Beveiliging en privacy

Simacan werkt met grote hoeveelheden informatie, zowel bedrijfskritische gegevens van klanten alsmede persoonlijke informatie zoals gedefinieerd in de privacywet- en regelgeving. Wij vinden het daarom van het grootste belang om onze klanten en geïnteresseerde partijen te informeren over ons beleid en onze procedures met betrekking tot informatiebeveiliging en privacy.

The Simacan GDPR privacy policy

With the implementation of GDPR in the Simacan organization the following eight fundamental rights given to every EU citizen can be exercised by those involved:

  • The right to be informed – Simacan is completely transparent in how we are using personal data (personal data may include data such as a work email and work mobile if they are specific to an individual).
  • The right of access – involved individuals have the right to know exactly what information is held about them and how it is processed.
  • The right of rectification – involved individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
  • The right to erasure – also known as 'the right to be forgotten', this refers to an individual's right to have their personal data deleted or removed without the need for a specific reason as to why they wish to discontinue.
  • The right to restrict processing – an individual's right to block or suppress processing of their personal data.
  • The right to data portability – this allows individuals to retain and reuse their personal data for their own purpose.
  • The right to object – in certain circumstances, individuals are entitled to object to their personal data being used. This includes, if a company uses personal data for the purpose of direct marketing, scientific and historical research, or for the performance of a task in the public interest.
  • Rights of automated decision making and profiling – the GDPR has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention. For example, individuals can choose not to be the subject of a decision where the consequence has a legal bearing on them, or is based on automated processing.
  • The right to request access to the information held about you.

If you want to exercise one of the above rights, you can contact Simacan by sending an email to We will make sure to provide you with a copy of the data we process about you. In order to comply with your request, we may ask you for proof of your identity. We will fulfil your request by sending you the copy of the data electronically, unless you expressly specify a different method.

Simacan’s ISO 27001:2013 certification

Simacan works with an ISO 27001:2013 certified Information Security Management System (ISMS). An ISMS is a systematic approach to managing sensitive company information so that it remains secure, and it covers people, processes and IT systems by applying a risk management process. The governing principle behind the ISMS is that Simacan has designed, implements and maintains a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.

Download Simacan's ISO 27001 certificate

The Simacan Information Security Policy

Information should always be protected and Simacan has many critical information assets which are crucial in conducting business, maintaining client trust and safeguarding a strong future the company. This policy outlines Simacan’s commitments to its employees, its clients and its suppliers regarding on how all business-critical information assets will be handled by Simacan.

Every Simacan employee, every client and every supplier must be aware of the significance of the information being handled and ensure that proper controls are applied to prevent unauthorized disclosure of loss of or lack of accessibility to the information.

The Simacan Information Security Policy is a part of Simacan's overall security and privacy efforts. Simacan relies upon employees, clients and suppliers to properly develop, maintain and operate its systems, networks and processes which keep sensitive information safe and properly used. Penalties for violating these policies may include disciplinary actions that go as far as termination of employment or termination of the business relationship with Simacan.

Policy Changelog
  • [29-10-2019] version 2019.2-3-gcdb0. Published Information Security Policy in new format.
  • [11-04-2016] version 2.1, Section 2.2: the information security objectives were rewritten to better fit the services offered by Simacan.
  • [29-01-2016] version 1.3, First published version.
  • [19-01-2016] version 1.2, (Unpublished) working version.
  • [12-07-2015] version 1.1, (Unpublished) first version.

Download the Simacan Information Security Policy

Security Controls

(Last update: September 2017)
At Simacan we deploy countermeasures against Risks by developing and implementing four different types of controls. These include technical controls, administrative controls, legal controls, and managerial controls. The proper use of controls makes existing vulnerabilities harder to exploit. Technical and legal controls aim to ensure information security in the short-to-medium period, while administrative and managerial controls aim to ensure information security in the medium-to-long period.


Simacan applies strict information security controls to its clients’ data, its suppliers’ data and its own data. Simacan is committed to ensuring that client data is not seen by anyone (or anything) that should not have access. Simacan employees do have access to the information systems in which client data is processed and stored. For example, in order to diagnose a production problem, Simacan employees may need to access data owned by the client. Simacan employees are prohibited from using these permissions to view client data unless it is necessary to do so. We have technical controls in place to ensure that any access to client data is monitored and logged. Simacan employees are bound to our Information Security Policy and Simacan treats these issues as matters of the highest importance.

Personnel Practices

Simacan employees are required to read Simacan’s Information Security Policy. The Policy covers the security, availability, and confidentiality of the Simacan ISMS. Also, Simacan employees are required to sign an ISMS Acknowledgement as an addendum to their employment contract. Awareness of information security risks and available controls to mitigate them is promoted in yearly recurring training sessions for all employees.


