Security At Our Core
Simon Data has a dedicated security team that’s committed to ensuring the protection of customer data and the Simon Platform. This team follows a vetted process for detecting, assessing, and prioritizing security risk across the organization. We work closely with internal teams to validate security controls and regularly perform risk assessments to ensure that we’re addressing the appropriate risks at the right time.
Experience and Training
We’re always learning! Our security team possesses decades of combined experience ranging from large enterprises to startups, and we spend 10-20% of our time on skill development and enrichment. The team’s active certifications include CISSP, ScrumMaster, and CISA. We volunteer at security events, have spoken at security conferences, and frequently mentor early-career security engineers.
Though we’re a very capable team, we can’t do everything on our own. We rely on partnerships across the company to amplify the signal of the Security Team. We empower engineers with actionable data and provide them with quality tools to make sound security decisions early in the design process and throughout development. Engineering teams willingly approach the Security Team for assessments and support, and we believe this is a strong indicator of the success of this approach.
Our platform was built to allow you to take action on all of your customer data without the overhead. Our approach to security follows the same principles. We recognize the importance of the first-party data you share with us, and have built our security program around the protection of the data you entrust us with.
Simon utilizes Amazon Web Services (AWS) for our entire production platform, and AWS and Snowflake for data stores. We follow best practices and native services to ensure the security of data at rest and in transit.
Least Privileged Access
Simon has policies, procedures, and automation in place to ensure that only the appropriate personnel are able to access customer data based on their role, and upon validation from select personnel. We monitor access patterns and potential violations in real time, and generate alerts to multiple teams when investigation is required. All teams have documented access patterns, and changes to this are validated by the Security Team and Simon leadership.
Resource Monitoring / Logging
Simon Data monitors and logs all AWS and Snowflake access events, and retains logs in accordance with best practices and SOC 2. These logs are only accessible by authorized personnel, and are read-only to prevent tampering.
Simon uses a combination of AWS-native and third-party tools to capture access patterns from employees and services. These tools alert us on activity that doesn’t match our usage baselines, and constantly ingest data from threat feeds to alert on behavior consistent with contemporary tactics, techniques, and procedures. Such events notify the Security Team and are immediately investigated. If anomalous patterns cannot be associated with a known or benign action, our incident response process is triggered.
We respect the privacy rights of users and recognize the importance of protecting information collected about you and your customers. Read more about how we collect, use, and maintain personal information, as well as your choices regarding use, access, and correction of personal information. We are also GDPR and CCPA compliant.
All customer data we collect and store is protected at rest in stores encrypted by AES-256 keys that are provisioned on a per-customer basis. This ensures that even if other controls failed, no third party would be able to access your data.
All data in transit is carried over modern encryption protocols, including TLS 1.2 and SSHv2. No unencrypted protocols are ever used anywhere within the Simon Platform to transfer data. We monitor any potential violations of these configurations in real time via AWS-native and third-party security tools.
Certifications and Compliance
Simon Data is SOC 2 certified, and continuously monitors all associated controls to ensure we remain in compliance at all times. We are also compliant with GDPR and CCPA privacy standards.
All security policies are reviewed annually by the Security Team and Simon leadership to ensure they reflect our current risk and compliance profiles. Our SOC 2 Type 2 report and bridge letter can be shared with any prospects or customers that are under NDA.
Data Controller vs Data Processor
Simon Data is considered a data processor for data sent to and stored by us. We meet all GDPR and CCPA obligations as a data processor, and have a well-defined process for managing requests associated with both.
Want to learn more?
Email the Simon Security Team at firstname.lastname@example.org.