CanIPhish relies on a small number of trusted third-party subprocessors to deliver certain platform features, such as AI-powered content, voice phishing, and dark web monitoring. Privacy Settings gives you control over which non-essential subprocessors are permitted to process your organization's data.
When you disable a subprocessor, any functionality it powers is turned off across your tenant. This lets you tailor the platform to your organization's data-privacy requirements.
Who can access Privacy Settings
Privacy Settings can be viewed by Super Admins. Changing which subprocessors are used requires an Enterprise subscription – on lower tiers you can review your subprocessors and their data locations, but the toggles are disabled. Because changes apply to your entire tenant, we recommend reviewing them with your security or compliance team first.
How to open Privacy Settings
- Sign in to CanIPhish.
- Go to Platform Settings.
- Select Privacy Settings to open the Privacy Settings panel.
Understanding the Privacy Settings panel
The panel is divided into two sections and shows the data location for each subprocessor:
- Platform Subprocessors – subprocessors that may process employee or tenant information when delivering platform functionality. These can be toggled on or off (with the exception of Amazon Web Services, which is essential).
- CanIPhish Business Operations – subprocessors used to run our business (support, billing, and marketing). These do not process your employee information and cannot be toggled.
Tip: Each subprocessor row displays its Data Location – the region where that subprocessor processes data. See Data locations below for a full reference.
Platform subprocessors
The table below lists each platform subprocessor, the functionality it powers, and whether it can be disabled.
| Subprocessor | Powers | Can be disabled? |
|---|---|---|
| Amazon Web Services | Core cloud hosting and storage for all platform data and services. | No – essential |
| Microsoft Azure OpenAI | AI functionality across the platform, including conversational email phishing, AI threat analysis, the AI content generator, the AI program manager, the AI chat widget, AI employee profiling, and the AI knowledge source. | Yes |
| ElevenLabs | Conversational AI voice for simulated voice phishing and callback phishing, and the text-to-speech used by the AI video generator. | Yes |
| Telnyx | Voice-over-IP call delivery for simulated voice phishing and callback phishing. | Yes |
| Twilio | The double opt-in SMS workflow used to verify employee consent before voice phishing simulations. | Yes |
| Fal AI | Serverless AI infrastructure that orchestrates AI training video generation. | Yes |
| Veed | AI video models that transform video scripts into professional-quality training videos. | Yes |
| Have I Been Pwned | Dark web monitoring, which identifies whether employee email addresses have been exposed in data breaches. | Yes |
What happens when you disable a subprocessor
Disabling a subprocessor immediately blocks the functionality it powers. Any buttons or actions that rely on it are disabled, and attempts to use that functionality (including via the API) are prevented. The table below summarizes what becomes unavailable.
| If you disable… | The following becomes unavailable |
|---|---|
| Microsoft Azure OpenAI |
|
| ElevenLabs |
|
| Telnyx |
|
| Twilio |
|
| Fal AI or Veed |
|
| Have I Been Pwned |
|
Subprocessor dependencies
Some subprocessors work together to deliver a feature. When subprocessors are coupled, disabling one automatically disables the others it depends on:
- ElevenLabs is coupled with Fal AI, Veed, and Twilio. Disabling ElevenLabs also disables all three. They cannot be re-enabled until ElevenLabs is re-enabled.
- Fal AI and Veed together power AI video generation, so they are mutually dependent. Disabling either one also disables the other, and re-enabling either one re-enables both.
Note: When you turn a subprocessor off, CanIPhish shows you exactly which coupled subprocessors and features will be affected before the change is applied.
A note about Have I Been Pwned and Dark Web Monitoring
Dark Web Monitoring (powered by Have I Been Pwned) is opt-in and off by default. Because turning it on requires accepting the Dark Web Monitoring terms, Have I Been Pwned behaves differently from the other subprocessors in Privacy Settings:
- From Privacy Settings you can only disable Have I Been Pwned (opt out of dark web monitoring).
- You cannot re-enable it from Privacy Settings. To turn it back on, activate Dark Web Monitoring from the Employee Risk section and accept the terms. Doing so re-enables the Have I Been Pwned subprocessor.
Data locations
Each subprocessor processes data in a specific region. Amazon Web Services and Microsoft Azure OpenAI process data in your tenant's data storage location (the region you selected when your account was created).
| Subprocessor | Data location |
|---|---|
| Amazon Web Services | Your data storage location |
| Microsoft Azure OpenAI | Your data storage location* |
| ElevenLabs | United States |
| Telnyx | Points of Presence in the USA, Ireland, Netherlands, Australia, Singapore, Canada, and the UK |
| Twilio | United States |
| Fal AI | United States |
| Veed | United States |
| Have I Been Pwned | Australia |
* Azure OpenAI processing matches your data storage location, with two exceptions: if your storage location is Singapore, Azure OpenAI processing is conducted out of Japan; if your storage location is the United Arab Emirates, it is conducted out of Germany.
CanIPhish Business Operations
The following subprocessors support our day-to-day business operations, such as customer support, billing, and marketing. They do not process your employee information and therefore cannot be toggled.
| Subprocessor | Purpose | Data location |
|---|---|---|
| Microsoft 365 | Corporate email, video conferencing, and document storage. | Australia |
| Zendesk | Knowledgebase, live chat, and offline chat support. | Australia |
| Monday | Customer relationship management (CRM). | United States |
| Klaviyo | Marketing and product-update emails to platform administrators. | United States |
| Stripe | Payment processing and subscription billing. | United States |
Re-enabling a subprocessor
To restore functionality, open Privacy Settings and toggle the subprocessor back on. The associated features become available again immediately. Two exceptions apply:
- If a subprocessor is coupled with another (for example, Fal AI and Veed, or the ElevenLabs group), re-enable them according to the dependency rules described above.
- Have I Been Pwned cannot be re-enabled from Privacy Settings – re-activate Dark Web Monitoring from the Employee Risk section instead.
Frequently asked questions
Why are the toggles greyed out?
Changing which subprocessors are used requires an Enterprise subscription. On lower tiers you can review your subprocessors and data locations, but the toggles are disabled. To make changes, upgrade to Enterprise or contact your account manager.
Why can't I turn Have I Been Pwned back on from Privacy Settings?
Dark Web Monitoring is opt-in and requires accepting its terms, so it can only be enabled from the Dark Web Monitoring activation flow (Employee Risk section). In Privacy Settings you can only opt out. Re-activating Dark Web Monitoring re-enables the Have I Been Pwned subprocessor.
Does disabling a subprocessor delete data that was already processed?
No. Disabling a subprocessor prevents any new data from being sent to it and turns off the related functionality. It does not retroactively delete data that was processed before the change.
Can I disable Amazon Web Services?
No. Amazon Web Services provides the core hosting and storage that the entire platform runs on, so it is marked as essential and cannot be disabled.
Will disabling a subprocessor affect campaigns that are already scheduled?
Yes. Enforcement applies across the platform, so functionality that depends on a disabled subprocessor is blocked even for previously scheduled activity. For example, if you disable ElevenLabs or Telnyx, voice and callback phishing will not run.
Where can I learn more about how CanIPhish handles data?
For full details on our subprocessors, data processing, and data locations, visit our Trust Centre.
Comments
0 comments
Please sign in to leave a comment.