Security at Simplata

Introduction

Our mission is to protect your sensitive data.  We must ensure that your data is secure and that we prevent unauthorized access to it.  We're committed to being transparent about our security practices to help you understand how we achieve that.

Organization

Simplata's security program is led by our CTO and is based on an approach that takes security into consideration in all of our technical and organizational activities.  The CTO is supported by all members of the organization, who help ensure that we develop effective defense-in-depth security practices.

Protecting Data

Data in Motion

All Simplata customer data is encrypted at rest and in motion.  In motion encryption is provided by use of TLS 1.2 for all connections to our web servers and from our servers to other servers accessed via APIs.  In addition, all communication from our web servers to data stores is encrypted using TLS 1.2.  We employ the latest recommended secure cipher suites where possible..

Data at Rest

At rest encryption is provided for all data using built-in AWS disk encryption for S3, EBS, and RDS.  The sensitive data that we detect as part of our service is additionally encrypted using AES-256-GCM before being persistently stored.  Encryption keys are stored separate from this sensitive data.

Data Lifecycle

All customer data is hosted in our AWS production environment.  Customer data never leaves this secure AWS production environment.  We delete customer data from production systems immediately when the deletion is requested through our application interface.  Backups of this delete data will age out on a schedule of 30 days.  AWS is responsible for ensuring removal of data from physical disks is performed in a responsible manner before they are repurposed.

Data Segregation

Each customer's sensitive data is stored logically separate from other customer's data.  Unique data store access credentials and encryption keys are created for each customer.

Security in Depth

Key and Secret Management

Simplata uses AWS Key Management Service and AWS Secrets Manager to manage programmatic encryption keys and secrets, and AWS IAM to manage user and programmatic access keys.  Keys and secrets are rotated on a regular basis based in current industry best practice timelines.

Network Security

We maintain separate Virtual Private Clouds (VPCs) for our production and development environments.  Only a limited set of personnel have access to the production environment.  Direct access to production data servers is protected by a VPN and IP-address firewall rules.

Network access to our production environment is also restricted, with only a small number of front-facing web load balancers accessible from the Internet.  Only protocols necessary for delivery of our service to our users are open at the perimeter.

Access Control

All user access to Simpata systems is subject to the principle of least privilege and requires multi-factor authentication (MFA).  We provision AWS IAM groups and roles with only the specific policies required for the user or system to perform its function.

Simplata employees who interact with your data must be specifically screened and authorized to do so.

Vulnerability Management

We perform regular scans of our codebase and our AWS environment for vulnerabilities or misconfigured systems.  These scans are performed using a mix of AWS-provided tools as well as third-party tools.  Remediation of discovered vulnerabilities occurs on a regular basis.

Our technical team rapidly investigates all reported security issues.

Physical Security

All Simplata customer data resides in our AWS production environment. Physical protections are entirely provided by AWS.  AWS provides detailed information about their data center controls.

Customer Communication

Simplata can provide PGP keys to encrypt your communication with us, or to verify signed messages you receive from us.  You may use our general PGP key to securely contact us.  If you need to send us sensitive data as part of technical troubleshooting, you may use our sensitive data PGP key.