2026-05-24 · 5 min read · sota.io Team

Terranova Security EU Alternative 2026: CLOUD Act 18/25 and Employee Vulnerability Data

Post #4 in the sota.io EU Security Awareness Training Series


Terranova Security was founded in 2002 in Montreal, Quebec — a Canadian company operating under PIPEDA, in a country that holds GDPR adequacy status under Article 45. For EU organisations, a Canadian SAT vendor looked like a pragmatic middle ground: not EU-native, but adequacy-covered, not subject to US jurisdiction.

In July 2022 that calculus changed. Proofpoint Inc. acquired Terranova Security and absorbed it into its Security Awareness Training portfolio. Proofpoint is a Delaware corporation headquartered in Sunnyvale, California, privately held since August 2021 by KKR & Co. — Kohlberg Kravis Roberts, the New York private equity firm that completed a $12.3 billion buyout. The Canadian adequacy shield fell the moment data control transferred to a US parent entity. Every phishing simulation your employees see, every click rate, every vulnerability score, every training completion record is now processed by a company subject to 18 U.S.C. §2713 — the CLOUD Act.

This post is the fourth in our five-part EU Security Awareness Training series. We cover KnowBe4, Cofense, SANS Security Awareness, Terranova, and a series finale with a side-by-side CLOUD Act matrix.


What Is Terranova Security?

Terranova Security (now operating as Proofpoint Security Awareness Training) offers a cloud-based security awareness training platform targeting enterprise and mid-market organisations globally.

Core products:

Terranova competes directly with KnowBe4, Cofense, SANS Security Awareness (Elevate), and Proofpoint's own legacy SAT product (which Terranova now replaces within the Proofpoint suite).


CLOUD Act Score: 18 / 25

The sota.io CLOUD Act scoring model evaluates 25 risk indicators across five categories: corporate structure, government relationships, data sensitivity, data location, and contractual protections.

| Category | Score | Reason |
|---|---|---|
| Corporate structure | 5/5 | Proofpoint Inc. = Delaware C-Corp, KKR NY private equity. Terranova operates as a fully absorbed subsidiary — no independent Canadian legal entity holding data. Canadian PIPEDA adequacy does not extend to the Delaware parent. |
| Government relationships | 4/5 | Proofpoint holds FedRAMP High authorisation, US DoD IL2/IL4 clearances, and a CISA/JCDC partnership. The Microsoft partnership (see paradoxes) adds secondary US government exposure via M365 government cloud integrations. |
| Data sensitivity | 5/5 | Security awareness training data is a complete employee vulnerability map: who clicks phishing links, when, from which device, which department has the weakest security posture, which individuals are serial offenders. Highest sensitivity category in this series. |
| Data location | 3/5 | Proofpoint operates EU data centres; post-acquisition, Canadian infrastructure was absorbed into Proofpoint's US-controlled cloud estate. The control plane (API, management, analytics) remains US-operated. |
| Contractual protections | 1/5 | Standard Contractual Clauses are available, but the CLOUD Act overrides SCCs for US-parent-held data. KKR private ownership eliminates public accountability. No independent audit rights for EU regulators. |
| Total | 18/25 | High CLOUD Act exposure |

18/25 interpretation: A US government warrant under the CLOUD Act can compel Proofpoint to produce phishing simulation histories, per-employee click rates, vulnerability scores, training records, and People Risk Intelligence dashboards — regardless of your DPA, SCCs, or EU data centre selection. The data controller is a Delaware C-Corp. GDPR Art. 44 transfer restrictions do not prevent a US court order directed at a US company.

For comparison: SoSafe GmbH (Cologne, Germany) scores 0/25 — German GmbH, no US parent, no government relationships, fully EU-operated data centres.


Three Paradoxes That EU Procurement Teams Miss

Paradox 1: The Microsoft-Exclusive Partnership Paradox

Terranova's most powerful sales argument is its status as Microsoft's exclusive security awareness training partner for Microsoft 365. The integration is seamless: phishing simulations trigger from within Microsoft Attack Simulator, training assignments push through Viva Learning, risk scores surface in the Microsoft 365 Defender portal, and compliance reports flow into Microsoft Purview.

