Protecting your employees and providing them with a safe and trusted experience is our top priority. Independent auditors regularly verify our security and data privacy standards to ensure the Simpplr One™ platform remains compliant and free of abuse or threats.
We don’t believe it’s enough to meet the bar. We believe it’s our responsibility to set the bar and offer the most trusted and secure platform on the market.
Simpplr follows the most stringent and secure software development and quality standards including regular and frequent internal and external security tests. The software development lifecycle employs industry leading security tools for code and application analysis.
Any vulnerability that is identified internally or reported by an external source is immediately triaged and the most appropriate remediation actions are applied.
Access to the application is logged and the application maintains a well defined audit trail for all security related activities.
Customers are encouraged to bring their own identity provider and Simpplr supports several identity providers via SAML 2.0 and OAuth 2.0 to allow access to its application. MFA is supported when the Identity Provider has been configured as such. Role-Based Access Control (RBAC) helps with restricting user access to the application content and features on a need-to-know or need-to-access basis.
Simpplr is hosted on Salesforce and Amazon Web Services (AWS) in the US and EU regions.
We conduct quarterly penetration tests in accordance with our security policies. Access to the infrastructure is tightly controlled and ensures that unauthorized individuals do not gain access to any resource.
Simpplr maintains disaster recovery (DR) and business continuity (BC) plans. The service performs real-time database transaction journaling and file replication to disk at each data center, and near real-time data replication between geographically-disparate primary and secondary data centers. Between data centers, data is transmitted across encrypted links. Disaster recovery tests verify our projected recovery times and the integrity of the customer data. Simpplr is architected to provide the following RTO and RPO:
Simpplr engages external security vendors to provide application vulnerability and penetration testing quarterly. Testing is performed on Simpplr web and mobile applications on all platforms for which Simpplr products are available, which include Salesforce, AWS, iOS, and Android.
Penetration testers leverage automated and manual tools to simulate malicious attacks and assess the security of application functionality, logic, and common vulnerabilities. Testing particularly looks for commonly found exploited vulnerabilities such as those outlined in the OWASP Web Security Testing Guide (WSTG), OWASP Top 10, OWASP Top 10 API, OWASP Mobile Top 10, and CWE/SANS Top 25. The assessment also includes a review of security controls and requirements listed in the OWASP Application Security Verification Standard (ASVS).
Vulnerabilities are prioritized by risk (critical, high, medium, and low) and remediated by priority in accordance with the Simpplr ISO 27001 Information Security Management System (ISMS).
Data is encrypted in transit and at rest. Backups are securely maintained to recover if needed. Secrets are safeguarded using industry leading practices, and access to them is tightly controlled.
Customer data is heavily guarded. Access to customer data requires explicit customer consent and is allowed only when necessary such as for support purposes. Any such Simpplr access requires multi-factor authentication (MFA), and all access is logged. No external party has access to Simpplr customer data at any time. Physical access to the resources in our offices and data centers is secured by physical, electronic, and manual controls.
Data-in-Transit Encryption
Simpplr provides data-in-transit encryption. All transmissions between a customer and Simpplr services are encrypted through Transport Layer Security (TLS 1.2) leveraging at least 2048-bit RSA server certificates and 256 or 128-bit symmetric encryption keys at a minimum. TLS 1.2 or higher is enforced. Additionally, all data, including customer data, is transmitted between data centers for replication purposes across a dedicated, encrypted link utilizing AES-256 encryption.
Data-at-Rest Encryption
Simpplr provides data-at-rest encryption. Content, images, and attachments are encrypted with no additional hardware or software. The architecture leverages 256-bit AES symmetric keys to ensure strong protection. In some configurations of Simpplr, customers have full control of the lifecycle of their Hardware Security Module (HSM) derived tenant secret, and can rotate, export, and destroy secrets as needed to satisfy compliance requirements.
Bring Your Own Key (BYOK)
Some configurations of Simpplr support Bring Your Own Key (BYOK). BYOK allows customers to provide their own tenant secret, generated from their own HSMs, increasing control over their encryption processes.
Please see more information about data we collect in the Simpplr Customer Privacy Policy.
Simpplr implements technical and organizational security measures to protect the privacy of customer data. The location of data processing varies at the designation of the customer. Customers can choose deployment locations that meet the data privacy laws and regulations of the US, EU, Switzerland, UK, Canada, Australia, New Zealand, Brazil, India, and other regions.
Simpplr captures personal data to provide functionality (such as access control, notifications, and analytics). Simpplr also captures usage and performance data to improve the product. Data is never sold to third parties for marketing or revenue purposes.
See below for categories of identifiers. This data is used to provide features of the service such as role-based access control and intranet analytics and to capture usage and performance analytics in order to improve the product. Data is never sold to third parties for marketing or revenue purposes.
Categories of Identifiers:
Personal data processing-in
Simpplr does not process or store any of the following categories of personal data:
Simpplr enters into DPA contracts with customers and subprocessors to ensure data security and privacy. Simpplr uses contractual means such as the EU or UK Standard Contractual Clauses (SCC) to ensure adequate protection. Simpplr is a participant in the EU-U.S. and Swiss-U.S. Data Privacy Framework (DPF) programs and the UK extension to the EU-U.S. Data Privacy Framework.
Customers have full control over what data they store on Simpplr. Simpplr software complies with the following industry and sector specific laws and regulations:
This is a partial list. Please contact privacy@simpplr.com concerning other industries or sectors, such as non-profit, defense, or government.
Additional Notes
Healthcare
Payment Cards
Simpplr enables customer compliance and is itself compliant with the following data privacy laws and regulations:
This is a partial list. Please contact privacy@simpplr.com concerning other geographies.
Please see the Simpplr support center website for the most recent list of Simpplr data subprocessor partners. You may subscribe on that page to be automatically notified when the list changes.
For complete details, please see the Simpplr Government Data Request Policy.
Simpplr will only disclose customer data in response to a lawful request from a government agency in accordance with applicable law, our terms of service, and any applicable Data Protection Agreement (DPA).
Whenever possible, Simpplr will provide notice to customers when their data is being requested by a government. This notice will be provided in a timely manner and will include information about the nature of the request, the specific data being requested, and the agency making the request. We will also provide customers with the opportunity to object to the disclosure of their data.
In no event will Simpplr transfer personal data to a Requesting Authority in a massive, disproportionate, and indiscriminate manner that goes beyond what is necessary in a democratic society.
The mission of the Simpplr Product Security Incident Response Team is to protect Simpplr and its customers from any real or suspected security concerns arising from the use of Simpplr applications and services. It ensures that the product is secure and responses to vulnerabilities that matter are well-coordinated and timely.
