Security

Simacan works with large amounts of information, including both business-critical data of our customers and personal information as defined by privacy laws and regulations of their customers and drivers. We therefore consider it of the greatest importance to inform our customers and interested parties about our policies and procedures regarding information security and privacy.

Simacan GDPR privacy policy

With the implementation of GDPR in the Simacan organization the following eight fundamental rights given to every EU citizen can be exercised by those involved:

  1. The right to be informed – Simacan is completely transparent in how we are using personal data (personal data may include data such as a work email and work mobile if they are specific to an individual).
  2. The right of access – involved individuals do have the right to know exactly what information is held about them and how it is processed.
  3. The right of rectification – involved individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
  4. The right to erasure – also known as ‘the right to be forgotten’, this refers to an individual’s right to having their personal data deleted or removed without the need for a specific reason as to why they wish to discontinue.
  5. The right to restrict processing – an individual’s right to block or suppress processing of their personal data.
  6. The right to data portability – this allows individuals to retain and reuse their personal data for their own purpose.
  7. The right to object – in certain circumstances, individuals are entitled to object to their personal data being used. This includes, if a company uses personal data for the purpose of direct marketing, scientific and historical research, or for the performance of a task in the public interest.
  8. Rights of automated decision making and profiling – the GDPR has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention. For example, individuals can choose not to be the subject of a decision where the consequence has a legal bearing on them, or is based on automated processing.

You have the right to request access to the information we have on you. If you want to appeal to one of the above rights, you can contact Simacan by sending an email to security@simacan.com
We will make sure to provide you with a copy of the data we process about you. In order to comply with your request we may ask you to certify your identity. We fulfil your request by sending your copy electronically, unless the request expressly specifies a different method.

Simacan’s ISO 27001:2013 certification

Simacan employs an ISO 27001:2013 certified Information Security Management System (ISMS). An ISMS is a systematic approach to managing sensitive company information so that it remains secure, and it includes people, processes and IT systems by applying a risk management process. The governing principle behind the ISMS is that Simacan has designs, implements and maintains a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.

Download Simacan ISO 27001 Certificate

Simacan Information Security Policy

Information should always be protected and Simacan has many critical information assets which are crucial in conducting business, maintaining clients’ trust, and keeping the future of the company strong. This policy outlines Simacan’s commitments to its employees, its clients, and its suppliers, on how all business-critical information assets will be handled by Simacan.

Every Simacan employee, every client, every supplier, must be aware of the significance of the information being handled, and ensure that proper controls are applied to prevent unauthorized disclosure, loss or lack of accessibility to the information.

The Simacan Information Security Policy is a part of the overall security and privacy effort carried out by Simacan. Simacan relies upon employees, clients, and suppliers to properly develop, maintain, and operate its systems, networks, and processes which keep sensitive information safe and properly used. Penalties for violating these policies may include disciplinary actions up to termination of employment, or termination of the business relationship with Simacan.

Policy Changelog

  • [11-04-2016] version 2.1, Section 2.2: the information security objectives were rewritten to better fit the services offered by Simacan.
  • [29-01-2016] version 1.3, First published version.
  • [19-01-2016] version 1.2, (Unpublished) working version.
  • [12-07-2015] version 1.1, (Unpublished) first version.

Download Simacan Information Security Policy

Security Controls

(Last update: September 2017)
At Simacan we deploy countermeasures against Risks by developing and implementing four different types of controls. These include technical controls, administrative controls, legal controls, and managerial controls. The proper use of controls makes existing vulnerabilities harder to exploit. Technical and legal controls aim to ensure information security in the short-to-medium period, while administrative and managerial controls aim to ensure information security in the medium-to-long period.

Confidentiality

Simacan places strict information security controls over its clients’ data, its suppliers’ data, and its own data. Simacan is committed to ensuring that client data is not seen by anyone (or anything) who should not have access. Simacan employees have access to the information systems in which client data is processed and stored. For example, in order to diagnose a production problem, Simacan employees may need to access data owned by the client. Simacan employees are prohibited from using these permissions to view client data unless it is necessary to do so. We have technical controls in place to ensure that any access to client data is monitored and logged. Simacan employees are bound to our Information Security Policy and Simacan treats these issues as matters of the highest importance.

Personnel Practices

Simacan employees are required to read Simacan’s Information Security Policy. The Policy covers the security, availability, and confidentiality of the Simacan ISMS. Also, Simacan Employees are required to sign an ISMS Acknowledgement as an addendum to their employment contract. Awareness of information security risks and available controls to mitigate them are promoted in yearly recurring training sessions for all employees.

