Trust & Security Center
The security and well-being of our customers underpin everything we do. Security is built into everything that we encompass including the organizational, architectural, and operational levels ensuring your data and solutions are safe at all times.
Having deployed SmartSimple Cloud in some of the most security-conscious organizations in both public and private sectors, we continually pursue stronger security standards.
This experience goes to benefit all of our customers as we apply the same rigorous approach to security throughout our platform and organization.
Data processing relationship
Our data processing activities include where we process personal data about identified or identifiable natural persons on behalf of clients. Our data controller activities include where we collect personal data as part of the provisioning of the cloud service.
Our approach to data processing ensures that you have full control over the data you enter into all solutions and this extends to the configured solutions themselves.Our approach to data processing ensures that you have full control over the data you enter into all solutions and this extends to the configured solutions themselves.
Data is encrypted in motion over secure HTTPS (port 443) utilizing SSL protocols and algorithms. Current encryption standards are SSL encryption using TLSv1.1 and TLSv1.2 with SHA256 certificate. SSL certificates are rotated every 2 years or less.
For every production environment, a separate warm backup environment is maintained. This backup environment is synced from the production environment at least once per day. Additionally, the database backup file is also pushed to alternate file storage, in the AWS S3 service, and retained for 90 days.
In a recovery situation, the Recovery Point Objective (RPO) is under a maximum of 24 hours, and the Recovery Time Objective (RTO) is under a maximum of 8 hours.
Attribute and Role-Based Security & Permissions are a cornerstone in our security design. Attribute-Based Access Control (ABAC) and Role-Based Access Control (RBAC) dictate everything from portal access, to application access, to the ability to view and modify the contents of a field. These controls extend past the user role and encompass the context (location, time of day, material to be accessed, and other attributes) to the field level.
SmartSimple Cloud supports users with multiple, concurrent organizational affiliations and different roles, and manages these users with login best practices including one login/one user, and multi-role hot switching. Username and password, and SAML for SSO access options are supported.
All stakeholders access the system through a single login window and are presented with a customized portal tailored to their specific roles and responsibilities.
SmartSimple Cloud supports single-sign-on (SSO) using SAML 2.0. Through single-sign-on users who are signed on to their internal enterprise web environment gain access to their SmartSimple Cloud solution without needing to log in with different credentials.
This feature provides authentication services through popular systems such as Active Directory Federation Services (ADFS), Microsoft Active Directory, and web-based identity management services such as OKTA (https://www.okta.com/).
Implementation of SSO requires configuration both within SmartSimple Cloud and within the system that will provide the authentication.
SmartSimple Cloud's implementation of SSO acts as the Service Provider and assumes the client has the infrastructure and resources to host, configure, and manage the Identity Provider service.
Multi-factor authentication (MFA)
This feature is turned on for all SmartSimple Cloud systems. It adds an additional layer of protection to the sign-in process.
SmartSimple Cloud supports strong authentication functionality utilizing multi-factor authentication (MFA). Through MFA, the platform supports easy-to-use authenticator tools like Google Authenticator (to generate software tokens), email, and SMS.
Multi-Factor authentication is role-based, allowing your organization to select only the subset of stakeholder roles where this added security is necessary.
Both physical and virtual devices support authentication with one-time passwords calculated from algorithms that are time and/or event-based.
For additional details on authentication functionality please visit our public wiki: https://wiki.smartsimple.com/wiki/Multi-Factor_Authentication
Physical security (Data center)
SmartSimple Cloud solutions are hosted in state-of-the-art Amazon Web Services (AWS) data centers designed to protect your application and data, ensure regulatory compliance, and maximize availability and redundancy.
Our data center partners are secure by design and employ controls that ensure that security. To help you fulfill your audit and regulatory requirements our data centers provide the strictest physical and environmental controls including:
- Governance and Risk (Third-party security attestation - SOC, ISO, NIST, PCI, HIPAA, etc. and ongoing data center risk management)
- Secure Design (Site Selection, redundancy, availability, capacity planning)
- Business Continuity & Disaster Recovery
- Physical Access Controls including employee data center access and Third-party data center access)
- Monitoring and Logging
- Surveillance and Detection (CCTV, Data Center entry points, Intrusion detection)
- Device, Asset, and Media Management
- Operational Support Systems (Power redundancy, fire detection, and suppression)
- Infrastructure Maintenance (Equipment and environment management)
We have detailed operational policies and procedures to monitor and protect our network environments. These policies and procedures are reviewed regularly and are within the scope of our SOC and ISO 27001 certifications.
Included in our operational policies are internal network firewalls, IDS, Windows firewall, Web reputation filtering, suspicious connection service, IP whitelisting, and many others. Full access to our Network Security policies is available within our Trust Portal.
We follow Software Development Life Cycle (SDLC) processes in the platform development as well as well-defined industry-standard release and change management processes.
We employ many different application security strategies to ensure the continued security of our SmartSimple Cloud solutions including regular internal and external vulnerability assessments, screening of network traffic (IDS, IDP), static source code analysis for security vulnerabilities, malware detection, weekly security scans, and regular and on-demand penetration testing.
Weekly provision of vulnerability assessment services and annual and on-demand Penetration testing services are performed by trusted third-party vendors. Penetration testing is performed against an isolated, dedicated instance of SmartSimple Cloud that contains no client data and tests for many security vulnerabilities.