regulation (EU) 2016/679, with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
9.2. Data breach concerning data processed by the processor
In the event of a personal data breach concerning data processed by the processor, the processor shall notify the controller without undue delay after the processor having become aware of the breach. Such notification shall contain, at least:
(a) a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
(b) the details of a contact point where more information concerning the personal data breach can be obtained;
(c) its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
The Parties shall set out in Annex III all other elements to be provided by the processor when assisting the controller in the compliance with the controller’s obligations under Articles 33 and 34 of Regulation (EU) 2016/679.
SECTION III
FINAL PROVISIONS
Clause 10
Non-compliance with the Clauses and termination
(a) Without prejudice to any provisions of Regulation (EU) 2016/679, in the event that the processor is in breach of its obligations under these Clauses, the controller may instruct the processor to suspend the processing of personal data until the latter complies with these Clauses or the contract is terminated. The processor shall promptly inform the controller in case it is unable to comply with these Clauses, for whatever reason.
(b) The controller shall be entitled to terminate the contract insofar as it concerns processing of personal data in accordance with these Clauses if:
(1) the processing of personal data by the processor has been suspended by the controller pursuant to point (a) and if compliance with these Clauses is not restored within a reasonable time and in any event within one month following suspension;
(2) the processor is in substantial or persistent breach of these Clauses or its obligations under Regulation (EU) 2016/679;
(3) the processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to these Clauses or to Regulation (EU) 2016/679.
(c) The processor shall be entitled to terminate the contract insofar as it concerns processing of personal data under these Clauses where, after having informed the controller that its instructions infringe applicable legal requirements in accordance with Clause 7.1 (b), the controller insists on compliance with the instructions.
(d) Following termination of the contract, the processor shall, at the choice of the controller, delete all personal data processed on behalf of the controller and certify to the controller that it has done so, or, return all the personal data to the controller and delete existing copies unless Union or Member State law requires storage of the personal data. Until the data is deleted or returned, the processor shall continue to ensure compliance with these Clauses.
ANNEX I - List of Parties
Controller:
Name of the controller:
Address of the controller:
Company registration number / register number of the controller:
VAT ID / tax identification number of the controller:
Processor:
Name: QADS e.U. ("AutoPhish"), owner Lorenz Peter Lösch, MSc
Commercial register number: FN 668401v
Commercial register court: Commercial Court Vienna
Address: Wehleweg 6/30, 1030 Vienna, Austria
Name, position and contact details of the contact person: Lorenz Peter Lösch, MSc, owner
Email: support@autophish.io
Telephone: +43 664 5982768
Data protection contact: support@autophish.io
ANNEX II - Description of the Processing
Depending on the controller's use of the AutoPhish platform, the processing concerns the following categories of data subjects whose personal data is processed:
- Employees, freelancers, interns, trainees, temporary workers and other users of the controller who are included in target groups, target lists, campaigns, trainings, reports or security awareness measures.
- Administrators, IT/security officers, compliance/HR officers and other authorised users of the controller who configure AutoPhish, run campaigns, view reports or administer the platform.
- Where multi-company, MSP or reseller functions are used: authorised users of IT service providers, MSPs, resellers or affiliated companies, insofar as they access tenant/customer data on behalf of the controller.
- Where "Report Phish" or similar reporting workflows are used: senders, recipients and other persons whose personal data may be contained in reported emails, email headers, metadata, free-text reports or attachments.
- Where domain monitoring, DNS security checks or security scanning functions are used: persons whose personal data may be apparent from public sources, DNS/domain data, contact information, website content, security findings or log data; this processing is limited to domains and systems verified or authorised by the controller.
Categories of personal data processed
Depending on the configuration and use of the AutoPhish platform, the following categories of personal data may in particular be processed:
- Identification and contact data of campaign participants: in particular email address, first name, last name, display name, associated organisation, associated target list, team/department/role information, insofar as provided or configured by the controller.
- Platform and administration data: user account, name, email address, roles and permissions, tenant/company assignment, language settings, login/session metadata, audit log entries and API key metadata, insofar as these are processed on behalf of the controller for platform administration.
- Campaign data: campaign name, subject, email content, template, scenario, language, difficulty level, target groups, schedule, sending interval, status, approvals, sending attempts, delivery/bounce information, sender/domain configuration used, login page configuration and other campaign settings.
- Interaction and behavioural data from simulations: sending status, opening events, click events, reported emails, time of interaction, link ID, original URL, report status, reporting time, repeat events, risk/training indicators, simulated login interactions, entered username or login identifier, technical event and interaction data.
