Logging, monitoring and log retention

Digital actions usually create events that are kept in logs. This document describes what data Simployer logs, how we keep our log data, how we use the logged data and how we handle log retention (deletion of log data).

The two main categories of logs we have in Simployer are audit logs (security logs) and feature logs (activity/event logs for functionality). As a general principle we avoid storing personal data or sensitive data in logs, but there are exceptions to this principle.

Audit logs

Audit logs are used to track events related to authentication, change of data, cybersecurity needs and meeting industry data compliance requirements. Audit logs provide important insights into system and network activity for Simployer personnel.

Simployer logs all relevant transactions and all authentication requests, and the logs may contain personal data (like userid, name and IP address). These logs are not available for the customer as standard, but extracts from audit logs can be available for the customer's administrators as part of functionality in our modules (e.g. when was an email changed, and by whom). Simployer can also extract and export such logs on request. Simployer does, however, reserve the right to reject such requests if the request is not related to legal requirements and/or GDPR.

If not specifically agreed otherwise in the Data Processing Agreement with the customer, Simployer reserves the right to use anonymized data from these logs for legitimate security and business purposes without any obligations to the customer (the Data Controller) or its users or recipients.

Feature logs

A feature log is a set of log records documenting a sequence of activities within a system. Simployer keeps feature logs for most activities that the Simployer system provides where we consider logging important. The feature log can be available for the customer as part of functionality in our modules (e.g. sick leave history in the sick leave module), or the feature log can be available for Simployer only to improve or maintain the system.

Feature logs are not available for the customer as standard, but Simployer can extract and export such logs on request. Simployer does, however, reserve the right to reject such requests if the request is not related to legal requirements and/or GDPR.

If not agreed otherwise in the Data Processing Agreement with the customer, Simployer reserves the right to use anonymized data from these logs for legitimate security and business purposes without any obligations to the customer (the Data Controller) or its users or recipients.

Log storage and consolidation

Simployer comprises many internal and external services, hosted with different hosting providers, in what is often described as a distributed system. To secure and store log data from different services we consolidate our logs using a cloud-based logging and monitoring tool provided by a 3rd party vendor. Our logs are always stored within the EU/EEC.

Monitoring and accessibility of logs

Simployer continuously monitors all our systems and infrastructure for incidents, abnormal traffic and performance issues using 3rd party professional tools.

If an incident occurs, Simployer will continuously update its customers at https://status.simployer.com. Users can also choose to subscribe to notifications on this site.  

Only authorized and trained Simployer personnel have access to logs. Simployer does not provide customers with access to specific log monitoring tools. 

Log retention

Simployer maintains log data for a limited time, adhering strictly to the retention periods mandated by law and necessary for service operations. As a guideline we keep logs for at least two months, but no longer than twelve months. Authentication logs are kept for 3 months. In addition, logs are part of our backup regime and may be available through backups for the period of the backup schedule.