Security, privacy and compliance

ISO 27001
Simpplr is ISO 27001:2013 certified annually. An independent firm accredited by the ANAB standards body certifies that the Simpplr information security management system (ISMS) contains comprehensive policies and procedures to manage information risk. Note that a SOC 2 audit of a software vendor itself, in addition to audits of any subprocessor or cloud platform on which it operates, is required to validate that a vendor securely operates their ISMS.

SOC 2
Simpplr annually undergoes a SOC 2 Type 2 audit. An independent auditor regulated by the AICPA investigates our operations during a 12 month period and attests to the effectiveness of our security controls. SOC 2 attestation reports may be shared under NDA. We provide quarterly bridge letters to cover the period since the last SOC 2 audit. Our subprocessors also hold SOC 2 Type 2 attestation certificates.

SOC 3
SOC 3 reports are similar to SOC 2, but they contain less detail and may be shared publicly without an NDA. The SOC 3 is a report of internal controls over security, availability, processing integrity, and confidentiality. Both SOC 2 and SOC 3 reports are conducted according to SSAE 18 standards, as outlined by the AICPA. Both reports involve an audit and rigorous testing of an organization’s security controls. Note that bridge letters are not generated for SOC 3 reports.

TRUSTe Data Privacy Framework (DPF) verification
Companies that display the TRUSTe Privacy Verified seal have demonstrated that their privacy programs, policies, and practices meet the requirements of EU-U.S. and Swiss-U.S. Data Privacy Framework principles. Companies verified to the Data Privacy Framework Principles are considered in compliance with the UK Extension to the EU-U.S. Data Privacy Framework.

TRUSTe Dispute Resolution
Simpplr participates in the TRUSTe online Privacy Dispute Resolution program which lets users report potential violations of posted privacy statements and specific privacy issues that pertain to TRUSTe clients. TRUSTe investigates all eligible complaints and mediates solutions between users and clients.

GDPR
Simpplr helps organizations meet their GDPR compliance requirements through features such as retention policies, data subject access requests, and standard contractual clauses.

Data Privacy Framework (DPF)
Simpplr is an active member of the EU-US and Swiss-US Data Privacy Framework program as well as the UK Extension to the EU-U.S. Data Privacy Framework.

HIPAA
Simpplr complies with HIPAA standards, securing communication and collaboration with all key stakeholders, and will sign a HIPAA business associate agreement (BAA).

23 NYCRR Part 500
Simpplr is 23 NYCRR Part 500-ready and enables financial services firms to meet compliance requirements through features such as enhanced audit trail, SIEM integration, encryption, and incident response planning.

GXP
Simpplr enables biotechnology, pharmaceutical, and other life sciences organizations to meet GXP compliance requirements through features such as document management, content distribution, and awareness check-in.

Security

• ISO 27001:2013 certification
• SOC 2 Type 2 attestation (available under NDA)
• SOC 3 report

Data Privacy

• EU-U.S. and Swiss-U.S. Data Privacy Framework (DPF) certification 
• TRUSTe Data Privacy Framework (DPF) verification
• TRUSTe Privacy Dispute Resolution program
• Simpplr Customer Privacy Policy
• Simpplr Government Data Request Policy
• Simpplr Subprocessor Partners

Simpplr follows the most stringent and secure software development and quality standards including regular and frequent internal and external security tests. The software development lifecycle employs industry leading security tools for code and application analysis.

Any vulnerability that is identified internally or reported by an external source is immediately triaged and the most appropriate remediation actions are applied. 

Access to the application is logged and the application maintains a well defined audit trail for all security related activities.

Customers are encouraged to bring their own identity provider and Simpplr supports several identity providers via SAML 2.0 and OAuth 2.0 to allow access to its application. MFA is supported when the Identity Provider has been configured as such. Role-Based Access Control (RBAC) helps with restricting user access to the application content and features on a need-to-know or need-to-access basis.

Simpplr is hosted on Salesforce and Amazon Web Services (AWS) in the US and EU regions.

We conduct quarterly penetration tests in accordance with our security policies. Access to the infrastructure is tightly controlled and ensures that unauthorized individuals do not gain access to any resource.

Simpplr engages external security vendors to provide application vulnerability and penetration testing quarterly. Testing is performed on Simpplr web and mobile applications on all platforms for which Simpplr products are available, which include Salesforce, AWS, iOS, and Android. 

Penetration testers leverage automated and manual tools to simulate malicious attacks and assess the security of application functionality, logic, and common vulnerabilities. Testing particularly looks for commonly found exploited vulnerabilities such as those outlined in the OWASP Web Security Testing Guide (WSTG), OWASP Top 10,  OWASP Top 10 API, OWASP Mobile Top 10, and CWE/SANS Top 25. The assessment also includes a review of security controls and requirements listed in the OWASP Application Security Verification Standard (ASVS).  

Vulnerabilities are prioritized by risk (critical, high, medium, and low) and remediated by priority in accordance with the Simpplr ISO 27001 Information Security Management System (ISMS).

Simpplr maintains disaster recovery (DR) and business continuity (BC) plans. The service performs real-time database transaction journaling and file replication to disk at each data center, and near real-time data replication between geographically-disparate primary and secondary data centers. Between data centers, data is transmitted across encrypted links. Disaster recovery tests verify our projected recovery times and the integrity of the customer data.  Simpplr is architected to provide the following RTO and RPO: 

• Recovery Time Objective (RTO) = 24 hours (12 hours for some systems)
• Recovery Point Objective (RPO) = 4 hours

Data is encrypted in transit and at rest. Backups are securely maintained to recover if needed. Secrets are safeguarded using industry leading practices, and access to them is tightly controlled.

