Information should always be protected, in whatever format and however it is shared, communicated or stored
At Simacan, we work with critical information assets which are crucial for our business, for maintaining our clients’ trust and for safeguarding the future of our services. Here, we explain how we protect these assets – and we outline Simacan’s information security commitments to our employees, our current and future clients and our suppliers.
How do we keep your information safe and our processes secure?
To ensure the secure processing of data, we have implemented several measures to protect our clients’ data, our suppliers’ data and, of course, our own data. All of these security measures are part of our ISO/IEC 27001-certified Information Security Management System (ISMS).
Privacy and the GDPR
Besides processing customer/business data, we also work with personal data such as clients’ email addresses, drivers’ phone numbers and locations, employees’ contact details, etc.
We take privacy very seriously, and we only process information in accordance with relevant legislation: the General Data Protection Regulation (GDPR). Furthermore, we only process data within the borders of the EU. We have implemented several security measures specifically to protect your data from data leaks, hacks and other unwanted events.
Compliance and the data processing agreement
To safeguard these security measures and ensure compliance with the relevant current legislation, we have drafted a data processing agreement (DPA) based on experience and sound legal advice. As Simacan’s customer, supplier or partner, you can make use of this DPA.
What does this mean when using Simacan’s services?
We understand that our clients rely on the Simacan Control Tower for their primary business functions, and we are committed to making it a highly available product you can count on. The Simacan cloud infrastructure runs on fault-tolerant systems, and the Simacan Support Team is available to resolve production problems and incidents quickly. All Simacan clients with an SLA contract in place benefit from the Simacan Support Team’s services 24/7, 365 days a year.
And the software?
All new features, functionalities and design changes go through an information security review process. In addition, all Simacan source code is extensively tested and manually peer-reviewed before it is deployed to production. Simacan employees work closely together to resolve any further security concerns that arise during development, for example by introducing features (such as single sign-on) that enhance the security of our services. On top of the security checks during development, further checks are carried out throughout the year, such as a vulnerability scan performed by an external party.
All of Simacan’s cloud information systems are hosted on Amazon Web Services (AWS), in regions located within EU territory. In accordance with our IT policy, we aim to work paperless and fully digitally, without operating physical servers. We ask users to work within the cloud wherever possible and to limit the downloading of information outside the protected cloud environment. Where downloading cannot be avoided, all of our devices must comply with a set of basic rules: a properly configured firewall, malware protection, strong authentication and up-to-date security patches.
All traffic in transit throughout our information systems is encrypted with TLS (the protocol that replaced SSL), configured according to current recommendations. We also monitor the changing cryptographic landscape closely: when new cryptographic weaknesses are discovered, we act promptly to update our controls, and we adopt best practices as they evolve.
Multi-factor authentication (MFA)
In addition to encryption, we have implemented two-factor authentication for all server access across our production environment. Simacan’s office networking infrastructure is also configured according to industry best practices. For Simacan employees, this means they are required to set up two-factor authentication on every account where client data is processed or stored.
The role of our employees
Every Simacan employee must be aware of the significance of the information they handle and ensure that proper controls are applied to prevent unauthorized disclosure, loss or unavailability of that information.
Simacan employees are required to read Simacan’s Information Security Policy and to sign a formal acknowledgement of information security practices as an addendum to their employment contract. The policy covers the security, availability and confidentiality of information within the Simacan Information Security Management System. Awareness of information security risks, and of the controls available to mitigate them, is promoted in annual training sessions for all employees.
Amazon Web Services (AWS)
Amazon Web Services (AWS) is one of the world’s largest cloud platforms, serving millions of customers from data centres worldwide. The AWS data centres hold multiple certifications, including ISO/IEC 27001 and ISO/IEC 27017, and have SOC 1, SOC 2 and SOC 3 reports. For more information about AWS certification and compliance, visit the AWS Security website, the AWS Compliance website and the AWS General Data Protection Regulation (GDPR) centre.
To ensure availability, Simacan clients’ data is stored redundantly in AWS data centres at multiple locations within the European Union. Well-tested backup and restore procedures allow recovery even from major disasters. Clients’ data and our source code are backed up automatically, and 24/7 monitoring and logging controls alert Simacan employees to any event in the backup systems.
Access to client data
We apply strict information security controls to our clients’ data, our suppliers’ data and our own data, and we are committed to ensuring that client data is not accessible to anyone (or anything) that should not have access. Some Simacan employees do have access to the information systems in which client data is processed and stored; for example, diagnosing a production problem may require a Simacan employee to access data owned by the client. Employees are prohibited from using these permissions to view client data unless it is necessary, and we have technical controls in place to ensure that all access to client data is monitored and logged. Simacan employees are bound by our Information Security Policy, and Simacan treats these matters with the highest importance.
External audits and penetration tests
Simacan has contracts with respected external security firms, which perform regular audits of the Simacan ISMS to verify that the implemented security practices are sound and to screen them for new vulnerabilities. We also run penetration tests and vulnerability tests, either at a client’s request or on our own initiative.
Incident management
We have incident management policies and procedures in place to handle security breaches, and we notify the client promptly in the event of a breach. Beyond actual events and incidents, we ask employees to identify security weaknesses, i.e. defects in systems or procedures that could lead to security events or incidents.
Information Security Management System (ISMS)
Simacan works with an ISO 27001-certified Information Security Management System (ISMS). An ISMS supports a systematic approach to managing sensitive information so that it remains secure. The ISMS covers people, processes and IT systems by applying a risk management process. The governing principle behind the ISMS is the design, implementation and maintenance of a coherent set of policies, processes and systems (controls) to manage risks to information assets, thus ensuring acceptable levels of information security risk.
To establish these controls, we have inventoried the risks related to the information we process on a daily basis. We counter these risks by developing and implementing four types of controls: technical, administrative, legal and managerial. Technical and legal controls are aimed at ensuring information security in the short to medium term, while administrative and managerial controls are aimed at the medium to long term. Examples of such controls include identity and access management, event monitoring, asset management and disaster recovery.
Monitoring
The Simacan Support Team monitors and logs activity in the cloud information systems 24 hours a day, 7 days a week, 365 days a year. Further technical security controls allow Simacan employees to anticipate possible security incidents and take timely action to prevent them, and to assist clients effectively if services deteriorate or are disrupted.
Contact
If you have any questions about the information presented here, please contact us at the email address below.
You can also use this email address to notify us of a data breach or make suggestions regarding our software or services.
Contact us at email@example.com