The environment that hosts all of Simacan's cloud information systems is Amazon Web Services (AWS). AWS is compliant with multiple certifications for its data centres, including ISO/IEC 27001, 27017, and SOC reports (1, 2, and 3). For more information about the certification and compliance of AWS, please visit the AWS Security website, the AWS Compliance website and the AWS General Data Protection Regulation (GDPR) Center.

The following security-related audits and certifications are applicable to the Simacan ISMS:

  • ISO/IEC 27001: Simacan has successfully undergone the stage 2 audit of the ISO/IEC 27001 certification.

Auditing Security Checklist: Simacan runs an annual internal audit of its cloud infrastructures against the auditing security checklist published by Amazon Web Services.

Security Controls

Simacan implements in its ISMS several security controls to protect its clients’ data, its suppliers’ data and its own data.

Monitoring and Logging

Simacan monitors and logs every aspect of what happens in its cloud information systems, 24/7/365. These technical security controls allow Simacan employees to anticipate and timely prevent possible security incidents and effectively assist clients in case of service deterioration or disruption.

Company-Wide Two-Factor Authentication Policy

Simacan employees are required to set up two-factor authentication on all the accounts where client data is processed or stored.

Single Sign On

Simacan’s Single Sign On is based on Keycloak, an open source Identity and Access Management solution aimed at modern applications and services. Simacan implements and maintains Keycloak within its own systems.

Data Retention

Data retention is agreed in the Data Processor Agreement with the client.

Deletion of Customer Data

Timeframes and modality for the deletion of customer data is agreed in the Data Processor Agreement with the client.

Return of Customer Data

Timeframes and modality for the return of customer data is agreed in the Data Processor Agreement with the client.

Data Encryption

Simacan implements the latest recommended SSL encryption security controls for all traffic in transit through its information systems. Simacan monitors the changing cryptographic landscape closely and works promptly to upgrade its ISMS to respond to new cryptographic weaknesses as they are discovered and implements best practices as they evolve.


Simacan understands that its clients rely on Simacan Control Tower in their primary business functions. Simacan is committed to making Simacan Control Tower a highly-available product the clients can count on. The Simacan cloud infrastructure runs on fault-tolerant systems, whether the failure invests individual servers or entire data centers. All Simacan clients who have an SLA contract in place benefit from the 24/7/365 service of the Simacan Support Team. The Support Team is available to quickly resolve all production problems.

Disaster Recovery

To ensure availability, clients’ data is stored redundantly at multiple locations within the European Union at AWS data centres. Simacan has well-tested backup and restoration procedures, which allow recovery even from major disasters. Clients’ data and our source code are automatically backed up. Simacan has 24/7 monitoring and logging controls in place alerting Simacan employees in case of failures of the backup systems.

Network Protection

In addition to sophisticated system monitoring and logging, Simacan has implemented two-factor authentication for all server access across its production environment. Also, all of Simacan’s office networking infrastructure is configured according to industry best practices.

Incident Management & Response

In the event of a security breach, Simacan promptly notifies the client. Simacan has incident management policies and procedures in place to handle such an event.

External Security Audits

Simacan has contracts with respected external security firms who perform regular audits of the Simacan ISMS to verify that the implemented security practices are sound, and to monitor for new vulnerabilities. Simacan runs penetration tests either at the client's request or at Simacan’s own request.

Product Security Practices

New features, functionalities, and design changes go through an information security review process. In addition, all Simacan source code is extensively tested and manually peer-reviewed prior to being deployed to production. Simacan employees work closely with one another to resolve any additional security concerns that may arise during development.

ISMS Certification

In July 2015 Simacan entered a trajectory to certify its own ISMS in line with the ISO/IEC 27001:2013 standard. ISO/IEC 27001:2013 is a risk-based information security standard which helps organizations to keep information assets secure. Certification to ISO/IEC 27001:2013 is possible but not obligatory. Simacan chose to implement the standard in order to benefit from the best practices it contains and to reassure its clients of the quality of the processes behind the Simacan SaaS products.

Any questions about Information Security and/or GDPR?

Contact us at

Security Bulletins

From time to time it is necessary to notify our clients, suppliers and business partners about relevant security-related events. In the security bulletins below we only publish notifications relevant to events related to the Simacan ISMS. Information about incidents is available on the Simacan status page.

  • [2018-05-01] The GDPR legislation has been added
  • [2017-09-06] updated the Single Sign On section of the security portal.
  • [2016-04-28] published version 2.1 of the Information Security Policy.
  • [2016-03-29/31] an internal audit was performed on the Simacan ISMS.
  • [2016-03-22/23] Simacan employees attended an Awareness & Training session about the Simacan ISMS.
  • [2016-03-01] Simacan ISMS has been initiated.