Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Agreement between Wolfcore Ltd, a company registered in England and Wales (company no. 16308559), registered office at 72 Newbiggin, Malton, North Yorkshire, YO17 7JF (“Processor”, “Wolfcore”), and the Customer identified in the Agreement (“Controller”). It records the parties’ obligations in respect of personal data processed by Wolfcore on the Customer’s behalf through the Platform, and reflects Article 28 of the UK GDPR.
1. Definitions
1.1 “Data Protection Law” means the UK GDPR, the Data Protection Act 2018, and all other applicable laws relating to the processing of personal data.
1.2 “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, “Personal Data Breach” and “Sub-Processor” have the meanings given in Data Protection Law.
1.3 “Customer Personal Data” means the Personal Data processed by Wolfcore on the Customer’s behalf under the Agreement, as described in Annex 1.
1.4 “Customer” and “Platform” have the meanings given in the Terms & Conditions into which this DPA is incorporated.
2. Roles and scope
2.1 The Customer is the Controller and Wolfcore is the Processor of the Customer Personal Data. The subject matter, duration, nature and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are set out in Annex 1.
2.2 Each party will comply with its obligations under Data Protection Law. The Customer warrants that it has a lawful basis for the processing and that its instructions are lawful.
3. Processor obligations
Wolfcore will:
3.1 process the Customer Personal Data only on the Customer’s documented instructions (including the Agreement and use of the Platform’s configuration options), unless required to do otherwise by law, in which case it will inform the Customer first unless legally prohibited;
3.2 ensure that personnel authorised to process the Customer Personal Data are bound by appropriate obligations of confidentiality;
3.3 implement and maintain the technical and organisational measures set out in Annex 2, appropriate to the risk in accordance with Article 32 of the UK GDPR;
3.4 not engage another Sub-Processor without the Customer’s general authorisation. The Customer authorises the use of the Sub-Processors listed in Annex 3. Wolfcore will inform the Customer of any intended changes to its Sub-Processors and give the Customer the opportunity to object on reasonable data-protection grounds; Wolfcore will impose data-protection obligations on each Sub-Processor that are no less protective than those in this DPA and remains liable for its Sub-Processors’ acts and omissions;
3.5 taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights;
3.6 assist the Customer in ensuring compliance with its obligations under Articles 32 to 36 of the UK GDPR (security, breach notification, data-protection impact assessments and prior consultation), taking into account the nature of processing and the information available to Wolfcore;
3.7 at the Customer’s choice, delete or return all Customer Personal Data on termination of the services and delete existing copies, unless storage is required by law;
3.8 make available to the Customer information reasonably necessary to demonstrate compliance with Article 28, and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates, on reasonable prior notice and subject to confidentiality; and
3.9 immediately inform the Customer if, in its opinion, an instruction infringes Data Protection Law.
4. Personal data breach
4.1 Wolfcore will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting the Customer Personal Data, and will provide information reasonably available to it to assist the Customer in meeting its breach-notification obligations.
5. International transfers
5.1 Wolfcore will not transfer Customer Personal Data outside the UK except in accordance with the Agreement and Data Protection Law, relying on an appropriate transfer mechanism (such as UK adequacy regulations, the UK International Data Transfer Agreement or Addendum, or Standard Contractual Clauses) where required. Relevant Sub-Processor locations and safeguards are indicated in Annex 3.
6. Liability
6.1 Each party’s liability under or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Terms & Conditions.
7. Term and governing law
7.1 This DPA takes effect on the same date as the Agreement and continues for as long as Wolfcore processes Customer Personal Data. It is governed by the laws of England and Wales as described in clause 17.1 of the Terms & Conditions.
Annex 1 — Details of processing
Subject matter: provision of the Phishy authorised phishing-simulation Platform to the Customer.
Duration: for the term of the Agreement and any retention period agreed thereafter.
Nature and purpose: delivering simulated phishing messages to Target Recipients; tracking and recording interaction (opens, clicks, simulated credential-submission events); breach-exposure lookups; generating reports; and providing security-awareness training.
Types of Personal Data: name; work email address; phone number; department; simulation interaction events (including IP address and timestamps of opens, clicks and submission events); and breach-exposure indicators derived from the email address. Submitted passwords are not stored.
Categories of Data Subjects: the Customer’s employees, workers and contractors, and any other individuals the Customer is lawfully entitled to include as Target Recipients.
Special category data: none is intended or required to be processed.
Annex 2 — Technical and organisational measures
- Encryption of data in transit (TLS) and encryption of sensitive data at rest;
- a design that discards submitted simulation passwords and does not store them;
- role-based access control and the principle of least privilege;
- audit logging of relevant administrative and security events;
- network and infrastructure controls, reverse-proxy and certificate management;
- automated data-deletion processes with a defined retention/cooling-off period (currently 30 days);
- regular backups and independent security testing of the Platform;
- staff confidentiality obligations.
Annex 3 — Authorised Sub-Processors
| Provider | Service provided | Location / transfer safeguard |
|---|---|---|
| Supabase | Database and storage | AWS eu-west-1 (Ireland, EU) |
| SendGrid (Twilio) | Email delivery | US — SCCs / UK IDTA |
| Twilio | SMS delivery | US — SCCs / UK IDTA |
| Stripe | Payment processing | US/EU — SCCs / UK IDTA |
| Anthropic | AI-assisted message personalisation | US — SCCs / UK IDTA |
| XposedOrNot | Breach-exposure lookup by email | Google Cloud / Cloudflare — outside UK |
| Hetzner | Cloud hosting / infrastructure | EU (Germany) |