- Technical data: IP address, user agent, browser/device information, timestamps, request/header information, referrer/origin, interaction type, detection signals used to distinguish human interactions from automated scans/bots, logs, monitoring and error messages.
- Training data: assigned awareness trainings, course/module assignment, training status, progress, completion time, repeated attempts, language, reminder status and reporting data.
- Report Phish data: reported email including email metadata such as subject, sender, recipient, headers, raw content/MIME content, reporting category, free text provided by the reporter, technical reporting data, Microsoft/Outlook submission status, insofar as the corresponding function is enabled.
- Domain, DNS and security scanning data: verified domains, subdomains, DKIM selectors, SPF/DKIM/DMARC records, scan results, security findings, severity, location of finding, technical details, IP addresses, scan time, scan history, changes, recommendations and alert status.
- Company context and personalisation data: company information provided by the controller as well as publicly available company information, such as website content, products, services, locations, public roles/functions and industry-specific terms, insofar as these are used to generate realistic simulations and trainings.
- Pseudonymised or anonymised representations: consistent internal identifiers, pseudonymous target identifiers, aggregated team/organisation metrics and anonymised reports, in particular where anonymised mode is enabled.
Sensitive data processed and restrictions or safeguards applied
The processing of special categories of personal data pursuant to Article 9 GDPR and data relating to criminal convictions and offences pursuant to Article 10 GDPR is neither intended nor a purpose of the AutoPhish platform and is not requested by the processor. However, any provision and transmission of such data to the processor by the controller or other third parties cannot be fully excluded or prevented, but is contractually restricted in the platform's General Terms and Conditions and Terms of Use.
Nature of the processing
The processing includes in particular:
- collection, import, storage, maintenance, modification and deletion of target groups, target lists, campaign participants and company/tenant data;
- creation, configuration, scheduling, sending and evaluation of simulated phishing campaigns;
- AI-supported and rule-based creation or variation of simulation content, landing pages, scenarios, red-flag analyses and micro-trainings;
- execution of autopilot, sprinkle, recurring and adaptive campaigns;
- collection and evaluation of openings, clicks, simulated login interactions, reports, training status, reporting rates, click rates, repeat events and risk indicators;
- automatic or manual assignment of awareness trainings and tracking of training progress;
- creation of dashboards, reports, exports, audit materials and aggregated analyses;
- pseudonymisation, anonymisation or masking of personal data, in particular in reports and analyses, insofar as enabled by the controller;
- operation of multi-tenant, multi-company, MSP/reseller and role-based administration functions;
- domain verification, DNS monitoring, DMARC/SPF/DKIM checks, look-alike domain detection and optional security scanning for verified or authorised domains;
- processing of reported emails in the context of "Report Phish" or comparable reporting workflows;
- support, error analysis, security monitoring, abuse prevention, logging, monitoring, backup, restoration and incident response;
- export, return, deletion or anonymisation of data after contract termination or documented instruction from the controller;
- creation of a security score.
Purpose(s) for which the personal data is processed on behalf of the controller
Processing takes place exclusively for the provision and operation of the AutoPhish platform on behalf of the independently responsible controller, in particular for the following purposes:
- conducting realistic phishing simulations and security awareness measures;
- training, sensitisation and micro-training of employees and other users of the controller;
- measuring and improving security awareness based on click, report, interaction, training and risk indicators;
- provision of compliance, management, audit and security reports;
- automated campaign control, adaptive difficulty levels and risk-based training assignment;
- administration of target groups, company/tenant structures, roles and permissions;
- operation of MSP/multi-company functions for authorised service providers of the controller;
- support in detecting and reporting suspicious emails through "Report Phish" workflows;
- domain, DNS and security monitoring for domains verified or authorised by the controller;
- ensuring platform operation, availability, integrity, security, abuse prevention, error analysis and support;
- implementation of documented instructions from the controller and support with data subject rights, data protection incidents, audits and accountability obligations;
- creation of a security score.
Duration of the processing
Processing takes place for the duration of the contractual relationship between controller and processor, including test, pilot, trial, subscription, support and run-off phases, insofar as this is necessary for performance of the contract, implementation of documented instructions or compliance with statutory obligations.
Unless otherwise agreed or changed by documented instruction of the controller, the following applies by way of derogation:
- Customer data, campaign data, execution results, email content, interaction data, training data, security scan results, security scores and DNS monitoring logs are stored by default for up to three (3) years from creation and then deleted or anonymised, unless longer statutory retention obligations apply.
