Trust & security

Security practices, data handling, subprocessors, and how to report vulnerabilities or abuse to PhishEye.

Company & data protection

PhishEye Ltd (trading as PhishEye) is incorporated in England and Wales. Our registered office is 17 Hanover Square, London W1S 1BN, United Kingdom. For how we process personal data, see our Privacy policy. UK-based individuals may complain to the Information Commissioner's Office (ICO) if they believe we have handled personal data unlawfully.

How we build and operate

  • Change management — Production changes go through review and testing appropriate to risk. We separate duties where practical so that no single credential can silently ship untested code to production.
  • Access control — Staff and contractors use least-privilege access to systems that host or administer the service. Multi-factor authentication is required for administrative and production-facing accounts.
  • Logging & audit — We retain operational and security logs for a period consistent with incident investigation, abuse prevention, and legal obligations. Retention specifics for customer environments are described in your agreement or data processing addendum where applicable.

Data security

  • Encryption in transit — Client connections to PhishEye web properties and APIs use TLS 1.2 or higher.
  • Encryption at rest — Primary data stores rely on encryption at rest where supported by our cloud and database providers, with keys managed through those platforms' key-management facilities.
  • Backups & resilience — We use provider-native backup and redundancy patterns appropriate to the service tier. Exact recovery point and time objectives may be specified in enterprise orders.

Subprocessors

We use carefully vetted vendors to run the service. The table below lists categories and examples we use today for the public marketing site and related communications. Customer-specific environments (for example hosted product deployments) may use additional or different vendors; we provide subprocessor lists and update mechanisms under contract where required.

Subprocessor (category or name) | Purpose
Resend | Transactional email (for example contact form delivery and account-related messages where configured).
Cloud hosting, DNS, and CDN providers | Hosting and delivery of websites and APIs, including edge caching and static assets.

We will update this page when we add or replace material subprocessors for the scopes described above. For procurement or diligence, email contact@phisheye.com.

Investigation & enforcement methodology

PhishEye helps teams prioritise abuse that impersonates brands or harvests trust, package evidence that registrars and platforms recognise, and track outcomes. Automation and machine-assisted analysis may suggest risk scores or next steps; humans remain accountable for decisions that affect third parties. We do not guarantee that any third party will accept a report or act within a given timeframe. Read more about how we think about automated takedowns in product terms.

Support & availability

We aim to keep the service available during UK business hours and maintain the site and APIs with commercially reasonable uptime. Scheduled maintenance is performed where possible outside peak European hours; emergency maintenance may occur without long advance notice. When we publish a public status page, we will link it from this section.

For product support, billing, or general security questions, use Contact or email contact@phisheye.com.

Vulnerability disclosure

If you believe you have found a security vulnerability in PhishEye-controlled systems, email security@phisheye.com with a clear description, steps to reproduce, and your preferred contact handle. We ask that you give us a reasonable time to investigate before public disclosure and that you avoid accessing or exfiltrating customer data. We do not operate a public bug-bounty programme today; we still appreciate responsible reports.

For abusive content on third-party infrastructure, use Contact so we can route your report appropriately.

Compliance roadmap

Formal certifications such as SOC 2 Type II or ISO 27001 may be pursued as customer demand and company scale require. When independent reports or summary trust packs become available, we will publish or share them through commercial channels as appropriate.