Security Policy & Standards
SimplicityDX will abide by the security standards set forth below (“Security Standards”), which detail the various actions taken by SimplicityDX that are designed to ensure the security of the SimplicityDX Services (“Information Security”).
During the Subscription Term, these Security Standards may change without notice, as standards evolve or as additional controls are implemented or existing controls are modified as deemed reasonably necessary by SimplicityDX, provided that such changes will not bring the Security Standards below industry standard security measures.
Definitions
Terms not defined herein will have the meanings ascribed to them in the relevant agreement for the SimplicityDX Services entered into between the parties.
1. Risk Management.
An annual Information Security risk assessment is performed covering SimplicityDX facilities and information assets. Risk assessment results and risk mitigation suggestions are shared with the executive management team. The risk assessment results will specify proposed changes to systems, processes, policies, or tools, in order to reduce security vulnerabilities and threats, if any.
2. Security Policy.
Policies, including those related to data privacy, security and acceptable use, are assessed and approved by SimplicityDX senior management. Policies are documented and published among all relevant personnel.
Employees and contracted third parties are required to comply with SimplicityDX policies relevant to their scope of work.
New employees receive new hire training, which includes training on confidentiality obligations, information security, compliance, and data protection.
Employees receive annual Information Security training, which covers SimplicityDX Information Security policies and expectations.
Where required, policies are supported by associated procedures, standards, and guidelines.
Information Security policies are updated, as needed, to reflect changes to business objectives or risk.
Senior management performs an annual review of all Information Security policies.
Information Security policies are stored, maintained, updated, and published in a centralized location accessible to employees and third parties.
SimplicityDX’s employees are regularly reminded about their responsibilities with respect to password requirements, Internet usage, computer security, confidentiality, social media, customer data protection, and Company data protection.
3. Organization of Information Security.
Information Security governance and data protection compliance for the Company are the responsibility of SimplicityDX’s Chief Technical Officer.
Confidentiality and non-disclosure agreements are required when sharing sensitive, proprietary, personal, or otherwise confidential information between SimplicityDX and a third party.
4. Asset Management.
SimplicityDX assigns ownership for all information assets.
Desktops and laptops utilize encrypted storage partitions whenever an employee is in a role involving access to Customer Content or SimplicityDX intellectual property.
SimplicityDX maintains a data and media management policy that covers the disposal of electronic assets and associated media.
5. Human Resources Information Security.
SimplicityDX performs background screening of applicants, including job history and references (subject to local laws).
SimplicityDX requires all new employees to sign employee agreements, which include comprehensive non-disclosure and confidentiality commitments.
Information Security awareness is enhanced through regular communications using SimplicityDX’s internal communication tool and company-wide emails, as necessary.
SimplicityDX maintains a documented procedure for changes in employment status and employment termination (including notification, access modification, and asset collection).
New third party service providers whose services involve access to any confidential information must agree contractually to data privacy and security commitments commensurate with their access and handling of confidential information.
6. Physical and Environmental Security.
Physical security controls in all data centres utilized by SimplicityDX are handled by the third-party cloud services provider.
SimplicityDX office space is secured from visitor access except for areas staffed by reception or security personnel.
7. Communications and Operations Management.
The operation of systems and applications that support the SimplicityDX Services is subject to documented operating procedures.
The operations team maintains hardened standard server configurations.
Systems are deployed and configured in a uniform manner using configuration management systems.
Separate environments are maintained to allow for the testing of changes.
8. Access Controls.
SimplicityDX maintains an access control policy that outlines requirements for the use of user IDs and passwords.
All users are required to use a unique ID and SSH key for access to the production environment.
Generic accounts are prohibited for user access.
Access to the “root” account is restricted to Operations personnel deemed necessary.
Upon notice of termination of SimplicityDX personnel, all user access is removed.
All critical system access is removed immediately upon notification.
9. Information Systems Acquisition, Development, and Maintenance.
Product features are managed through a formalized product management process.
Security requirements are discussed and formulated during scoping and design discussions.
SimplicityDX maintains a sustaining engineering team whose primary responsibility is identifying and remediating bugs found in the SimplicityDX Service.
SimplicityDX maintains a QA Department dedicated to reviewing and testing application functionality and stability.
Application source code is stored in a central repository.
Access to source code is limited to authorized individuals.
Changes to SimplicityDX software are tested before production deployment. Deployment processes include unit testing at the source environment, as well as integration and functional testing within a test environment prior to implementation in production.
SimplicityDX follows change control procedures for all system and software configuration changes. These controls include, at a minimum, a documented impact for each change, change review, testing of operational functionality, and back-out procedures.
Customer Content is not used in testing environments.
Emergency fixes are pushed to production, as needed.
Change management is retrospectively performed.
Customer Content is stored in a shared database environment with other customers. Account identifiers are used to distinguish data for different customers. Application security controls limit a Customer’s ability to access another Customer’s data or content.
10. Information Security Incident Management.
SimplicityDX maintains an incident response process that includes direct participation and cooperation between support, security, and operations teams.
The SimplicityDX incident response process includes notification, escalation, and reporting. When required, Customer notification is initiated through the SimplicityDX status page, SimplicityDX initiated reporting tickets, or direct email/phone communication to account contacts.
Internally, SimplicityDX maintains an incident response plan that is evaluated on a regular basis. The plan addresses specific incident response procedures
V1.0 03.2024-US