- Reported raw email content in the context of "Report Phish" workflows is stored only for as long as necessary for review, evaluation, support or security analysis; where technically provided, the standard retention period for reported raw email content is 90 days.
- Administrators of the controller may request deletion of employee data or adjustment of the retention period, insofar as technically and legally possible.
- Backups are overwritten or deleted in accordance with the applicable backup cycle; until deletion or overwriting, contractual and statutory protection obligations remain in force.
- Different deletion or retention periods may be specified in the relevant offer, contract, administration area or by documented instruction of the controller.
- Data relevant to tax and corporate law retention obligations is retained for seven (7) years.
Subject matter, nature and duration of processing by sub-processors
Sub-processors are used only insofar as this is necessary for the provision, operation, billing, sending, support, security or further development of the AutoPhish platform. The subject matter, nature and duration of processing by sub-processors are set out in Annex IV. Processing by sub-processors is generally carried out for the duration of their engagement by the processor or for the period during which their services are required for performance of the contract with the controller. After termination of the respective sub-processing engagement, data shall be deleted or returned in accordance with the relevant agreement, statutory requirements and deletion/backup cycles.
ANNEX III - Technical and Organisational Measures, Including Measures to Ensure the Security of the Data
Description of the technical and organisational measures implemented by the processor to ensure an appropriate level of security
Taking into account the nature, scope, context and purposes of processing as well as the risks to the rights and freedoms of data subjects, the processor implements in particular the following technical and organisational measures:
- Tenant separation and access restriction
The AutoPhish platform is designed for multi-tenant use. Data is processed logically separated by company/tenant. Users receive access only to companies, tenants, campaigns, reports and functions for which they are authorised. In the case of multi-company, MSP or reseller use, access is tenant-specific and role-based. Data of different customers is not combined into personal individual reports.
- Roles and permissions concept
Access to the platform is based on role-based permissions. Roles and rights are separated at least according to admin/owner/user/support/superadmin functions or comparable permission levels. Rights are granted according to the need-to-know principle. Administrators of the controller manage their users and target groups within the scope of their permissions. Administrative access by the processor takes place only insofar as necessary for support, operation, security, troubleshooting or abuse prevention.
- Authentication and account protection
The platform uses individual user accounts. Passwords and authentication data are not stored in plain text but are protected according to the state of the art. The platform supports additional security mechanisms such as two-factor authentication, passkeys, session management, time-limited sessions and step-up checks for particularly sensitive administrative functions. API access is protected by API keys, scopes, secret hashing, token prefixes, revocation and rate limits.
- Pseudonymisation
AutoPhish supports a pseudonymised mode. When enabled, personal target identifiers such as email addresses are replaced in reports and campaign analyses by consistent pseudonymous identifiers. This allows security and training metrics to continue to be evaluated without analyses identifying individual employees by default. Disabling or changing such data protection functions is restricted to support processes.
- Data minimisation
Only personal data that is necessary for campaigns, trainings, reporting, support, security, billing or documented instructions is processed. Target groups can be maintained with email address and optional name and telephone numbers. Simulations do not store real passwords or production access credentials. For simulated login pages, storage is limited to necessary event data such as target address, entered username/login identifier, timestamp, campaign reference and technical metadata.
- Encryption and protection in transit
The platform uses encrypted transmission via HTTPS/TLS. External interfaces, APIs, webhooks, email sending, support and integration connections are operated exclusively via encrypted transport channels. Tokens, secrets and access credentials are managed separately from application code and protected by access restrictions. Sensitive keys and access credentials are not disclosed in repositories, logs or error messages.
- Protection at rest
Personal data is processed in a controlled server and database environment. Databases, backups, logs and stored content are protected by role-based access, access restrictions, network segmentation, secure configuration, secret management and monitoring. Passwords, API secrets and comparable authentication data are hashed, encrypted or otherwise protected according to the state of the art. Raw content of reported emails is retained for a limited period and processed only for defined purposes.
- EU/EEA-based operation and international transfers
Production processing takes place primarily within the EU or EEA. Sub-processors are selected and engaged so that processing generally takes place within the EU/EEA. A transfer of personal data to third countries or international organisations takes place only on the basis of documented instruction from the controller, an adequacy decision or appropriate safeguards under Chapter V GDPR, in particular standard contractual clauses, provided that their conditions are met. The controller is informed about relevant changes to sub-processors in accordance with the Clauses.
