Data Loss Prevention Policy
1. Introduction
“SIMPLIO” LOCATED IN KEIZERSGRACHT 482 1017EG AMSTERDAM NETHERLANDS, IS WILLING TO GRANT ACCESS TO THE APPLICATION TO YOU AS THE COMPANY OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE APPLICATION (REFERENCED BELOW AS “MERCHANT”) ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS AGREEMENT (AS DEFINED BELOW). BY ENTERING INTO THIS AGREEMENT AS A MERCHANT, YOU REPRESENT THAT WE HAVE THE LEGAL AUTHORITY TO BIND YOU THE MERCHANT TO THIS AGREEMENT. MERCHANT AND SIMPLIO MAY EACH ALSO BE REFERRED TO AS A “PARTY” AND TOGETHER, THE “PARTIES”.
When this Data Loss Prevention Policy mentions Simplio or Simple Invoice or Simple Promotions and Upsells or Simple Order Printer or https://www.simplio.app or https://www.simpleinvoice.info, it refers to “we”, “us”, or “our”, and we will be acting as a Data Processor.
2. Definitions
Electronic commerce: Electronic financial services delivered via electronic means including, but not limited to, the Internet or other electronic delivery methods.
Encryption: This is the conversion of data into a form, called a cipher text, which cannot be easily understood by unauthorized people.
Authentication: This is the process of determining whether someone or something is, in fact, who or what it is declared to be. Depending on the transactions, a more stringent authentication process may be required.
Firewall: Any hardware and/or software designed to examine network traffic using policy statements (ruleset) to block unauthorized access while permitting authorized communications to or from a network or electronic equipment.
4. Purpose
If you have an Simplio subscription, this policy can be used as both a guideline and an overview of the management of Simplio application.
5. Policy Detail
Simplio is committed to enhancing member service through the use of many forms of e-commerce activities.
Electronic commerce activities include Simplio website, email, online invoice system, ACH transactions, ATM system, and online bill payment and services. They also include business-to-business transactions where interaction is conducted electronically between Simplio, its customers, and its business partners using the Internet as the communications network.
Simplio will build policies to protect sensitive data. Every policy will consist of some rules, such as to protect credit card numbers, PII, and social security numbers, if such policies are not already in place.
It is the practice of Simplio to safeguard member data at all times, including the processing of e-commerce transactions. The information must be protected at both the sending and receiving ends of each transaction. To accomplish this, there are several levels of protection applied to e-commerce activities.
- Encryption: Encrypting transactions provides security by ensuring that no portion of a transaction is readable except by the parties at each end of the transmission. This ensures that data can be transmitted securely without concern that another party could intercept all or part of the transaction. Encryption also makes certain that the transaction is not tampered with as it routes from point to point and data is received exactly as it was sent. Simplio will use a minimum of 128b encryption. This also applies to vendors that host Simplio member data.
- Authentication: After a secure connection is established, the initiating party must prove his/her identity prior to conducting the transaction. This is typically handled with user IDs or account numbers, along with password or PIN combinations. Additionally, encryption certificates are also employed to validate the authenticity of both servers and users. System administrators control system access by assigning users different levels of access to applications and data. These access levels are determined by senior management and are specific to each job function. This ensures that access to applications and specific types of transactions are only granted as job functions require.
- Multi-factor Authentication (MFA): For online invoicing services, MFA offers more than one form of authentication to verify the legitimacy of a transaction. The layered defense makes it more difficult for an unauthorized person to gain access.
- Firewalls: Simplio will deploy and utilize firewalls as necessary to protect internal systems from threats originating from the Internet, as well as those that might be present when connecting to vendors’ networks. Firewall operating systems and configurations will be reviewed periodically to ensure maximum protection. An audit log will be maintained tracking all attempts to access unconfigured (blocked) services. Firewalls and other access devices will be used, as needed, to limit access to sites or services that are deemed inappropriate or non-corporate in nature. Vendor-hosted solution firewalls will be reviewed prior to implementation.
