Compliance
What the architecture gives your auditors
PhishArmory isn't a certification and doesn't replace your own audit process — this is the evidence our architecture contributes to the program you already run.
| Framework | What we contribute |
|---|---|
| SOC 2 Type II (CC7.2) |
An append-only, tamper-resistant log of every campaign action and every view of sensitive per-recipient data — the system-monitoring evidence CC7.2 audits request. |
| HIPAA / HITECH (45 CFR § 164.308(a)(5)) |
Continuous, timestamped simulation delivery evidence tracked directly against the Security Awareness and Training safeguard, plus role-gated access to per-employee results with the act of viewing itself logged. The platform's data model never includes patient records, EHR data, or any clinical system integration in the first place, so awareness testing stays entirely outside PHI scope rather than needing to be carved out of it. See the healthcare deep dive →. |
| CMMC 2.0 (Level 2 Advanced, AT family) |
Continuous compliance tracking against the Awareness & Training (AT) control family, plus an append-only audit trail and three-tier RBAC (Admin / Operator / Read-only) mapping directly to the Audit & Accountability (AU) family Defense Industrial Base assessors check for. See the government & defense deep dive →. |
| NERC CIP-004-6 (R2) |
Tenant-isolated headers and persistent pretext domains keep simulation traffic cleanly identifiable at the mail layer — supporting Personnel Risk Assessment and Training requirements with zero footprint on OT/ICS networks. See the energy & critical infrastructure deep dive →. |
| PCI DSS 4.0 (Req 12.6.3.1) |
Continuous compliance tracking against the Social Engineering Validation requirement, and tenant-isolated simulation headers that let your fraud-detection and transaction-monitoring systems reliably tell simulated phishing traffic apart from real threat signal, so awareness testing never pollutes Requirement 12.6 evidence. |
| GLBA Safeguards Rule (16 CFR Part 314) / FFIEC IT Handbook |
Continuous compliance tracking against the Information Security Program requirement, aligned to the FFIEC IT Handbook's workforce-training expectations, plus maker-checker dual approval on every launch and host-isolated envelope-encrypted credential storage supporting the Safeguards Rule's access-control documentation requirements for financial institutions. |
| SEC Rule 17a-4 | Our audit log is insert-only at the application layer — no code path updates or deletes a written record — which supports the spirit of Rule 17a-4's non-rewritable, non-erasable recordkeeping expectation. This is an application-layer guarantee, not a WORM storage certification; pair it with your own WORM-compliant retention backend for full Rule 17a-4 coverage. See the financial services deep dive →. |
These rows describe the architectural controls PhishArmory contributes as evidence within your existing compliance program. They are not a claim that PhishArmory itself holds any of these certifications, and none of them constitute independent legal or audit advice — verify current certification and control status with your own counsel and assessors before relying on it in a procurement or audit decision.
Every row above rests on the same platform-level baseline: credentials are protected under host-isolated envelope encryption — a per-secret data key wrapped by a master key that never leaves this host's environment, never the database — and every operator account requires TOTP multi-factor authentication to sign in. See the architecture breakdown → for how each is actually built.
In practice
The same evidence, as your team would see it
A preview of how live simulation metrics roll up into the posture view your security team already checks — resilience score, response speed, and a vector-by-difficulty breakdown, in one place.
Resilience score
3.4
Median TTR
4m 12s
Org. risk grade
B
Vector performance heatmap
Email · Easy
Resilient
Resilient
Email · Medium
Elevated
Elevated
Email · Hard
Untested
Untested
SMS · Easy
Pipeline Integration
Pipeline Integration
SMS · Medium
Pipeline Integration
Pipeline Integration
SMS · Hard
Pipeline Integration
Pipeline Integration
SMS delivery is in pipeline integration — shown for roadmap context only; email is the only vector live today.