The procurement framing is: "If you're already on M365, Terranova is the natural SAT choice — zero friction, native integration."

The CLOUD Act framing is different: EU organisations deploying M365 combined with Terranova now have dual Delaware CLOUD Act exposure — Microsoft Corporation (Redmond, Washington / Delaware C-Corp) and Proofpoint Inc. (Sunnyvale, California / Delaware C-Corp with KKR NY ownership). Employee phishing data flows through two parallel US CLOUD Act jurisdictions simultaneously. The "native integration" that reduces IT friction also reduces legal separation.

EU organisations that selected Terranova specifically because it was a Canadian vendor now face the same jurisdictional risk as US-headquartered SAT vendors — but with an additional M365 cross-service data flow that their earlier Canadian-era DPAs did not contemplate.

DSGVO Art. 26 implication: The joint control arrangement between Microsoft and Proofpoint for integrated M365-Terranova deployments creates obligations that few EU organisations have formally documented. Who is the lead controller for phishing simulation data that flows through Outlook, is stored in M365, and is also logged by Terranova's platform? Both companies hold copies. Both are Delaware C-Corps.

Paradox 2: The PIPEDA Adequacy Paradox

Canada is one of eleven countries that hold GDPR adequacy status under Article 45 (Commission Decision 2001/497/EC, renewed). PIPEDA — Canada's Personal Information Protection and Electronic Documents Act — provides protections that the European Commission has assessed as essentially equivalent to GDPR. This adequacy determination covers cross-border data transfers without the need for SCCs or BCRs.

Many EU organisations carry an institutional memory of Terranova as a Canadian vendor. DPAs and transfer impact assessments drafted before 2022 may reference Canadian adequacy as the legal basis for data transfers.

The legal reality after July 2022: Canadian adequacy does not follow data to a US parent. When Proofpoint acquired Terranova, data control transferred to a Delaware C-Corp. PIPEDA adequacy covers Canadian companies processing data under Canadian law — not US subsidiaries processing data on behalf of a US parent. A CLOUD Act warrant directed at Proofpoint Inc. does not route through Canadian privacy law. It is served on the Delaware entity directly.

EU organisations have an obligation under GDPR Art. 30 (records of processing) and Art. 44 to reassess their legal basis for transfers when a vendor changes corporate structure. The Terranova acquisition triggered this reassessment obligation in 2022. DPOs who have not updated their transfer impact assessments since then are operating on a stale legal basis.

Paradox 3: The World's Biggest Phish Benchmark Paradox

Each year, Terranova publishes the "World's Biggest Phish" — a global phishing benchmark report drawing on anonymised simulation data from thousands of participating organisations. The report provides industry-vertical click rates, failure rates by department, device type breakdowns, and temporal patterns. It is genuinely useful intelligence.

The dataset behind this report is aggregated from Terranova's customer base — including EU organisations participating in the benchmark exercise. The aggregation, processing, and analysis of this cross-organisation dataset occurs under Proofpoint's US corporate structure, subject to CLOUD Act jurisdiction.

The specific risk: The World's Biggest Phish dataset is not merely anonymised statistics. The underlying dataset — from which the statistics are derived — contains per-organisation phishing results, including industry sector, organisation size, and simulation parameters. A CLOUD Act request for Proofpoint's benchmark dataset would expose not just aggregate statistics but the underlying customer-level data from which they are computed.

EU organisations that opt into the World's Biggest Phish benchmark are contributing their employee vulnerability profiles to a US-jurisdiction dataset. The benchmark's value to them comes from comparing against peers — but so does the value to any intelligence or competitive adversary seeking to understand EU enterprise security postures across industry verticals.

NIS2 Art. 21(2)(d) supply chain risk: NIS2 requires essential and important entities to assess security risks in their supply chain, including at the software supply chain level. A SAT vendor that aggregates cross-organisation employee vulnerability data and holds it under foreign jurisdiction represents a supply chain concentration risk that most NIS2 Art. 21 risk assessments have not explicitly addressed.