- Network Traffic Rules and Restrictions: Intra-network traffic is subject to distinct operating rules and restrictions. Through the use of firewall technology, outside parties are directed only to approved, internal resources. An example of this is web page services that allow certain types of traffic from the Internet (web page browsing) but have other types of traffic blocked (i.e. administrative tasks). This strategy dramatically reduces the risk of any party gaining unauthorized access to a protected server. The internal network is also protected from virus attacks through the use of network-level anti-virus software that is updated automatically on a regular basis. These regular updates are loaded automatically to each PC, as they are available. This provides the most up-to-date virus protection and security available. E-mail is also scanned prior to delivery, reducing the potential of a virus entering the network in this manner.
- Physical App Security: The entire IT Department is protected by a card access entry system allowing only authorized personnel into the Department. Sensitive data, hardware, and software are secured in the Simplio data center, which is secured with a card access entry point and is monitored throughout the day by IT staff. Access to the data center is further limited to a small number of authorized personnel. It is Simplio’s practice to change administrative passwords and immediately remove card access privileges after any change in IT staff. In addition to on-site storage of data, Simplio stores overnight backups of critical systems data and replicated Storage Area Network (SAN) storage to a secure, off-site location. This ensures that data is available in the event of a disaster or other critical situation.
- Staff Training and Review: IT staff receives training and reviews all procedures at least annually or as major system additions or changes are implemented.
- User Password Maintenance: Staff passwords, on the host data processing system, expire after 45 or 90 days, forcing users to modify their passwords. This control, along with a strict Simplio policy prohibiting users from sharing or disclosing their passwords, is intended to prohibit unauthorized access to systems and data. After receiving a change in status from the Human Resources Department or other management team members, IT staff immediately removes user access codes from appropriate systems.
- Expert Assistance: Simplio recognizes that e-commerce security issues change daily. New threats to security, safety, and accuracy appear daily and system vendors publish updates and patches regularly to eliminate the threat. To assist in the ongoing maintenance of key components of system security, Simplio will engage, at a regularly scheduled interval, in consulting and audit oversight with a nationally recognized leader in the area of e-commerce security. This vendor may also provide technical assistance as new e-commerce-related features are added to the system to ensure the continued safety and security of existing systems.
- Communications Network: Simplio employs the use of several types of data communication lines including dial-up phone lines, direct point-to-point circuits, and other private and public network connections. Data transmissions are secured, encrypted, and/or password protected, as needed.
6. Identify Sensitive Data
Simplio will identify all the confidential, restricted, and highly restricted data across the whole application and across the three categories, i.e. for data-in-transit, in-store, and in-use. In identifying the sensitive data, Simplio will define the scope within which the DLP Solution will function. Each data set analyzed will be considered as to whether or not leveraging the DLP product would be an efficient use of resources, whether the data is non-sensitive, or whether the DLP would be an effective tool in further securing the data. DLP products work with signatures to identify any restricted data when it is crossing boundaries. To identify the critical data and develop its signatures, there is a term in DLP products known as fingerprinting. Data is stored in various forms at various locations in the application and it requires identifying. Various products come with a discovery engine that crawls all searchable data in a given data store, index it and make it accessible through an intuitive interface that allows quick searching on data to find its sensitivity and ownership details.
7. Response Program
In the event Simplio suspects or detects unauthorized individuals have gained access to member information systems, Simplio will report such actions to appropriate regulatory and law enforcement agencies according to Simplio information security response procedures.
8. Compliance
Simplio policies are guided by mandatory compliance standards specified by governments and industry regulators, such as the PCI DSS, US Data Privacy Law, European Union General Data Protection Regulation as well as the United Kingdom Data protection laws. These standards outline how an organization should safeguard personally identifiable information (PII) and other sensitive data.
9. Support Services and Upgrades
To send us your questions, comments, or complaints or receive communications from us kindly email us; helpdesk@simplio.app
Last update: October, 2024