Org-wide phishing protection, no rip-and-replace.
Give your team a second opinion on every suspicious message - as bulk triage, a connector, or an API. Without replacing your mail infrastructure.
"An API for the question is this real? - in the shape we already call Safe Browsing with."- Theo, backend architect
A bearer token, an HTTPS connection, an OpenAPI 3.1 client library. That's it.
A stable API, an MCP server for AI agents, a heuristic fallback on model outage, signed audit trails for compliance.
The expensive, targeted mails - not just bulk spam.
Your spam filter catches the obvious 95 %. Scampilot is the on-demand second opinion for the rest.
Bulk triage
Collect suspicious mails, score them in one pass, surface them ranked by risk.
Connector, not migration
Inline checks alongside your existing mailbox - no mail-server switch.
Audit trail
Every check logged: who, when, what verdict - exportable for compliance.
EU DPA without lawyer-months
Data processing with a named subprocessor list, EU hosting, no model training.
Who wires Scampilot into enterprises.
We talked to four very different teams. Each use case has its own page with a concrete stack and compliance notes.
IT admins & security teams
Protect 250 employees from spear-phishing without replacing your mail infrastructure. One forward connector and an Outlook add-in.
See the use case →
Banks & fintechs
Classify "phishing@my-bank.de" automatically. Thousands of customer-submitted mails per day, 90 % genuine, 10 % false alarms - no need to triage by hand.
See the use case →
Email providers & ESPs
"Check this mail" button for your webmail UI. End customers get the report in your branding; you pay per analyzed message.
See the use case →
Developers & AI agents
REST + MCP for your own client, Slack bot, or Claude agent. Structured responses, OpenAPI spec, stable contracts.
See the use case →
From pilot to org-wide coverage.
Start small, with one team. Roll out when the numbers add up.
Pilot with one team
Connector or API for one department. We set it up in days, not quarters.
Triage into your workflows
Suspicious mails run through Scampilot before escalation. Verdicts land in your helpdesk.
Org-wide with an SLA
Higher quotas, 99.5 % SLA, a dedicated account manager, custom-branded reports.
Contracts your compliance team waves through.
One table, one PDF, one DPA. Not four weeks of back and forth.
| Data processing (GDPR Art. 28) | Standard DPA as an appendix to the main contract. EU SCC for AI and email sub-processors. |
| Hosting | EU hosting provider, sites in Falkenstein and Frankfurt. DE/EU, ISO/IEC 27001 certified. |
| Storage encryption | LUKS full-disk on all DB hosts. Backups separately encrypted with a dedicated key. |
| Transport security | TLS 1.3 enforced. HSTS with a 6-month header + preload entry. |
| Audit trail | Append-only audit log for all privileged actions. Available on request as a database export for audits. |
| Pen test | Annual, by a BSI-approved assessor. Latest report available under NDA. |
| SLA | 99.5 % uptime on the business tier (in preparation). Q2 2026. |
Frequently asked questions
Does Scampilot cover CEO fraud and invoice fraud?
Yes. Detection evaluates email authentication (SPF/DKIM/DMARC), lookalike domains, and payment and urgency patterns - the classic signals of CEO fraud and forged invoices (BEC).
Can Scampilot integrate with our organisation?
Yes: REST API, bulk checks, webhooks, SSO/SAML and SCIM provisioning, plus audit logs and a custom DPA.
Where is the data held for regulated teams?
On EU servers, with no US data flows and no model training on content - with audit trails and exportable evidence.
