Security & Trust
How Phishaver handles your email data
Read-only API access. In-memory analysis. Minimal retention. Encryption in transit and at rest. This page explains exactly what Phishaver reads, what it stores, and how it's protected.
Data access model
Phishaver reads inbound email metadata and body content through read-only API access. No SMTP access, no MX record involvement.
Microsoft 365 access
Phishaver connects via Microsoft Graph API with the Mail.Read delegated permission scope. This is a read-only scope — Phishaver can read inbound messages but cannot send, move, delete, or modify any email. Authorization is performed via standard OAuth 2.0 and can be revoked at any time from the Microsoft 365 admin center.
Google Workspace access
Phishaver connects via Gmail API with the gmail.readonly scope. This is a read-only scope with no ability to send, move, delete, or modify messages. Authorization is performed via Google OAuth 2.0 and can be revoked at any time from the Google Workspace admin console.
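One way to check a consent grant against the two read-only scopes named above (an added example, not Phishaver's code). It assumes you have exported the grant's scopes yourself, for Microsoft 365 as a Graph oauth2PermissionGrant record and for Google as a list of scope strings; the `SIGN_IN` allow-list and the sample records are constructed for illustration.

```python
"""Added example: audit OAuth grant scopes against the read-only scopes named on this page."""

GOOGLE_PREFIX = "https://www.googleapis.com/auth/"

# Mailbox scopes this page says Phishaver requests.
DOCUMENTED = {"microsoft": {"mail.read"}, "google": {"gmail.readonly"}}

# Assumption: sign-in scopes that often accompany a delegated grant and give
# no mailbox access. Tighten or extend this set to match your own policy.
SIGN_IN = {"openid", "profile", "email", "offline_access", "user.read",
           "userinfo.email", "userinfo.profile"}


def normalize(scope):
    """Strip the Google scope URL prefix and lower-case for comparison."""
    scope = scope.strip()
    if scope.startswith(GOOGLE_PREFIX):
        scope = scope[len(GOOGLE_PREFIX):]
    return scope.lower()


def audit_grant(provider, scopes):
    """Return (missing, unexpected) scope sets for one grant."""
    granted = {normalize(s) for s in scopes if s.strip()}
    missing = DOCUMENTED[provider] - granted
    unexpected = granted - DOCUMENTED[provider] - SIGN_IN
    return missing, unexpected


def audit_graph_grant(grant):
    """Graph oauth2PermissionGrant keeps scopes in one space-separated string."""
    return audit_grant("microsoft", grant.get("scope", "").split())


# Constructed sample records, not real tenant data.
GRAPH_OK = {"consentType": "AllPrincipals", "scope": " Mail.Read User.Read offline_access"}
GRAPH_WIDE = {"consentType": "AllPrincipals", "scope": "Mail.Read Mail.Send Mail.ReadWrite"}
GOOGLE_WIDE = [GOOGLE_PREFIX + "gmail.readonly", "openid", GOOGLE_PREFIX + "gmail.modify"]

if __name__ == "__main__":
    for name, result in [("graph ok", audit_graph_grant(GRAPH_OK)),
                         ("graph wide", audit_graph_grant(GRAPH_WIDE)),
                         ("google wide", audit_grant("google", GOOGLE_WIDE))]:
        missing, unexpected = result
        verdict = "matches page" if not missing and not unexpected else "REVIEW"
        print(f"{name}: {verdict} missing={sorted(missing)} unexpected={sorted(unexpected)}")
```

Any scope reported as unexpected (for example Mail.Send or gmail.modify) means the grant is broader than the read-only access described here and should be reviewed before approval.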
What Phishaver does not do
No MX record changes. No email forwarding rules. No SMTP relay. No email delivery involvement. Phishaver is purely a read-only observer of your inbound mail stream. Your email delivery path is not altered in any way.
Data storage scope
Email body content is analyzed in-memory during the detection pipeline. Only threat event metadata is retained: sender address (not contact book data), subject line snippet (first 64 characters), threat type, confidence score, and detection evidence. Raw email bodies are not stored beyond the analysis window.
Encryption and transport security
Data in transit
All API communication between Phishaver and Microsoft Graph API / Gmail API uses TLS 1.3. All communication between the Phishaver dashboard and your browser uses TLS 1.3 with HSTS enforced. TLS 1.1 and below are not supported.
Data at rest
Stored event metadata (threat logs, confidence scores, sender metadata) is encrypted at rest using AES-256. Encryption keys are managed using envelope encryption with per-tenant key derivation.
Retention
Threat event metadata is retained for the period configured on your plan (14 days for Starter, 90 days for Growth, configurable for Enterprise). After the retention window, event records are permanently deleted. Deletion is irreversible — export before your window closes if you need longer records.
Authentication
Dashboard access uses OAuth 2.0 authorization. All analyst sessions require MFA where configured. Enterprise customers can enforce SSO via Okta or Azure AD / Entra ID with conditional access policies applied at your identity provider.
Compliance posture
The following describes how Phishaver's controls are designed to support compliance — not claims of formal certification.
SOC 2 controls
Phishaver is built with SOC 2 Type II controls in mind. Controls documentation is available to Enterprise prospects on request. This documents our access management, data retention, audit logging, and incident response controls — it is not a SOC 2 Type II audit report or certification claim.
NIST SP 800-53
Alignment notes for NIST SP 800-53 IA-4 (Identifier Management) and related controls are available to Enterprise customers on request. These notes document how Phishaver's controls are designed to support compliance with NIST SP 800-53; they are not a formal NIST assessment.
CIS Controls
Alignment documentation for CIS Control 9 (Email and Web Browser Protections) is available on request. Phishaver's email threat detection capabilities are designed to support implementation of CIS Control 9 requirements for mid-market organizations.
DMARC/DKIM/SPF
Phishaver's header authentication analysis checks SPF, DKIM, and DMARC alignment on every inbound email, surfacing authentication gaps alongside threat detection. Our implementation guidance to customers also aligns with DMARC adoption best practices.
Responsible disclosure
If you discover a security vulnerability in Phishaver's platform, API, or website, we ask that you report it to us responsibly before public disclosure. We commit to acknowledging receipt within 2 business days and providing a status update within 7 business days.
Please do not test against production customer environments or attempt to access data belonging to other customers. We ask for coordinated disclosure — allow us reasonable time to remediate before public disclosure.
[email protected]
Questions?
Talk to us about your security requirements.
Enterprise customers can request our controls documentation, penetration test summary, and compliance alignment notes before signing.