Security & Privacy FAQs

Answers to commonly asked questions about Symplicity's Security and Privacy Programs

 

Is Symplicity ISO 27001 or SOC 2 Type II certified?

Yes, Symplicity is ISO 27001 and SSAE 18 SOC 2 Type II certified.  The locations that are part of the audits are our headquarters in Arlington, VA, and our offices in Belo Horizonte, Brazil (Contratanet), Hamilton, Canada (Orbis Communications), and Brisbane, Australia (CareerHub).

Is Symplicity GDPR compliant? 

Yes. You can learn more about Symplicity’s privacy practices and about Symplicity’s commitment to compliance with the General Data Protection Regulation (“GDPR”) in our Privacy Policy.

What kind of encryption does Symplicity use?

To protect data in transit between our app and our servers, Symplicity supports the latest recommended secure cipher suites for encrypting all traffic, including TLS 1.2 protocols, AES256 encryption, and SHA2 signatures, whenever supported by the clients.

Data at rest in Symplicity’s production network is encrypted using industry-standard 256-bit Advanced Encryption Standard (AES256), which applies to all types of data at rest within Symplicity’s systems—relational databases, file stores, database backups, etc.

How does Symplicity host the suite of applications?

Symplicity primarily utilizes Amazon Web Services (AWS) for our hosting and storage needs, but also uses MS Azure and OCI in certain regions. Contratanet uses AWS, Orbis uses MS Azure, and CareerHub uses AWS as well. Symplicity's use of these cloud service providers enables us to provide scalability and cloud-native security with the latest technologies to our clients.

Does Symplicity perform security assessments of third-party companies with which we share data?

Symplicity periodically evaluates all vendors for security risks through a formal risk assessment process.

What is Symplicity's Authentication and Authorization Strategy and does Symplicity support SSO?

Symplicity offers CAS, LDAP, and local authentication out of the box. We also support just about any SSO out there. Clients using our local authentication can set their own password complexity settings so that departments can comply with their school/university IT Password Security Requirements.

Does Symplicity have a documented Business Continuity Plan?

Yes, Symplicity maintains a Business Continuity Plan. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster. 

Does Symplicity have a documented Disaster Recovery Plan?

Yes, Symplicity maintains a Business Continuity Plan. This document describes high-level strategies for restoring critical business functions by resuming operations from backup locations, establishing communication among core team members, and executing operations playbooks for restoring from backups. We test and review the plan annually.

How does Symplicity accomplish Continuous Monitoring?

Symplicity implements continuous monitoring by maintaining a Vulnerability Management Program, monitoring tools such as a SIEM and Intrusion Detection, Configuration Management, Risk Assessments, Ongoing Assessment, and more.

Does Symplicity monitor for intrusions on a 24 x 7 x 365 basis?

Symplicity implements extensive service monitoring, and our operations team is on call 24x7x365.

Does Symplicity have a formal Incident Response plan?

Yes, Symplicity maintains a formal Incident Response plan. Our primary goals will be to investigate, contain any exploitations, eradicate any threats, recover Symplicity systems, and remediate any vulnerabilities. Throughout this process, thorough documentation will be required as well as a post-mortem report.

How do users make data privacy requests?

To submit a request to exercise your access, deletion, or correction privacy rights, please go to the Data Privacy Requests page and fill out the form.

How do I report a security incident?

If you believe you've discovered a security-related issue, please report the issue immediately by:

  • Calling or emailing the Help Desk
  • Submitting a ticket in the Symplicity Help Center
  • Reaching out to your Client Manager
  • Emailing us at infosec@symplicity.com

How does Symplicity destroy data?

Since Symplicity only has virtual access to our infrastructure via our Cloud Service Providers (AWS, Azure, OCI), we rely on them to destroy IT assets.  Our Cloud Service Providers destroy media according to industry standards such as NIST 800-88.