Information security policy

Simployer is committed to maintaining the highest level of information security to protect information assets, ensure the privacy of our customers and employees, and maintain the quality of our products and services.

This policy outlines our approach to information security, including risk assessment, incident management and continuous improvement.

Risk assessment

Simployer will identify and assess risks associated with the confidentiality, integrity, and availability of information and systems. This includes identifying potential threats and vulnerabilities to our infrastructure, data, and operations.

We will analyze the identified risks to evaluate their potential impact and likelihood. This analysis will help us prioritize risks and determine the appropriate mitigation strategies.

Simployer will implement appropriate safeguards and controls to reduce identified risks to an acceptable level. These measures may include technical, organizational, and physical controls.

Confidentiality

Simployer ensures that information remains accessible only to authorized individuals by adhering to best practices. We conduct internal risk assessments and establish documented procedures to prevent potential risks, with a strong emphasis on maintaining confidentiality throughout our product development process.

Simployer achieves this by offering our customers:

  • Secure authentication methods
  • Flexible and secure role models within our products
  • Privacy by design and privacy by default on multiple levels in the products
  • Data isolation, ensuring that each customer's data is kept separate within dedicated storage containers.


Furthermore, Simployer operates based on the following principles:

  • Prioritizing privacy at every stage of product development
  • Conducting both automated and manual testing during product deployment
  • Providing training to our staff on privacy and security matters
  • Third-party audits of our management system around privacy

Integrity

Simployer follows established best practices to prevent unauthorized or accidental changes to data. Our approach relies on internal risk assessments, well-documented procedures to mitigate risks, and a strong commitment to maintaining data integrity as a key factor in our product development.

Every Simployer customer benefits from data isolation by design. This means that each customer's data is securely kept separate in dedicated storage containers, ensuring there is no mixing of data. Additionally, robust access controls and role models are in place to further guarantee data integrity.

Our systems utilize built-in, trusted tools within SQL Servers and the Microsoft .NET framework to uphold data integrity.

Read more under IT Security.

Availability

Simployer follows established best practices to ensure that information remains available and operational at all agreed-upon times for legal and authorized use. We also ensure that data can be transported as needed in accordance with established procedures.

Our commitment to maintaining availability is reinforced by our Service Level Agreement (SLA).

Simployer currently manages a diverse array of systems, including HSE systems, personnel systems, time/planning systems, learning management systems, staff/management manuals, and more, serving over 2.000 customers. Some of these customers are among the largest companies in the Nordic region. Simployer takes responsibility for maintaining uninterrupted system operations and implementing robust security measures and backup strategies, all of which are detailed in our Service Level Agreement (SLA) and Data Processing Agreements.

For more comprehensive information, please review our SLA and Data Processing Agreements.

Data portability

Simployer, as a data processor, acknowledges that customer data belongs to the customer. Customers can terminate the service in accordance with the deadlines agreed in the relevant agreements, and the SLA regulates how Simployer will return and remove all customer data after the agreement expires.

Customers may at any time during the term of the agreement have their data exported to a machine-readable format.

Transparency

As a Simployer customer you know where your data is stored, who has access to data and how data is processed.

  • Where: Read more about Simployer hosting providers.
  • Who has access: After the service is initially established, only the customer has access to their data. Before the service is established, only the customer and trusted staff at Simployer have access to the customer's data for the purpose of assisting in the establishment of the service.
  • How is data processed: After establishing the service, it is the customer who controls which persons should have access to the customer's data. The systems are designed to enable employers to perform their duties as an employer, and they are designed in a way that helps the customer to comply with Privacy.

Incident management

Simployer has established procedures to promptly detect and identify potential security incidents.

Any employee who suspects or identifies a security incident must report it immediately.

Simployer maintains an incident response plan that outlines roles, responsibilities, and procedures for responding to security incidents. The plan will be regularly reviewed and updated to reflect changes in technology and the threat landscape.

Upon detection of a security incident, an incident response team will take appropriate actions to respond to and mitigate the impact of the incident.

Once the incident is handled and mitigated, Simployer will initiate recovery processes to restore affected systems and data to normal operations.

Simployer will maintain clear communication channels throughout the incident response process. We will communicate internally and, when necessary, externally.

Continuous improvement

Simployer is committed to continuous improvement of our information security practices. We will regularly review and update our risk assessments, security controls and incident management procedures to adapt to changing threats, technologies, and business needs.

Compliance

Simployer will ensure that all information security activities are performed in compliance with relevant laws, regulations, and industry standards.