Customer data is heavily guarded. Access to customer data requires explicit customer consent and is allowed only when necessary such as for support purposes. Any such Simpplr access requires multi-factor authentication (MFA), and all access is logged. No external party has access to Simpplr customer data at any time. Physical access to the resources in our offices and data centers is secured by physical, electronic, and manual controls.

Please see more information about data we collect in the Simpplr Customer Privacy Policy.

Simpplr implements technical and organizational security measures to protect the privacy of customer data. The location of data processing varies at the designation of the customer. Customers can choose deployment locations that meet the data privacy laws and regulations of the US, EU, Switzerland, UK, Canada, Australia, New Zealand, Brazil, India, and other regions.

Simpplr captures personal data to provide functionality (such as access control, notifications, and analytics). Simpplr also captures usage and performance data to improve the product. Data is never sold to third parties for marketing or revenue purposes.

• User data
  • Name
  • Login identifier or username (e.g., email, mobile number, or a unique ID)
• Application data
  • Browsing history within Simpplr
  • Search history within Simpplr
  • Web and app data (e.g., performance analytics)
• Network and device data
  • IP address
  • Network activity data (e.g., session duration)
  • Device and hardware data (e.g., manufacturer, OS)
  • General location data (e.g., IP-based location)
• [OPTIONAL] People directory data
  • Customers may optionally choose to upload data such as title, department, user photo, or other fields. Customers have complete control over which fields they upload or allow their employees to edit.

Simpplr does not process or store any of the following categories of personal data: 

• No sensitive personal data 
  • GDPR – No “special categories of data”
  • CCPA/CPRA – No “sensitive personal information”
  • No data related to disability, race, religion, political affiliation, or medical history is collected. 
• No personal health information (PHI)
• No financial information

See below for categories of identifiers. This data is used to provide features of the service such as role-based access control and intranet analytics and to capture usage and performance analytics in order to improve the product. Data is never sold to third parties for marketing or revenue purposes. 

Categories of Identifiers:

• Application unique user identifiers (e.g., Simpplr UUID)
• Unique device identifiers (e.g., IMEI, IMSI)
• Persistent identifiers (e.g., identifiers used for analytics)

• Data Protection Agreements (DPA)
• Standard Contractual Clauses (SCC)
• Data Privacy Framework (DPF)

Simpplr enters into DPA contracts with customers and subprocessors to ensure data security and privacy. Simpplr uses contractual means such as the EU or UK Standard Contractual Clauses (SCC) to ensure adequate protection. Simpplr is a participant in the EU-U.S. and Swiss-U.S. Data Privacy Framework (DPF) programs and the UK extension to the EU-U.S. Data Privacy Framework.

Simpplr enables customer compliance and is itself compliant with the following data privacy laws and regulations:

• GDPR (EU and UK)
• CCPA/CPRA (California) as well as the data privacy laws of other US states, including Virginia, Colorado, Utah, and Connecticut, among others. 
• nFADP (Switzerland)
• Australian Privacy Act
• New Zealand Privacy Act
• PIPEDA (Canada)
• Quebec Privacy Act
• LGPD (Brazil)
• DPDP (India)
• PDPA (Singapore)
• APPI (Japan)
• PIPL (China)

This is a partial list. Please contact privacy@simpplr.com concerning other geographies.

Customers have full control over what data they store on Simpplr. Simpplr software complies with the following industry and sector specific laws and regulations: 

• HIPPA (US, Healthcare)
• 23 NYCRR 500 (US/New York, Financial Institutions)
• FDA 21 CFR Part 11 (US, Life Sciences/Pharmaceutical)
• GXP  (US, Life Sciences/Pharmaceutical)
• FERPA (US, Education)
• PCI DSS (Global, Ecommerce)

This is a partial list. Please contact privacy@simpplr.com concerning other industries or sectors, such as non-profit, defense, or government. 

Additional Notes

Healthcare

• PHI — Simpplr does not store Personal Healthcare Information (PHI) or user medical information. 
• BAA — Simpplr will enter into Business Associate Agreements (BAA) with customers. 

Payment Cards

• PCI not applicable — PCI DSS/3DS is not applicable to Simpplr because we do not process or store credit card information.

Please see the Simpplr support center website for the most recent list of Simpplr data subprocessor partners. You may subscribe on that page to be automatically notified when the list changes.

The mission of the Simpplr Product Security Incident Response Team is to protect Simpplr and its customers from any real or suspected security concerns arising from the use of Simpplr applications and services. It ensures that the product is secure and responses to vulnerabilities that matter are well-coordinated and timely.

For complete details, please see the Simpplr Government Data Request Policy. 

Simpplr will only disclose customer data in response to a lawful request from a government agency in accordance with applicable law, our terms of service, and any applicable Data Protection Agreement (DPA). 

Whenever possible, Simpplr will provide notice to customers when their data is being requested by a government. This notice will be provided in a timely manner and will include information about the nature of the request, the specific data being requested, and the agency making the request. We will also provide customers with the opportunity to object to the disclosure of their data.

In no event will Simpplr transfer personal data to a Requesting Authority in a massive, disproportionate, and indiscriminate manner that goes beyond what is necessary in a democratic society.