Security Incident Response Policy

1. Introduction


“SIMPLIO” LOCATED IN KEIZERSGRACHT 482 1017EG AMSTERDAM NETHERLANDS, IS WILLING TO GRANT ACCESS TO THE APPLICATION TO YOU AS THE COMPANY OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE APPLICATION (REFERENCED BELOW AS “MERCHANT”) ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS AGREEMENT (AS DEFINED BELOW). BY ENTERING INTO THIS AGREEMENT AS A MERCHANT, YOU REPRESENT THAT WE HAVE THE LEGAL AUTHORITY TO BIND YOU THE MERCHANT TO THIS AGREEMENT. MERCHANT AND SIMPLIO MAY EACH ALSO BE REFERRED TO AS A “PARTY” AND TOGETHER, THE “PARTIES”.

When this Security Incident Response Policy mentions Simplio or Simple Invoice or Simple Promotions and Upsells or Simple Order Printer or https://www.simplio.app or https://www.simpleinvoice.info, it refers to “we”, “us”, or “our”, and we will be acting as a Data Processor.

2. Policy Statement

The purpose of this policy is to clearly define Simplio roles and responsibilities for the investigation and response to computer security incidents and Data Breaches.

3. Applicability

This policy applies to information systems, regardless of ownership or location, used to store, process, transmit or access Simplio Data as well as all personnel including Security Incident Response Policy employees, and Merchants of the Application, those employed by contracted entities and others authorized to access Simplio assets and information resources.

4. Definitions

  • Computer Security Incident Response Team (CSIRT): A function of the Information Security Office responsible for receiving, reviewing, and coordinating the response to computer security incident reports and activity involving Simplio Data and/or Information Systems.
  • Data Breach: Unauthorized access, acquisition, use, or disclosure of Restricted Data. Data breach notifications are subject to regulatory requirements following a private investigation and risk assessment.
  • Incident: An event, whether electronic, physical, or social that adversely impacts the confidentiality, integrity, or availability of Simplio data or information systems; or a real or suspected action, inconsistent with Simplio Privacy or terms and conditions.
  • Information System: An individual or collection of computing and networking equipment and software used to perform a discrete business function.

5. Policy Specifics

  • The Computer Security Incident Response Team (CSIRT) detects and investigates security events to determine whether an incident has occurred, and the extent, cause, and damage of incidents.
  • The CSIRT directs the recovery, containment, and remediation of security incidents and may authorize and expedite changes to information systems necessary to do so. The CSIRT coordinates responses with external parties when existing agreements place responsibility for incident investigations on the external party.
  • During the conduct of security incident investigations, the CSIRT is authorized to monitor relevant Simplio IT resources and retrieve communications and other relevant records of specific users of the Simplio Application, including login session data and the content of individual communications without notice or further approval and in compliance with the Monitoring of IT Resources Policy.
  • Any external disclosure of information regarding information security incidents must be reviewed and approved by the Simplio CIO in consultation.
  • The CSIRT coordinates with law enforcement, government agencies, peer CSIRTs, and relevant Information Sharing and Analysis Centers (ISACs) in the identification and investigation of security incidents. The CSIRT is authorized to share external threat and incident information with these organizations that do not identify any member of the Simplio Application. 

6. Review and Adjudication

  • All members of the Simplio Application are responsible for promptly reporting any suspected or confirmed security incident involving Simplio Data or an associated information system, even if they have contributed in some way to the event or incident. Reports are to be made to the Simplio support department, helpdesk@simplio.app. Members of the Simplio Application must cooperate with incident investigations, and may not interfere, obstruct, prevent, retaliate against, or dissuade others from reporting an incident or cooperating with an investigation.
  • Information Security Administrators (ISAs) are responsible for unit procedures to train users to recognize and report information security incidents. 
  • Information Security Managers (ISMs) are responsible for responding to, and periodic reporting on, Low Severity security incidents according to procedures established by the Information Security Office. High Severity incidents reported to or discovered by ISMs are to be promptly reported to the Computer Security Incident Response Team (CSIRT).
  • The Computer Security Incident Response Team (CSIRT) is responsible for responding to High Severity incidents according to procedures established in the Simplio Computer Security Incident Response Plan.
  • The Chief Information Security Officer is responsible for staffing the CSIRT, and augmenting staff with subject matter experts and/or surge staffing as necessary.

7. Policy Violations

Failure to comply with this policy could result in disciplinary action for employees, up to and including termination. Merchants may have their Merchant membership terminated.

8. Compliance

Simplio policies are guided by mandatory compliance standards specified by governments and industry regulators. These standards outline how an organization should safeguard personally identifiable information and other sensitive data.

9. Support Services and Upgrades

To send us your questions, comments, or complaints or receive communications from us kindly email us; helpdesk@simplio.app

Last update: November, 2024