EU-Native Alternatives: 0/25 CLOUD Act Exposure

SoSafe GmbH — Cologne, Germany

SoSafe is the European market leader in security awareness training, founded in 2018 and headquartered in Cologne. Incorporated as a German GmbH, it processes all data exclusively in EU data centres (Hetzner and dedicated EU infrastructure). No US parent, no US investment that creates a US corporate presence, no government relationships.

CLOUD Act score: 0/25. German GmbH → no US jurisdiction exposure.

Core offering: Phishing simulations, microlearning, mobile-first training, GDPR/NIS2/DORA compliance reports, Defender-for-Office-365 integration without cross-border data flow. Customer base: 4,000+ European organisations including DAX-listed enterprises, German Mittelstand, and public sector.

Versus Terranova: SoSafe lacks the Microsoft-exclusive partnership badge, but offers native M365 integration without the CLOUD Act overhang. The absence of the "World's Biggest Phish" benchmark is a feature, not a limitation — EU employee vulnerability data stays EU-sovereign.

Hoxhunt Oy — Helsinki, Finland

Hoxhunt is a Finnish SaaS company founded in 2016, incorporated as an Oy under the Finnish Limited Liability Companies Act. Data is processed in the EU (Microsoft Azure West Europe). No US parent entity.

CLOUD Act score: 0/25. Finnish Oy → no US jurisdiction.

Core offering: Gamified phishing simulation, adaptive training paths, real attack reporting via Outlook add-in ("Report" button that identifies real threats), integration with Microsoft Sentinel and Defender. Known for higher employee engagement rates than traditional LMS-style SAT platforms.

Versus Terranova: Hoxhunt's Microsoft integration is deep (Outlook, Defender, Sentinel) without the Microsoft-exclusive partnership creating joint controller obligations. Training data stays in EU Azure infrastructure under Finnish corporate control.

Phished — Gent, Belgium

Phished is a Belgian cybersecurity company founded 2017, incorporated as a Belgian NV (Naamloze Vennootschap). All data processing within the European Economic Area. No US parent, no Five Eyes government relationships.

CLOUD Act score: 0/25. Belgian NV → no US jurisdiction.

Core offering: AI-driven phishing simulation personalised to each recipient (the recipient's behaviour history is used to select the phishing templates most likely to catch that specific individual), automated training assignment, risk scoring, and native GDPR compliance reporting.

Versus Terranova: Phished's personalisation engine is technically sophisticated — simulations adapt to individual behaviour rather than generic templates. No "World's Biggest Phish" style cross-organisation benchmarking means EU employee data does not contribute to a cross-customer dataset under foreign jurisdiction.


Regulatory Framework for SAT Procurement in 2026

NIS2 Art. 21 — Security Measures

NIS2 Art. 21(1) requires essential and important entities to take "appropriate and proportionate technical, operational and organisational measures" to manage cybersecurity risk. Art. 21(2)(g) specifically requires "cybersecurity training policies and practices" — security awareness training is explicitly mandated.

The supply chain risk assessment requirement under Art. 21(2)(d) applies to SAT vendors. A vendor holding employee vulnerability maps under US jurisdiction is a supply chain risk that NIS2 compliance frameworks must document.

DORA Art. 28 — ICT Third-Party Risk

For EU financial institutions subject to DORA (in force since January 2025), SAT vendors qualify as ICT third-party service providers under Art. 3(21). DORA Art. 28 requires documented risk assessments, contractual provisions (Art. 30), and — for critical ICT providers — supervisory access rights. DORA does not exempt security awareness training from third-party risk management requirements.

GDPR Art. 9 — Special Categories

Security awareness training data approaches special category territory when vulnerability profiles intersect with disability, mental health indicators, or age-related susceptibility patterns. Art. 9 processing requires explicit consent or an Art. 9(2) exemption. SAT vendors rarely articulate their Art. 9 position in their DPAs.

