Trust & Security

How we protect customer data, how we decide who we sell to, and what enterprise buyers can expect from a security review.

Last updated: 12 July 2026

Our approach

Pwned Labs is a security company, and we hold ourselves to the standard we teach. We build and operate intentionally vulnerable training environments, and we keep those strictly separated from the systems that hold customer and learner data. This page covers how we protect your data, how we decide who we sell to, and what enterprise customers can expect from us during procurement and security review.

Enterprise capabilities

  • Single sign-on (SSO/SAML): integrate Pwned Labs with your identity provider.
  • SCIM provisioning: automate user lifecycle management from your directory.
  • Manager reporting: team dashboards and progress reporting for training leads.
  • Data Processing Agreement (DPA): available on request for enterprise contracts.
  • Security questionnaires: we respond to vendor risk questionnaires as part of enterprise onboarding.

Data protection

We collect the minimum data needed to run the service: account details (name, email), learning progress, and billing data handled by third-party payment processors, so we never store your card details. Customer data is stored on secure servers located in Europe. Data is retained while your subscription is active and for one year after it ends, or deleted earlier on request. We support GDPR and CCPA rights including access, rectification, erasure, and portability. To exercise these rights, contact hi@pwnedlabs.io. Full details are in our Privacy Policy.

Customer screening and sanctions compliance

Our content constitutes practical offensive cybersecurity capability, so we apply diligence beyond that of ordinary SaaS. Every customer, from individual signups to enterprise contracts, is screened against international sanctions and denied-party lists, including the UN Consolidated List, UK OFSI, the EU Consolidated List, and US OFAC SDN and BIS Entity Lists. Diligence is risk-tiered: enterprise and reseller relationships undergo enhanced checks including beneficial ownership review. We do not provide services to comprehensively embargoed jurisdictions, and active customers are re-screened at renewal and when sanctions lists change.

Compliance and certifications

ISO 27001 certification is in progress. Our information security management system is already operating ahead of certification, and we can walk enterprise security teams through our controls and share supporting documentation under NDA as part of procurement.

Responsible disclosure

We welcome good-faith security research. If you believe you have found a vulnerability in our services, report it to security@pwnedlabs.io. Our full scope, response commitments, and safe harbor terms are in our Vulnerability Disclosure Policy, and we publish a security.txt.

Subprocessors

We use a small number of third-party providers to deliver the service, including HubSpot for our website, CRM, and customer communications, and Recurly for payment processing. A complete, current subprocessor list is available on request.

Contact

Security questions: security@pwnedlabs.io
Privacy and data rights: hi@pwnedlabs.io
Enterprise procurement: contact us