Security & Trust

Secure Development

We develop and maintain our system following SDL (Secure Development Lifecycle) principle and security testing is conducted for any changes or new developments, with separate environments for development, testing, and production. In all our operations, we have adopted secure system engineering principles, such as security by design, code review, and static application security testing.

Data Security

We enforce strict internal access control, granting data access only to individuals with necessary permissions and role-based rights aligned with functional responsibilities, following "need-to-know" and "need-to-use" principles. These rights are reviewed regularly.

We perform backups regularly, perform tests storing data in secure servers using encrypted data transfer in different locations, to prevent any data loss or corruption, as well as ensure viability in the event of an incident.

Encryption at rest and in transit: We use advanced encryption technologies and all our external communication is supported via encrypted channels secured with standard protocols (up to TLS 1.3 with AES-128 / AES-256 encryption) and depending on compatibility circumstances. With our SOAP with Encryption feature, sensitive information (SOAP comments and medical history) may be encrypted when at rest (RSA-4096).

Corporate Security Controls

We conduct internal and external audits to ensure compliance and efficiency of our internal policies and procedures, as well as vulnerability assessments.

Our Business Continuity and Disaster Recovery Plan is reviewed annually and established actions plans are tested at least annually to ensure readiness, in line with our comprehensive incident response policy and procedure.

Our human resources procedures ensure that we perform background checks before hiring an individual, we conclude a Non-Disclosure and Confidentiality Agreement and where needed a Data Processing Agreement.

We have information security and privacy awareness and training initiatives in place, focused on the protection of personal data, privacy and security and addressed to all employees.

We perform regular Vulnerability Assessment and Penetration test campaigns and address related remediations/mitigations according to vulnerabilities criticalities and priorities.

Compliance

We align our security practices with applicable standards, laws, and regulations, as well as the requirements of our ISO 27001 certification, which adheres to the latest ISO/IEC 27001:2022 standard. Find out more on our dedicated page for our certification or contact our securityofficer@simplybook.me.

For the protection of personal data, we have rigorously enforced applicable privacy and data protection practices in all our operations, as described in our GDPR Compliance Statement and Privacy Policy. You can contact us to find more information at dpo@simplybook.me.

As part of our legal responsibilities under the HIPAA Rules, we identify risk areas, develop policies and procedures, conclude Business Associate Agreement, train our staff and ensure that PHI are always protected. If you are interested you can request a copy of our HIPAA Compliance Policy by contacting us at legal@simplybook.me.

We do not process, store or transmit any credit card information during our business interactions and when using our SBPay me solution. All your payments are all processed by external and secure PCI DSS compliant payment service providers.

If you have specific questions, please contact our legal@simplybook.me.