Our products and services are transforming manual HR processes into engaging, flexible and reliable digital solutions. The cornerstone of our success is providing a safe and secure place to manage employee information.

On this page we outline the controls, processes and precautions we take that are necessary to maintain the confidentiality, integrity and availability of the Simon platform. Simon is a multi-tenant Software as a Service (SaaS) application, and the protection, confidentiality and integrity of our customers' data and application infrastructure are critical.


Our approach to information security will continually evolve to achieve the correct balance between service, security and efficiency, and keep up to date with advances in technology.


What external audits or assessment results are available to review?


At Simon we take information security seriously. That is why Qtiviti Consulting Group Pty Limited (including Simon) has achieved ISO 27001:2013 certification for our business operations. ISO 27001 sets out the requirements of information security management systems.  It is part of the ISO 27000 family of international standards relating to information and cyber security and offers a comprehensive set of controls, based on best practice in information security.


Our data centre providers maintain ISO 27001, SOC2 Type II, and many other certifications. 


Simon also regularly undertakes third-party security evaluation through defined penetration testing.



Are physical security protections in place to protect my data?


Absolutely! Simon's physical infrastructure is hosted and managed within Amazon's secure data centres and utilises Amazon Web Services (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon's data centre operations have been accredited under:




  • ISO 27001
  • SOC 1 and SOC 2 / SSAE 16 / ISAE 3402 (previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

More details about Amazon's compliance are available online.




Simon is hosted across two Australian Availability Zones on Amazon Web Services (AWS).


For details on their security practices, refer to Amazon Web Services - Overview of Security Processes.


In the unlikely event both Availability Zones become unavailable, our hosting will be switched to a secondary Australian hosting provider who complies with our minimum security standards.



What Network & Application security controls are in place to protect my data?


Application Security

  • All infrastructure runs on a Virtual Private Cloud (VPC)
  • AWS Security Groups are configured to allow specific traffic between server ports and subnets
  • Application and database servers only have required ports open for specific required services
  • All infrastructure is monitored and protected by Symantec Cloud protections

Network Security

  • Access to our network is achieved via a Virtual Private Network (VPN) device ensuring an encrypted tunnel to your data
  • AWS Security Groups are configured to allow specific traffic between server ports and subnets
  • Application and database servers only have required ports open for specific required services
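The two lists above describe a least-privilege layout: Security Groups that permit only specific traffic between ports and subnets, and servers that expose only the ports their services need. The script below is an added example (not Simon's or AWS's code) of how a defender can check a rule set against that intent. It audits a constructed sample shaped like the output of `aws ec2 describe-security-groups`; the group names, subnets and the policy table are assumptions made for the example.

```python
"""Audit security-group ingress rules against a least-privilege policy.

Added example; the rule set and policy below are constructed for
illustration.  The policy says which (service port, source network)
pairs each group may allow; every other rule is reported.
"""
import ipaddress

# Constructed sample networks (assumptions, not Simon's real layout).
APP_SUBNET = ipaddress.ip_network("10.0.1.0/24")   # application tier
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")       # the public internet

# Constructed sample: shaped like `describe-security-groups` output.
SAMPLE_GROUPS = [
    {
        "GroupName": "app-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},        # HTTPS, expected
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},        # SSH from anywhere
        ],
    },
    {
        "GroupName": "db-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},      # DB from app tier only
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},      # all protocols, whole VPC
        ],
    },
]

# Intended exposure per group: app tier serves HTTPS publicly; the database
# listens only for the application subnet.  (Assumed policy.)
POLICY = {
    "app-tier": {(443, ANYWHERE)},
    "db-tier": {(5432, APP_SUBNET)},
}


def rule_ports(perm):
    """Port range a permission covers; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm["FromPort"], perm["ToPort"])


def audit_groups(groups, policy):
    """Return (group, port_range, source_cidr, reason) for each rule
    that is broader than the policy allows."""
    findings = []
    for group in groups:
        allowed = policy.get(group["GroupName"], set())
        for perm in group["IpPermissions"]:
            lo, hi = rule_ports(perm)
            for ip_range in perm.get("IpRanges", []):
                src = ipaddress.ip_network(ip_range["CidrIp"])
                if lo != hi:
                    findings.append((group["GroupName"], (lo, hi), str(src),
                                     "port range instead of a single service port"))
                    continue
                # A rule passes only if the policy names this port with a
                # source network that contains the rule's source.
                if not any(port == lo and src.subnet_of(net)
                           for port, net in allowed):
                    findings.append((group["GroupName"], (lo, hi), str(src),
                                     "port/source pair not in policy"))
    return findings


if __name__ == "__main__":
    for finding in audit_groups(SAMPLE_GROUPS, POLICY):
        print(finding)
```

Run against the sample, the audit reports the SSH rule open to the internet and the all-protocol rule on the database group; the HTTPS and 5432-from-app-subnet rules pass. Feeding it real `describe-security-groups` JSON only requires replacing the sample list and the policy table.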

Does Simon encrypt my data?


Yes! Simon encrypts data communications over the internet using HTTPS and Secure Sockets Layer (SSL), a cryptographic protocol designed to protect against eavesdropping, tampering and message forgery. All SSL certificates use the SHA-256 signature algorithm with RSA encryption. To provide an additional layer of security, Simon operates on a private subnet within a Virtual Private Cloud, ensuring an encrypted tunnel to stored data.

We also store passwords in the database as SHA-1 hashes rather than as plain text - plain text passwords are never stored!

How is my data archived or removed?


During an active subscription all customer data is maintained within the system unless the customer has deleted a record themselves.


If a customer chooses to leave Simon their data is kept for a minimum of 60 days from the date of the expiry or termination of the agreement.  Customers may request in writing that all customer data is deleted and this will be executed within 14 days. 


The decommissioning of hardware is managed by our infrastructure provider using a process designed to prevent customer data exposure.  Amazon Web Services uses techniques outlined in DoD 5220.22-M (National Industrial Security Program Operating Manual) or NIST 800-88 (Guidelines for Media Sanitization) to destroy data. 

 


How is my data segregated from other customers' data?


As a multi-tenant application, Simon classifies and binds customer data using a combination of User ID and Organisation ID. The organisation, for the purposes of Simon, is the "Tenant". This means that whenever data is created or accessed, the application applies validation rules to retrieve only information belonging to that tenant.
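The paragraph above describes the standard pattern for row-level tenant isolation: the tenant identifier is resolved from the authenticated user and then attached to every read and write. The block below is an added example (not Simon's code) of that pattern on an in-memory SQLite database; the table names, sample organisations and users are constructed for the example. The point it makes visible is that a record ID belonging to another tenant resolves to "not found" rather than to another customer's data, because the Organisation ID is part of every predicate, not a filter applied afterwards.

```python
"""Tenant-scoped data access: every query carries the caller's org_id.

Added example with a constructed schema and sample rows; not Simon's code.
"""
import sqlite3

SCHEMA = """
CREATE TABLE organisation (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE app_user (
    id INTEGER PRIMARY KEY,
    org_id INTEGER NOT NULL REFERENCES organisation(id),
    email TEXT NOT NULL
);
CREATE TABLE employee_record (
    id INTEGER PRIMARY KEY,
    org_id INTEGER NOT NULL REFERENCES organisation(id),
    name TEXT NOT NULL,
    salary INTEGER NOT NULL
);
"""


class TenantScopeError(PermissionError):
    """Raised when a request cannot be bound to the caller's tenant."""


class TenantRepository:
    """Data access for one authenticated user; the tenant is derived from the
    user record, never taken from the request."""

    def __init__(self, conn: sqlite3.Connection, user_id: int):
        row = conn.execute("SELECT org_id FROM app_user WHERE id = ?",
                           (user_id,)).fetchone()
        if row is None:
            raise TenantScopeError(f"unknown user {user_id}")
        self.conn = conn
        self.user_id = user_id
        self.org_id = row[0]

    def list_records(self):
        return self.conn.execute(
            "SELECT id, name, salary FROM employee_record "
            "WHERE org_id = ? ORDER BY id", (self.org_id,)).fetchall()

    def get_record(self, record_id: int):
        # org_id is in the WHERE clause, so another tenant's id yields no row.
        row = self.conn.execute(
            "SELECT id, name, salary FROM employee_record "
            "WHERE id = ? AND org_id = ?", (record_id, self.org_id)).fetchone()
        if row is None:
            raise TenantScopeError(
                f"record {record_id} not visible to org {self.org_id}")
        return row

    def create_record(self, name: str, salary: int) -> int:
        # Writes are stamped with the caller's org_id, not a client-supplied one.
        cur = self.conn.execute(
            "INSERT INTO employee_record (org_id, name, salary) VALUES (?, ?, ?)",
            (self.org_id, name, salary))
        self.conn.commit()
        return cur.lastrowid


def build_sample_db() -> sqlite3.Connection:
    """Two constructed tenants, one user and one record each."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO organisation VALUES (?, ?)",
                     [(1, "Acme Pty Ltd"), (2, "Globex Pty Ltd")])
    conn.executemany("INSERT INTO app_user VALUES (?, ?, ?)",
                     [(10, 1, "alice@acme.example"), (20, 2, "bob@globex.example")])
    conn.executemany("INSERT INTO employee_record VALUES (?, ?, ?, ?)",
                     [(100, 1, "Ann", 90000), (200, 2, "Ben", 85000)])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    alice = TenantRepository(db, user_id=10)
    print(alice.list_records())          # only org 1's rows
    try:
        alice.get_record(200)            # org 2's record
    except TenantScopeError as err:
        print("blocked:", err)
```

A useful regression test for this pattern is exactly the cross-tenant lookup in the `__main__` block: pick a real record ID from another tenant and assert that the repository refuses it. If any query path can return that row, the tenant binding has a gap.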



Who at Simon has access to my data?


Simon has strict protocols in place to ensure that your data can only be accessed by authorised Simon personnel on a need-to-know basis. "Need to know" is typically defined as those personnel who provide technical support and production system configuration support.

All development and product testing is conducted in our staging and development environments, which are segregated from the main production server and database. Data contained within the staging and development environments is fictitious and does not correspond to actual data contained within the production instance.


From time to time access and testing is required on the production environment. Any access and testing on the production environment is limited to authorised personnel operating under strict defined guidelines. All personnel who may have reason to access production environments are directly engaged by Simon.