Everything you need to evaluate PhishFence in one place — privacy, terms, security posture, sub-processors, and our compliance roadmap. Procurement teams: this is the URL you want.
Every third party that touches customer data is listed here. Customers will be notified at least 30 days before a new sub-processor is added.
| Sub-processor | Purpose | Data shared | Region |
|---|---|---|---|
| Google Cloud Platform | Application hosting (Cloud Run, Cloud SQL, Cloud Storage, Cloud Logging, Cloud Scheduler, Secret Manager) | All customer data at rest and in transit through the application tier | United States |
| Stripe | Payment processing & subscription management | Billing email, subscription & invoice metadata, last 4 digits of payment method (card data handled by Stripe, never seen by PhishFence) | United States |
| Resend | Transactional email delivery (account verification, password reset, alert notifications) | Recipient email address & the message body of system mail we send | United States |
| Sentry | Application error monitoring | Stack traces and request metadata, scrubbed of PII before transmission | United States |
| Cloudflare | CDN, DDoS protection, Turnstile bot challenge on signup | Request metadata (IP, user agent, headers); no application database data | Global edge network |
| AWS Route 53 | Authoritative DNS for phishfence.io | No customer data — DNS records for our domain only | United States |
| Anthropic | LLM-backed analysis features (DMARC assistant) | Only the specific DMARC record / report excerpt sent for the requested analysis; no auth credentials or persistent identifiers | United States |
Last updated 2026-05-15. Subscribe to trust@phishfence.io for change notifications.
What we hold today, what we're working toward, and what we don't plan to pursue. See /security for the long-form context.
Data deletion implemented end-to-end; sub-processors disclosed; EU-resident customers treated as data subjects. No formal certification yet.
Targeted Q4 2026. Executive summary published publicly; full report shared under NDA.
Once revenue and customer count justify the audit cost (~$15–25K plus ongoing).
Follow on from Type 1 by the standard 6-month observation period.
PhishFence is not designed for protected health information or US Federal Government use.
Status page at status.phishfence.io is being stood up. Until it goes live, incident communication goes via email to the address of record on each affected account. For service-level questions in the meantime: support@phishfence.io.
Send vulnerability reports to security@phishfence.io. Coordinates are published per RFC 9116 at /.well-known/security.txt. Full disclosure policy and SLAs on the Security page.
DPAs, security questionnaires, and custom MSAs all get same-week turnaround given the solo-operator model. The fastest way to close out your review is to email the founder directly.