- Secure domain and campaign control
Simulations and security checks must be limited to domains and systems for which the controller has the required rights or demonstrates authorisation. AutoPhish provides for domain verification in order to prevent unauthorised campaigns, scans or abusive use against third parties.
- Logging and auditability
Security-relevant events, administrative actions, role/permission changes, API key usage, campaign events, support access and other relevant processing operations are logged appropriately.
- Monitoring, abuse prevention and rate limits
The platform uses monitoring, error logs, alerting and technical protection measures against abuse. Public or semi-public endpoints, such as tracking, report or API endpoints, are protected by input validation, size limits, rate limits, error handling and logging. Unauthorised use, testing against third parties, malware, real credential-harvesting activities and harmful payloads are prohibited, are technically prevented where possible and may result in blocking or restriction of the service.
- Input validation and secure processing
Inputs are validated, normalised and limited on the server side. Email addresses, target lists, campaign parameters, report data, login attempts, API requests and free-text fields are checked for permitted formats, lengths and data types. Incorrect or oversized inputs are rejected. HTML/content components, templates and dynamically generated content are processed in such a way that cross-site scripting, injection, unauthorised redirects and similar risks are minimised.
- AI and content guardrails
AI-supported generation of simulations, trainings, red-flag analyses or company context is carried out with guardrails, purpose limitation and data minimisation. Where possible, public company information, role/industry information, pseudonymised data or non-personal context data is used. Personal data is not deliberately transmitted to AI services. AI outputs are limited to safe training simulations and micro-trainings.
- Confidentiality of personnel
Persons who may receive access to personal data at the processor are obliged to maintain confidentiality or are subject to a statutory duty of confidentiality. Access is limited to personnel responsible for operation, support, development, security, billing or customer care. New employees and external supporters are instructed on data protection, information security, secure development and abuse prevention.
- Secure development and change control
The platform is operated using controlled development, testing and deployment processes. Changes are versioned, tested and reviewed before production deployment. Code reviews, automated tests, E2E tests, security checks, CI/CD processes, dependency checks and documented release processes are used insofar as technically and organisationally appropriate.
- Availability, backup and restoration
The processor takes measures to ensure the availability and recoverability of the platform. These include backups, restoration processes, monitoring, alerting, controlled maintenance windows, emergency maintenance in the event of security risks and technical measures to reduce downtime. Backups are deleted according to defined cycles and remain protected until then.
- Deletion, export and retention
The platform supports deletion, export, anonymisation or restriction of personal data in accordance with technical possibilities, contractual agreements and documented instructions from the controller. Campaign data and training data are stored for a limited period by default. Raw content of reported emails is stored for a limited period.
- Support with data subject rights
The processor assists the controller with access, rectification, erasure, restriction, objection and data portability insofar as the relevant data is processed in the platform and the assistance is technically possible.
- Data protection incidents and incident response
The processor maintains processes for detecting, assessing, containing and documenting security incidents. In the event of personal data breaches affecting processing on behalf of the controller, the processor informs the controller without undue delay in accordance with the Clauses and provides the available information, in particular the nature of the incident, affected data categories, likely consequences, measures taken or proposed and contact point for follow-up questions.
- Sub-processor management
Sub-processors are used only where a contract with substantially equivalent data protection obligations exists. The processor maintains a list of sub-processors and informs the controller of intended changes in accordance with the Clauses. Sub-processors receive access only to data that is necessary for the respective service.
- Physical security
Processing takes place in professional data centre or hosting environments within the EU/EEA. Physical security measures such as access control, fire protection, power supply, air conditioning, hardware protection and operational monitoring are provided by the respective hosting/infrastructure provider.
- Quality assurance and regular review
The effectiveness of the technical and organisational measures is reviewed regularly, in particular through monitoring, tests, security reviews, penetration tests or external audits, insofar as appropriate. Findings from incidents, support cases, customer feedback, audits, vulnerability reports and changes in the threat landscape are incorporated into further development of the platform.
Description of the specific technical and organisational measures to be taken by the processor to be able to provide assistance to the controller
The processor supports the controller in particular by:
- providing admin functions for managing users, target groups, campaigns, roles, domains, reports, trainings and deletion processes;
- providing reports, dashboards, exports and audit materials relating to campaigns, trainings, click/report rates, security scans and domain monitoring;
- implementing documented instructions for deletion, anonymisation, export, modification or restriction of data;
- supporting data subject rights through technical search, export, correction, deletion and anonymisation functions;
- providing information about sub-processors, data categories, security measures, retention periods and international transfers;
- supporting data protection incidents through prompt notification, technical analysis, containment, root cause analysis, recommendations for measures and documentation;
- providing privacy-friendly functions such as anonymised mode, role-based reports, data minimisation, tenant separation, deletion concepts and configurable retention periods.
