Security Overview

Introduction

Smpl360 users trust us with their data. That trust is based upon us keeping that data both private and secure. The information on this page should provide transparency about how we protect that data. We will continue to expand and update this information as we add new security capabilities and make security improvements to our products.

Security Program

Our team is protecting the data you store in our service. We drive a security program that includes the following focus areas: product security, infrastructure controls (physical and logical), policies, employee awareness, intrusion detection, and assessment activities.

We periodically assess our infrastructure and applications for vulnerabilities and remediate those that could affect the security of customer data. Our team continually evaluates new tools to increase the coverage and depth of these assessments.

Network Security

Load balancers, firewalls, and VPNs are used to define the network boundaries. We use these to control which services we expose to the Internet and to segment our production network from the rest of our computing infrastructure. We limit who has access to our production infrastructure based on business needs and strongly authenticate that access.

Account Security

We never store your password in plaintext. When we need to securely store your account password to authenticate you, we use hash functions with a unique salt for each credential. We select the number of hashing iterations in a way that balances user experience and password cracking complexity.

We do not require you to set a complex password. We limit failed login attempts on both a per-account and per-IP-address basis to slow down password guessing attacks.

Email Security

When you receive an email from us, make sure that it really came from our only mailbox [email protected]

Product Security

Securing our Internet-facing web service is critically important to protecting your data. Our team drives an application security program to improve code security hygiene and periodically assess our service for common application security issues.

Every client application that talks to our service uses an API for all actions. There is no direct object access within the service, and each client’s authentication token is checked on each access to the service to ensure the client is authenticated and allowed to access a particular report or list of reports.

Customer Segregation

Our service is multi-tenant and does not segment your data from other users’ data. Your data may be stored on the same servers as another user’s data. We consider your data private and do not permit another user to access it unless you explicitly share it.

Transport Encryption

Our service uses industry-standard encryption to protect your data in transit. This is commonly referred to as Transport Layer Security (TLS) or Secure Sockets Layer (SSL) technology. We plan to continue improving our transport security posture to support our commitment to protecting your data.

We protect all customer data flowing between our data center and the Microsoft Azure Platform.

Physical Security

We operate our service using the Microsoft Azure Platform. All data resides inside Northern Europe.

Privacy and Compliance

Please see our privacy page for more information. We do not publish a Service Organization Control (SOC) report.