Question 1

Is it legal to simulate phishing?

Accepted Answer

Yes, with management approval. Our contract clearly defines the legal framework. Employees are not warned in advance to ensure realistic results, but are informed after the campaign.

Question 2

How does OAuth access work?

Accepted Answer

We use the Gmail API with OAuth 2.0. Access is limited to sending emails via gmail.insert. We have no access to your existing emails, contacts, or other data.

Question 3

Is the data secure?

Accepted Answer

Absolutely. All data is hosted in Europe (Hetzner, Germany) and deleted 30 days after the campaign, in compliance with GDPR. We never store passwords entered on landing pages.

Question 4

How long does a campaign last?

Accepted Answer

A standard campaign lasts 7 days, capturing different behaviors across weekdays. You receive the PDF report within 48 hours after the campaign ends.

Question 5

Will my employees be warned?

Accepted Answer

No, to ensure realistic results. However, all employees who click are immediately redirected to a friendly awareness page. The goal is educational, not punitive.

Question 6

What happens if an employee enters credentials?

Accepted Answer

The landing page only captures that an attempt was made, not the credentials themselves. The employee is immediately redirected to the awareness page and informed it was a test.

Privacy Policy

Introduction

Data Controller

Data Collected

Use of Data

Data Retention

Data Security

Your Rights

Contact