Security is fundamental to us
Simple Finance Technology Corp., the creator of Simple, meets all industry standards to safeguard your data. We use a variety of methods to secure our network and servers as well as our software and web applications. Our data retention and business continuity plans are comprehensive and our employees maintain organizational security measures designed to keep your data safe.
Network and server security
- Network infrastructure is segregated into levels of information classification with strict routing, firewalling, and access control links that separate each privilege level.
- Network infrastructure undergoes regular internal penetration testing audits that are augmented by semi-regular third-party audits.
- Our information security team performs regular software updates throughout the Simple infrastructure to remain up-to-date on software security patches.
- Card numbers, mag-stripe data, and security codes are handled in accordance with PCI DSS requirements.
Software and web application security
- Web APIs and web pages are secured with High Assurance SSL certificates that support encryption algorithms with key lengths up to 256 bits and prohibit any key lengths shorter than 128 bits.
- Simple's cloud infrastructure employs Multi-Factor Authentication for management operations.
- Industry-standard (symmetric and asymmetric) encryption algorithms with appropriately sized keys are used to protect sensitive Customer Information.
- Simple applications undergo regular internal source code audits. Internal audits are augmented by semi-regular third-party audits.
- Standards and leading practices identified by independent security organizations (e.g., OWASP) are integrated into all Simple code creation processes.
Data retention and disaster recovery
- Data is aggressively archived and Simple performs regular offsite backups to ensure redundancy.
- Simple services are designed to tolerate failures in supporting infrastructure while maintaining continuity of operations; we place a high priority on redundancy and ensuring maximum availability of our services.
- Simple follows industry standard incident response procedures with a dedicated incident response team.
- Prospective employees undergo security screenings during the hiring process.
- Simple employees undergo security operations training.
- Simple employees use encrypted storage, encrypted chat (and voice), encrypted tunnels (VPN and SSH), and encrypted email for sensitive internal communications and operations.
- Simple maintains detailed application-level and system-level logs.
Security research and disclosure process
Simple understands the devotion and effort that security work requires. As such, we encourage (and reward) the responsible disclosure of any vulnerabilities to us. Responsible disclosure means:
- Openly share the full details of any vulnerabilities with us.
- Do not announce or share the details of any vulnerabilities in any way with the public or other parties.
- Do not exploit the vulnerability except for purposes of demonstrating it to Simple personnel. Please contact email@example.com if you are unsure of exploitability and we will work with you to verify it safely.
- Do not use the vulnerability to access, modify, harm, or otherwise alter any Simple (or its customers') data.
Vulnerabilities that are "responsibly disclosed" according to the above process are welcomed. Simple will not seek to bring legal action against any person who adheres to this process of responsible disclosure. Additionally, severe vulnerabilities are eligible for a vulnerability reward.
Simple uses Bugcrowd to manage vulnerability submissions and for reward distribution. For more details about the scope and terms of our program, go to https://bugcrowd.com/simple and sign up as a tester. If you have identified a vulnerability, please report it via Bugcrowd to be eligible for a reward.
You may also contact us with any security concerns or suggestions at firstname.lastname@example.org. Security-related emails signed with Simple Security's official key may be verified using `gpg --verify` if you are using GPG and have imported our public key.
The Simple Security team's official GPG key has an ID of `79FF66A9` and may be retrieved from public key servers using a command like: `gpg --recv-keys 79FF66A9`. If you are able, please use that key to encrypt any messages regarding security sent to Simple. The fingerprint for that key is `E034 918A BA56 1DD0 6CAF 46D8 C472 1EA0 79FF 66A9`.
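The following script carries out the checks this paragraph describes, as an added example that is not Simple's own tooling. The key ID and fingerprint are the values given above; the function names, the `--with-colons` parsing and the `VALIDSIG` status-line check are assumptions about how a reader would wire this up. Because a short key ID is only the last 32 bits of the fingerprint and can collide, the script refuses to use a key unless the full fingerprint it fetched matches the one published here, and it confirms that a signature was made by that exact fingerprint rather than merely by "some valid key".

```shell
#!/bin/sh
# Added example, not Simple's tooling. Values below are the ones published on the page.
EXPECTED_FPR="E034 918A BA56 1DD0 6CAF 46D8 C472 1EA0 79FF 66A9"
KEY_ID="79FF66A9"

# Normalize a fingerprint: drop spaces, uppercase hex.
norm_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Return 0 if the short key ID is the last 8 hex digits of the fingerprint.
# This only checks the page is self-consistent; it does not prove key identity.
id_matches_fpr() {
  fpr=$(norm_fpr "$1")
  id=$(printf '%s' "$2" | tr 'a-f' 'A-F')
  case "$fpr" in
    *"$id") return 0 ;;
    *)      return 1 ;;
  esac
}

# Return 0 only if the key gpg holds for $2 has the fingerprint $1.
# --with-colons gives a stable record format; field 10 of an "fpr" record
# is the fingerprint (assumed gpg invocation).
local_fpr_matches() {
  got=$(gpg --batch --with-colons --fingerprint "$2" 2>/dev/null \
        | awk -F: '$1=="fpr"{print $10; exit}')
  [ -n "$got" ] && [ "$got" = "$(norm_fpr "$1")" ]
}

# Return 0 only if the signed file $2 carries a good signature made by the
# key whose fingerprint is $1. The VALIDSIG status line names the signing
# key's full fingerprint, so a valid signature from any other key is rejected.
signed_by_expected() {
  want=$(norm_fpr "$1")
  gpg --batch --status-fd 1 --verify "$2" 2>/dev/null \
    | awk -v want="$want" '$1=="[GNUPG:]" && $2=="VALIDSIG" && toupper($3)==want {ok=1} END{exit ok?0:1}'
}

# Fetch the key by ID, then refuse to proceed unless the fingerprint matches.
fetch_and_check() {
  id_matches_fpr "$EXPECTED_FPR" "$KEY_ID" || {
    echo "key ID and fingerprint disagree; check the published values" >&2; return 1; }
  gpg --batch --recv-keys "$KEY_ID" >/dev/null 2>&1 || {
    echo "could not retrieve $KEY_ID from a key server" >&2; return 1; }
  if local_fpr_matches "$EXPECTED_FPR" "$KEY_ID"; then
    echo "fingerprint verified; encrypt with: gpg --encrypt --recipient $KEY_ID <file>"
  else
    echo "fingerprint mismatch for $KEY_ID; do not encrypt to this key" >&2; return 1
  fi
}

# Usage (needs gpg and network access):
#   fetch_and_check
#   signed_by_expected "$EXPECTED_FPR" reply-from-simple.asc && echo "genuine"
```

Compare the full fingerprint, never just the 8-character ID: two different keys can share a short ID, and `--recv-keys` will happily import whichever one the key server returns.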
The following researchers have submitted reports to Simple that have contributed to the continuing security of Simple's services and we would like to gratefully acknowledge their efforts.