Compliance

The environment that hosts all of Simacan Cloud information systems is Amazon Web Services (AWS). AWS is compliant with multiple certifications for its data centers, including ISO/IEC 27001, 27017, and SOC reports (1, 2, and 3). For more information about the certification and compliance of AWS, please visit the AWS Security website, the AWS Compliance website  and the AWS General Data Protection Regulation (GDPR) Center.

The following security-related audits and certifications are applicable to the Simacan ISMS:

  • ISO/IEC 27001: Simacan has successfully undergone the phase 2 of the ISO/IEC 27001 audit.
  • GDPR audit is planned june 4th 2018

Auditing Security Checklist: Simacan yearly runs an internal audit of its cloud infrastructures against the auditing security checklist published by Amazon Web Services.

Security Controls

Simacan implements in its ISMS several security controls to protect its clients’ data, its suppliers’ data, and its own data.

Monitoring and Logging

Simacan monitors and logs 24/7/365 every aspect of what happens in its Cloud information systems. These technical security controls allow the Simacan employees to timely prevent possible security incidents and effectively assist the client in case of service deterioration or disruption.

Company-Wide Two-Factor Authentication Policy

Simacan employees are required to set up two-factor authentication on all the accounts where client data is processed or stored.

Single Sign On

Simacan’s Single Sign On is based on Keycloak, an open source Identity and Access Management solution aimed at modern applications and services. Simacan implements and maintains Keycloak within its own systems.

Data Retention

Data retention is agreed in the Data Processor Agreement with the client.

Deletion of Customer Data

Timeframes and modality for the deletion of customer data is agreed in the Data Processor Agreement with the client.

Return of Customer Data

Timeframes and modality for the return of customer data is agreed in the Data Processor Agreement with the client.

Data Encryption

Simacan implements the latest recommended SSL encryption security controls for all traffic in transit through its information systems.
Simacan monitors the changing cryptographic landscape closely and works promptly to upgrade its ISMS to respond to new cryptographic weaknesses as they are discovered and implements best practices as they evolve.

Availability

Simacan understands that its clients rely on Simacan Control Tower in their primary business functions. Simacan is committed to making Simacan Control Tower a highly-available product the clients can count on. The Simacan Cloud infrastructure runs on fault-tolerant systems, whether the failure invests individual servers or entire data centers. All Simacan clients who have a SLA contract in place benefit of the 24/7/365 service of the Simacan Support Team. The Support Team is available to quickly resolve all production problems.

Disaster Recovery

To ensure availability, clients’ data is stored redundantly at multiple locations within the European Union at AWS data centers. Simacan has well-tested backup and restoration procedures, which allow recovery even from major disasters. Clients’ data and our source code are automatically backed up. Simacan has 24/7 monitoring and logging controls in place alerting Simacan employees in case of failures of the backup systems.

Network Protection

In addition to sophisticated system monitoring and logging, Simacan has implemented two-factor authentication for all server access across its production environment. Also, all of Simacan’s office networking infrastructure is configured according to industry best practices.

Incident Management & Response

In the event of a security breach, Simacan promptly notifies the client. Simacan has incident management policies and procedures in place to handle such an event.

External Security Audits

Simacan has contracts with respected external security firms who perform regular audits of the Simacan ISMS to verify that the implemented security practices are sound, and to monitor for new vulnerabilities. Simacan runs penetration tests either upon clients’ request, or upon Simacan’s own request.

Product Security Practices

New features, functionalities, and design changes go through an information security review process. In addition, all Simacan source code is extensively tested, and manually peer-reviewed prior to being deployed to production. Simacan employees work closely with one another to resolve any additional security concerns that may arise during development.

ISMS Certification

In July 2015 Simacan entered a trajectory to certify its own ISMS against the ISO/IEC 27001:2013 standard. ISO/IEC 27001:2013 is a risk-based information security standard which helps organizations to keep information assets secure. Certification to ISO/IEC 27001:2013 is possible but not obligatory. Simacan chose to implement the standard in order to benefit from the best practice it contains and to reassure its clients of the quality of the processes behind the Simacan SaaS products.

Questions about Information Security and/or GDPR?

Contact us at security@simacan.com

Security Bulletins

From time to time it is necessary to notify our clients, suppliers, and business partners about relevant security-related events. In the security bulletins below we only publish notifications relevant to events related to the Simacan ISMS. Information about incidents is available on the Simacan status page.

  • [2018-05-01] The GDPR legislation has been added
  • [2017-09-06] updated the Single Sign On section of the security portal.
  • [2016-04-28] published version 2.1 of the Information Security Policy.
  • [2016-03-29/31] an internal audit was performed on the Simacan ISMS.
  • [2016-03-22/23] Simacan employees received an Awareness & Training session about the Simacan ISMS.
  • [2016-03-01] Simacan ISMS has been initiated.