GDPR Compliance

Last updated: May 2026

Our commitment

Anzol Guard is committed to full compliance with the General Data Protection Regulation (EU) 2016/679. All personal data processed through our platform is handled in accordance with GDPR principles: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and accountability.

Controller and processor roles

Anzol Guard operates in two distinct capacities depending on the data involved:

  • Data Controller: For account data and waitlist data that we collect directly for our own purposes.
  • Data Processor: For employee data uploaded by our customers. In this capacity, we process data only according to documented instructions from the customer, who acts as the data controller.

Data Processing Agreement

Business customers who process EU personal data through Anzol Guard can request our standard Data Processing Agreement (DPA). This agreement sets out the obligations of both parties under GDPR Article 28. To request a DPA, contact us at hello@anzolguard.com.

Data transfers

All personal data is stored and processed within the European Economic Area. We do not transfer personal data to third countries outside the EEA without appropriate safeguards in place.

Sub-processors

We use the following categories of sub-processors to operate the platform:

  • Cloud infrastructure providers (for data storage and compute).
  • Email delivery services (for sending simulated phishing emails and transactional communications).
  • Authentication services (for secure user login).

All sub-processors are bound by GDPR-compliant data processing agreements. We will notify customers of any changes to our sub-processor list with reasonable advance notice.

Data subject rights

Employees who receive simulated phishing emails from Anzol Guard on behalf of their employer may contact their employer directly regarding any data subject rights requests. Customers (data controllers) are responsible for facilitating data subject rights for their employees. We will assist customers in responding to such requests as required by GDPR Article 28.

Security measures

We maintain appropriate technical and organisational security measures, including encryption of data in transit and at rest, access controls and least-privilege principles, regular security testing, and incident response procedures. In the event of a personal data breach, we will notify affected customers within 72 hours of becoming aware of the breach, as required by GDPR Article 33.

Record of processing activities

We maintain records of processing activities as required by GDPR Article 30. These records are available to supervisory authorities upon request.

Contact and supervisory authority

For GDPR-related queries, contact us at hello@anzolguard.com.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Portuguese supervisory authority, the CNPD (Comissão Nacional de Proteção de Dados), at www.cnpd.pt.