Protect your people and your data at every step.
Simpplr is committed to providing a safe and trusted experience for its users, business contacts, and employees. Simpplr's security and data privacy standards are regularly verified by independent auditors to ensure that the platform remains compliant and free of abuse and/or threats.
Customers entrust Simpplr with their data and we take this responsibility with utmost caution and care. Simpplr’s SOC 2 attestation, ISO 27001 certification, and TRUSTe verification are independent endorsements of this fact.
CERTIFICATIONS
SOC 2 Type 2
SOC 3
ISO 27001
DPF
Security
Data Privacy
Simpplr follows the most stringent and secure software development and quality standards including regular and frequent internal and external security tests. The software development lifecycle employs industry leading security tools for code and application analysis.
Any vulnerability that is identified internally or reported by an external source is immediately triaged and the most appropriate remediation actions are applied.
Access to the application is logged, and the application maintains a well-defined audit trail for all security-related activities.
Customers are encouraged to bring their own identity provider and Simpplr supports several identity providers via SAML 2.0 and OAuth 2.0 to allow access to its application. MFA is supported when the Identity Provider has been configured as such. Role-Based Access Control (RBAC) helps with restricting user access to the application content and features on a need-to-know or need-to-access basis.
Simpplr is hosted on Salesforce and Amazon Web Services (AWS) in the US and EU regions.
We conduct quarterly penetration tests in accordance with our security policies. Access to the infrastructure is tightly controlled so that unauthorized individuals cannot gain access to any resource.
Simpplr engages external security vendors to provide application vulnerability and penetration testing quarterly. Testing is performed on Simpplr web and mobile applications on all platforms for which Simpplr products are available, which include Salesforce, AWS, iOS, and Android.
Penetration testers use automated and manual tools to simulate malicious attacks and assess the security of application functionality, logic, and common vulnerability classes. Testing particularly looks for commonly exploited vulnerabilities such as those outlined in the OWASP Web Security Testing Guide (WSTG), OWASP Top 10, OWASP API Security Top 10, OWASP Mobile Top 10, and CWE/SANS Top 25. The assessment also includes a review of the security controls and requirements listed in the OWASP Application Security Verification Standard (ASVS).
Vulnerabilities are prioritized by risk (critical, high, medium, and low) and remediated by priority in accordance with the Simpplr ISO 27001 Information Security Management System (ISMS).
Simpplr maintains disaster recovery (DR) and business continuity (BC) plans. The service performs real-time database transaction journaling and file replication to disk at each data center, and near real-time data replication between geographically-disparate primary and secondary data centers. Between data centers, data is transmitted across encrypted links. Disaster recovery tests verify our projected recovery times and the integrity of the customer data. Simpplr is architected to provide the following RTO and RPO:
Data is encrypted in transit and at rest. Backups are securely maintained to recover if needed. Secrets are safeguarded using industry leading practices, and access to them is tightly controlled.
Customer data is heavily guarded. Access to customer data requires explicit customer consent and is allowed only when necessary such as for support purposes. Any such Simpplr access requires multi-factor authentication (MFA), and all access is logged. No external party has access to Simpplr customer data at any time. Physical access to the resources in our offices and data centers is secured by physical, electronic, and manual controls.
Please see more information about data we collect in the Simpplr Customer Privacy Policy.
Simpplr implements technical and organizational security measures to protect the privacy of customer data. The location of data processing is determined by the customer. Customers can choose deployment locations that meet the data privacy laws and regulations of the US, EU, Switzerland, UK, Canada, Australia, New Zealand, Brazil, India, and other regions.
Simpplr captures personal data to provide functionality (such as access control, notifications, and analytics). Simpplr also captures usage and performance data to improve the product. Data is never sold to third parties for marketing or revenue purposes.
Simpplr does not process or store any of the following categories of personal data:
See below for categories of identifiers. This data is used to provide features of the service such as role-based access control and intranet analytics and to capture usage and performance analytics in order to improve the product. Data is never sold to third parties for marketing or revenue purposes.
Categories of Identifiers:
Simpplr enters into DPA contracts with customers and subprocessors to ensure data security and privacy. Simpplr uses contractual means such as the EU or UK Standard Contractual Clauses (SCC) to ensure adequate protection. Simpplr is a participant in the EU-U.S. and Swiss-U.S. Data Privacy Framework (DPF) programs and the UK extension to the EU-U.S. Data Privacy Framework.
Simpplr enables customer compliance and is itself compliant with the following data privacy laws and regulations:
This is a partial list. Please contact privacy@simpplr.com concerning other geographies.
Customers have full control over what data they store on Simpplr. Simpplr software complies with the following industry and sector specific laws and regulations:
This is a partial list. Please contact privacy@simpplr.com concerning other industries or sectors, such as non-profit, defense, or government.
Additional Notes
Healthcare
Payment Cards
Please see the Simpplr support center website for the most recent list of Simpplr data subprocessor partners. You may subscribe on that page to be automatically notified when the list changes.
The mission of the Simpplr Product Security Incident Response Team is to protect Simpplr and its customers from any real or suspected security concerns arising from the use of Simpplr applications and services. It ensures that the product is secure and that responses to vulnerabilities that matter are well coordinated and timely.
For complete details, please see the Simpplr Government Data Request Policy.
Simpplr will only disclose customer data in response to a lawful request from a government agency in accordance with applicable law, our terms of service, and any applicable Data Protection Agreement (DPA).
Whenever possible, Simpplr will provide notice to customers when their data is being requested by a government. This notice will be provided in a timely manner and will include information about the nature of the request, the specific data being requested, and the agency making the request. We will also provide customers with the opportunity to object to the disclosure of their data.
In no event will Simpplr transfer personal data to a Requesting Authority in a massive, disproportionate, and indiscriminate manner that goes beyond what is necessary in a democratic society.
Simpplr is committed to open and transparent communication about security. For any security questions or concerns not addressed above, please contact security@simpplr.com.