ANNEX IV - List of Sub-processors
The controller has authorised the use of the following sub-processors:
1. Stripe
Name: Stripe Payments Europe, Limited
Address: 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland
Name, position and contact details of the contact person: privacy@stripe.com
Description of processing:
Stripe is used for payment processing, invoicing, subscription management and tax calculation. The processing concerns in particular customer, company, invoice, payment, contract, subscription and billing contact data of the controller or its administrators or billing contacts. Data from phishing simulations, campaigns, trainings, reports or simulated login interactions is not processed via Stripe.
Allocation of responsibilities:
Stripe processes only such personal data as is necessary for payment processing, invoicing, subscription management, tax calculation, payment status, fraud prevention in payment transactions and related support or compliance processes.
2. Contabo GmbH
Name: Contabo GmbH
Address: Aschauer Straße 32a, 81549 Munich, Germany
Name, position and contact details of the contact person:
Support / Privacy Contact: support@contabo.com
Data protection contact: datenschutz@contabo.de
Description of processing:
Contabo is used for infrastructure, hosting, server operation, database/application operation, storage, network operation, technical logs, backups, monitoring and operational support of the AutoPhish platform. Processing may include customer data and personnel data insofar as these are provided by the controller. In particular, company/tenant data, administrator and user accounts, target lists, campaign and training data, email content, simulation results, interaction data, reporting data, domain/DNS/security scan data, technical logs, audit data and support-relevant technical metadata are affected.
Allocation of responsibilities:
Contabo provides the technical hosting and infrastructure environment. Contabo is not responsible for the substantive configuration of AutoPhish campaigns, selection of target groups, creation of simulations, evaluation of reports or decisions on retention periods. These activities are performed by the processor on the controller's instruction.
3. World4You Internet Services GmbH
Name: World4You Internet Services GmbH
Address: Hafenstraße 47-51, 4020 Linz, Austria
Name, position and contact details of the contact person:
Support / Privacy Contact: office@world4you.com
Data protection contact: datenschutz@world4you.com
Description of processing:
World4You is used for email delivery, platform notifications and transactional email communication. Processing may include in particular recipient address, sender address, subject, email content, technical sending data, delivery status, error messages, bounce information and sending/system logs. This primarily concerns platform notifications, authentication/account communication, support-related notifications and, where applicable, campaign-related email communication, insofar as World4You is used for the relevant sending path.
Allocation of responsibilities:
World4You is solely responsible for the technical transmission or delivery of emails and notifications sent via its services.
4. SMTP.DK ApS
Name: SMTP.DK ApS
Address: Refshalevej 163A, 1432 København K, Denmark
Name, position and contact details of the contact person:
Support / Privacy Contact: support@smtp.dk
Description of processing:
SMTP.DK is used for email sending, SMTP relay, technical delivery, bounce/error handling, sending logs and delivery statistics. Processing may include in particular recipient address, sender address, subject, email content, sending time, delivery status, provider message ID, bounce information, technical sending data and log data. This may also concern simulated phishing emails and transactional platform emails.
Allocation of responsibilities:
SMTP.DK is solely responsible for technical email sending and the related sending, delivery and error processing.
5. Crisp IM SAS
Name: Crisp IM SAS
Address: 2 Boulevard de Launay, 44100 Nantes, France
Name, position and contact details of the contact person: privacy@crisp.chat
Description of processing:
Crisp is used for customer communication, support chat, support tickets, helpdesk functionality and support-related communication. The processing concerns in particular contact data of administrators, IT/security contacts or other support contacts of the controller, communication content, chat histories, support requests, technical support metadata, timestamps, IP address, user agent and other information necessary to handle a support case.
Personnel data from phishing simulations, target lists, campaigns, reports or trainings is processed via Crisp only if and insofar as such data is actively provided in the specific support case by the controller or its authorised administrators or is strictly necessary for error analysis. Systematic processing of personnel data by Crisp does not take place.
Allocation of responsibilities:
Crisp is solely responsible for the technical provision of support and communication functionality. Crisp is not responsible for hosting, campaign execution, email sending, payment processing, training delivery, simulation tracking or reporting.