DSGVO §26 — Employee Data

Under German employment law (DSGVO §26 / BDSG), processing employee data for security monitoring requires co-determination by the works council (Betriebsrat). Phishing simulations that track individual employees by name — which all major SAT platforms do — require an operating agreement (Betriebsvereinbarung) in German-law jurisdictions. Cross-border transfers of this data to a US parent compound the §26 compliance burden.


Decision Framework: Terranova vs EU-Native SAT

Are you subject to NIS2 (essential/important entity)?
├── YES → DORA/NIS2 require documented supply chain risk assessment
│   ├── Can you document that US CLOUD Act exposure is acceptable? → Terranova OK
│   └── Cannot document acceptable risk → EU-native required (SoSafe, Hoxhunt, Phished)
└── NO → Standard GDPR Art. 44 transfer assessment applies
    ├── Do you have a valid TIA covering post-2022 Proofpoint corporate structure? → Terranova OK
    └── TIA not updated since 2022 → Update required before continuing use

Microsoft 365 integration requirement:

German Works Council (Betriebsrat) requirement: All four vendors (Terranova, SoSafe, Hoxhunt, Phished) require a Betriebsvereinbarung for individual-level phishing tracking in German-law jurisdictions. EU-native vendors simplify the cross-border transfer element of the Betriebsvereinbarung negotiation.

World's Biggest Phish benchmark participation: EU organisations should opt out of cross-organisation benchmark programmes operated under US jurisdiction. EU-native vendors offer peer benchmarking without the associated cross-border data flow.


What Proofpoint's Acquisition Changed (And What Your DPA Doesn't Cover)

Most enterprise SAT contracts are multi-year. EU organisations that signed with Terranova between 2002 and 2022 have DPAs referencing a Canadian company operating under PIPEDA with Canadian adequacy as the transfer mechanism.

The July 2022 acquisition created three gaps:

Gap 1 — Transfer mechanism: Canadian adequacy no longer applies. SCCs were required from the moment data control transferred to Proofpoint's Delaware entity. DPAs that were not updated in 2022–2023 are operating on a lapsed legal basis.

Gap 2 — Data controller identity: The data controller named in pre-2022 DPAs is "Terranova Security Inc." or "Terranova Corporation." Post-acquisition, the effective controller is Proofpoint Inc. GDPR Art. 30 records must reflect the actual controller. DPOs who have not updated their records are in violation of their Art. 30 obligations.

Gap 3 — KKR ownership clause: KKR's private equity ownership is typically not addressed in enterprise SAT DPAs. PE ownership creates M&A risk — Proofpoint could be sold or restructured again. EU organisations have no contractual right to require data repatriation or termination rights in the event of a further change of control unless those rights are explicitly drafted into the contract.


Conclusion

Terranova Security was a reasonable SAT choice before July 2022. It was Canadian, adequacy-covered, and independent. Post-acquisition, it is a Delaware C-Corp subsidiary under KKR private equity ownership, holding employee vulnerability maps under US CLOUD Act jurisdiction, and operating as Microsoft's exclusive M365 SAT partner — which means dual US-jurisdiction data flows for any organisation running M365.

EU organisations with pre-2022 Terranova contracts should:

  1. Update their Art. 30 records to reflect Proofpoint Inc. as the effective data controller.
  2. Replace Canadian adequacy with SCCs (or switch to an EU-native vendor).
  3. Conduct a transfer impact assessment under the post-2022 Proofpoint corporate structure.
  4. Assess whether Microsoft-exclusive integration creates undocumented Art. 26 joint controller obligations.

For new procurement, SoSafe, Hoxhunt, and Phished each provide enterprise-grade security awareness training with full EU sovereignty — no CLOUD Act exposure, no Five Eyes data flows, no adequacy reassessment risk.


This analysis is based on public corporate filings, Proofpoint's acquisition announcement (July 2022), KKR's transaction documentation, and the CLOUD Act legal framework. It is not legal advice. Consult your DPO and legal counsel for transfer impact assessments specific to your organisation.
