Security & Compliance
How Phishivox protects your data. Security is not a feature -- it is the foundation of everything we build.
Security Overview
Phishivox is a security product. We hold ourselves to the same standards we help our customers achieve. Our core security principles:
- Security over features — Features that compromise security or privacy are redesigned or dropped.
- Data minimization — Process only what is necessary for detection. Store as little as possible, for as short as possible.
- Least privilege — Minimal permissions for OAuth scopes, database roles, and internal services.
- Tenant isolation — All queries and operations are scoped to a tenant/user. No cross-tenant data access is possible.
- Defense in depth — Multiple layers of protection: validation, encryption, authentication, authorization, monitoring.
- Transparency — Clear data retention policies, privacy controls, and disconnect flows.
Data Handling
What data is processed
When an email is scanned, Phishivox processes:
- Sender address, display name, and Reply-To address
- Email subject line
- Email body (text and HTML)
- Email headers (authentication results, routing, mailer)
- URLs found in the email body
- Attachment metadata (filename, MIME type, size, SHA-256 hash) -- attachment content is not stored
What data is stored
- Scan results — Verdict, score, confidence, per-layer breakdown, findings, and recommendations. Retained based on tier (7 days Community, 90 days Professional, 1 year Enterprise).
- Email content for rescan — Body text, HTML, and headers are stored temporarily to enable the rescan feature. Encrypted at rest.
- Click audit logs (Enterprise) — URL clicks, justifications, timestamps, and IP addresses. Retained for 1 year.
- User accounts — Email, hashed password (bcrypt), tier, MFA secrets (encrypted).
What data is NOT stored
- Attachment file content is never stored -- only SHA-256 hashes for VirusTotal lookups
- OAuth tokens are encrypted and never written to logs
- Email content is never used for training or analytics
- No data is shared with third parties except VirusTotal (URL/hash lookups) and Google Safe Browsing (URL checks)
Data retention
Encryption
In transit
All data in transit is encrypted using TLS 1.2+ (TLS 1.3 preferred). This applies to API calls, webhook communications, OAuth flows, and email provider API interactions.
At rest
- Database — Azure Database for PostgreSQL with encryption at rest enabled (AES-256).
- Secrets — JWT signing keys, OAuth tokens, and MFA secrets are stored in Azure Key Vault with RBAC-based access control.
- OAuth tokens — Gmail and M365 tokens are encrypted before storage using Fernet symmetric encryption. The encryption key is stored in Key Vault.
- Passwords — Hashed with bcrypt (cost factor 12). Never stored in plaintext.
Authentication
User authentication
- JWT tokens — Short-lived access tokens signed with HS256. Issued on login.
- MFA support — Optional TOTP-based two-factor authentication with recovery codes.
- Email verification — Required before account activation. Prevents account enumeration.
- Password requirements — Minimum 8 characters. Bcrypt hashing with salt.
OAuth integrations
- Gmail — OAuth 2.0 with `gmail.readonly` scope (user-level) or `Mail.ReadWrite` (enterprise gateway).
- Microsoft 365 — OAuth 2.0 with delegated (user) or application (enterprise) permissions.
- Token refresh — Tokens are refreshed transparently. Updated tokens are re-encrypted and stored.
Session management
Sessions are stateless (JWT-based). Tokens expire after 24 hours. There is no server-side session store. Logging out clears the client-side token.
Access Control
Role-based access
| Role | Scope | Capabilities |
|---|---|---|
| User | Own account | Scan emails, view own results, manage own profile and mailboxes |
| Org Member | Organization | All User capabilities + shared org scan pool |
| Org Admin | Organization | All Member capabilities + manage users, view org analytics, configure gateway, manage quarantine |
| Super Admin | Platform | All capabilities + manage organizations, users, tiers, and coupons |
Tenant isolation
Every database query is scoped to the authenticated user's tenant (user ID or organization ID). Cross-tenant data access is architecturally impossible -- there is no admin API that returns unscoped data.
Infrastructure
Hosting
Phishivox is hosted on Microsoft Azure with resources in the East US region.
- Compute — Azure App Service (Linux containers) with auto-scaling.
- Database — Azure Database for PostgreSQL Flexible Server with automated backups.
- Secrets — Azure Key Vault with RBAC access policies.
- Monitoring — Azure Application Insights and Log Analytics with 30-day retention.
- Container registry — Azure Container Registry (private).
Compliance readiness
- SOC 2 Type II — Architecture designed for SOC 2 compliance. Formal certification in progress.
- GDPR — Data minimization, right to erasure, data portability supported.
- ISO 27001 — Security controls aligned with ISO 27001 framework.
Data residency
All data is processed and stored in Azure East US. Enterprise customers can request specific region deployment. Contact us for data residency requirements.
Privacy & GDPR
Data minimization
We process only the data necessary for phishing detection. We do not mine, analyze, or monetize email content. Email body content is used solely for real-time detection and is retained only for the rescan feature (tier-dependent retention period).
Right to erasure
Users can delete their account at any time. Account deletion removes all personal data, scan results, and stored email content. Enterprise admins can request organization-wide data purge.
Disconnect flows
Disconnecting a mailbox (Gmail or M365) immediately revokes the OAuth token and removes all stored token data. Phishivox can no longer access the mailbox.
Third-party data sharing
Limited data is shared with these services for detection purposes only:
- VirusTotal — URL lookups and file hash (SHA-256) lookups. No email content is shared.
- Google Safe Browsing — URL reputation checks. No email content is shared.
- Azure OpenAI / Anthropic — Email content (truncated to 6,000 characters) is sent for AI analysis when explicitly enabled by the user. Not stored by the AI provider.
Incident Response
In the event of a security incident:
- The incident is triaged and contained within 1 hour of detection.
- Affected customers are notified within 24 hours with details of the impact.
- A root cause analysis is published within 72 hours.
- Remediation steps are implemented and verified before the incident is closed.
Security incidents can be reported to security@phishivox.com.
Responsible Disclosure
We welcome reports of security vulnerabilities from the research community.
Scope
- phishivox.com and all subdomains
- The Phishivox API (api.phishivox.com)
- The URL proxy (shield.phishivox.com)
How to report
Email security@phishivox.com with:
- Description of the vulnerability
- Steps to reproduce
- Impact assessment
- Your preferred contact information
We acknowledge receipt within 24 hours and aim to resolve confirmed vulnerabilities within 90 days. We do not pursue legal action against researchers acting in good faith.
