simacan

Security and privacy

Information should always be protected, in whatever format and however it is shared, communicated or stored

At Simacan, we work with critical information assets which are crucial for our business, for maintaining our clients’ trust and for safeguarding the future of our services. Here, we explain how we protect these assets – and we outline Simacan’s information security commitments to our employees, our current and future clients and our suppliers.

How do we keep your information safe and our processes secure?

To ensure the secure processing of data, we have implemented several measures to protect our clients’ data, our suppliers’ data and, of course, our own data. All of these security measures are part of our ISO/IEC 27001-certified Information Security Management System (ISMS).

Privacy and the GDPR

Besides processing customer/business data, we also work with personal data such as clients’ email addresses, drivers’ phone numbers and locations, and employees’ contact details.

We take privacy very seriously, and we only process information in accordance with relevant legislation: the General Data Protection Regulation (GDPR). Furthermore, we only process data within the borders of the EU. We have implemented several security measures specifically to protect your data from data leaks, hacks and other unwanted events.

Compliance and the data processing agreement

To safeguard these security measures and ensure compliance with the relevant current legislation, we have drafted a data processing agreement (DPA) based on experience and sound legal advice. As Simacan’s customer, supplier or partner, you can make use of this DPA.

The types of data we store, where and how we store this data and the accompanying security measures are described under “Where and how do we store your data?” below.

What does this mean when using Simacan’s services?

We understand that our clients rely on the Simacan Control Tower in their primary business functions. We are committed to making the Simacan Control Tower a highly available product you can count on. The Simacan cloud infrastructure runs on fault-tolerant systems, and the Simacan Support Team is available to quickly resolve any production problems and incidents. All Simacan clients who have an SLA contract in place benefit from the Simacan Support Team’s services, 24/7 and 365 days a year. 

And the software?

All new features, functionalities and design changes go through an information security review process. In addition, all Simacan source code is extensively tested and manually peer-reviewed prior to being deployed to production. Simacan employees work closely with one another to resolve any additional security concerns that may arise during development, e.g. by introducing features (such as single sign-on) which enhance the security of our services. In addition to the security checks during development, additional checks are also carried out throughout the year, e.g. a vulnerability scan which is performed by an external party.

Where and how do we store your data?

All of Simacan’s cloud information systems are hosted on Amazon Web Services (AWS), which is located in EU territory. In accordance with our IT policy, we aim to work paperless and fully digital, without the need to operate physical servers. We ask users to work within the cloud wherever possible, and to limit the downloading of information outside of the protected cloud environment. We understand that the exception proves the rule, which is why all our devices have to comply with a set of basic rules, such as: a proper firewall, malware protection, strong authentication and up-to-date security patches.

Data encryption

We have implemented the latest recommended SSL encryption security controls for all traffic in transit throughout our information systems. Furthermore, we monitor the changing cryptographic landscape closely. If necessary, we act promptly to upgrade our ISMS to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve.

Multi-factor authentication (MFA)

In addition to data encryption, we have implemented two-factor authentication for all server access across our production environment. Moreover, Simacan’s entire office networking infrastructure is configured according to industry best practices. For Simacan employees, this means they are required to set up two-factor authentication on all the accounts where client data is processed or stored.

The role of our employees

Every Simacan employee must be aware of the significance of the information being handled and ensure that proper controls are applied to prevent unauthorized disclosure, loss or inaccessibility of that information.

Simacan employees are required to read Simacan’s Information Security Policy. They also have to agree to include a formal acknowledgement of information security practices as an addendum to their employment contract. The policy covers the security, availability and confidentiality of the Simacan Information Security Management System. Awareness of information security risks and the available controls to mitigate them is promoted in annual training sessions for all employees.

Contact us

If you have any questions about the information presented here, please contact us at the email address below.
You can also use this email address to notify us of a data breach or make suggestions regarding our software or services.

Contact us at security@simacan.com

Information security management system

Simacan works with an ISO 27001-certified Information Security Management System (ISMS). An ISMS supports a systematic approach to managing sensitive information so that it remains secure. The ISMS covers people, processes and IT systems by applying a risk management process. The governing principle behind the ISMS is the design, implementation and maintenance of a coherent set of policies, processes and systems (controls) to manage risks to information assets, thus ensuring acceptable levels of information security risk.

To establish these controls, we have listed all possible risks related to the information we process on a daily basis. We deploy countermeasures against these risks by developing and implementing four different types of controls: technical controls, administrative controls, legal controls and managerial controls. Technical and legal controls are aimed at ensuring information security in the short to medium term, while administrative and managerial controls are aimed at ensuring information security in the medium to long term. Examples of such controls include identity & access management, event monitoring, asset management and disaster recovery.