Security Practices

Effective: April 7, 2025

We take the security of your data very seriously at 5 Dynamics. As transparency is one of the principles on which our company is built, we aim to be as clear and open as we can about the way we handle security.

If you have additional questions regarding security, we are happy to answer them. Please write to dpo@simpli5.com and we will respond as quickly as we can.

Overview

Our security program is built on industry standards such as ISO 27001, NIST, and OWASP. It includes technical, organizational, and procedural safeguards to protect customer data and ensure platform integrity—especially in the context of AI-based features.

Confidentiality

We place strict controls over our employees’ access to the data you and your users make available via the Simpli5 platform, as more specifically defined in your agreement with 5 Dynamics covering the use of the Simpli5 platform (“Customer Data”), and are committed to ensuring that Customer Data is not seen by anyone who should not have access to it. The operation of the Simpli5 platform requires that some employees have access to the systems which store and process Customer Data. For example, in order to diagnose a problem you are having with the Simpli5 platform, we may need to access your Customer Data. These employees are prohibited from using these permissions to view Customer Data unless it is necessary to do so. We have technical controls and audit policies in place to ensure that any access to Customer Data is logged.

All our employees and contract personnel are bound to our policies regarding Customer Data and we treat these issues as matters of the highest importance within our company.

Personnel Practices

5 Dynamics conducts background checks on all employees before employment, and employees receive privacy and security training during onboarding as well as on an ongoing basis. All employees are required to read and sign our comprehensive information security policy covering the security, availability, and confidentiality of the Simpli5 platform.

Compliance

The following security-related audits and certifications are applicable to the Simpli5 platform:

PCI: 5 Dynamics is not currently a PCI-certified Service Provider. We are a PCI Level 4 Merchant and have completed the Payment Card Industry Data Security Standard’s SAQ-A, allowing us to use a third party to process your credit card information securely.

The environment that hosts the Simpli5 platform maintains multiple certifications for its data centers, including ISO 27001 compliance, PCI Certification, and SOC reports. For more information about their certification and compliance, please visit the AWS Security website and the AWS Compliance website.

Security Features for Team Members & Administrators

In addition to the work we do at the infrastructure level, we provide Team Administrators of the Simpli5 platform with additional tools to enable their own users to protect their Customer Data.

Data Security

Data Encryption

  • All data in transit is encrypted using TLS 1.2+.
  • All data at rest is encrypted using AES-256.
  • Secrets, tokens, and credentials are encrypted and securely stored.

Access Controls

  • Role-Based Access Control (RBAC) and the principle of least privilege (PoLP) are strictly enforced.
  • Multi-Factor Authentication (MFA) is required for all administrative access.
  • Regular audits of access rights are conducted.

Data Segmentation & Isolation

  • Customer data is logically isolated in multi-tenant environments.
  • Strict boundaries are maintained between environments (e.g., development, staging, production).

Application Security

Secure Development Practices

  • Code is reviewed through automated and manual security checks.
  • Developers receive secure coding training and follow OWASP Top 10 guidelines.
  • Infrastructure-as-Code (IaC) is used to maintain consistent and auditable environments.

Vulnerability Management

  • Regular dynamic and static code scans (DAST/SAST).
  • Periodic penetration testing by third parties.
  • CVEs are tracked and patched according to severity.

AI-Specific Security Considerations

Responsible AI Use

  • AI models are evaluated for security, robustness, and fairness before deployment.
  • AI features are designed with human-in-the-loop or override options when appropriate.
  • Models do not train on customer-specific data unless explicitly authorized.

Model and Prompt Security

  • Input validation and sanitization help protect models from prompt injection and adversarial inputs.
  • Output monitoring is implemented to detect and suppress unsafe, biased, or sensitive content.
  • Rate limiting and abuse detection systems protect public and customer-facing AI endpoints.

Infrastructure & Cloud Security

Cloud Provider

  • Our platform is hosted on Amazon Web Services, leveraging their built-in security features.
  • We follow best practices in network segmentation, firewall configuration, and identity federation.

Monitoring & Logging

  • Continuous monitoring of system events, anomalies, and security logs.
  • Centralized logging using secure, tamper-resistant storage.
  • Alerting systems flag suspicious behavior in real time.

Privacy & Compliance

Data Privacy

  • We comply with major data protection laws, including GDPR and CCPA.
  • Our Privacy Policy outlines how customer data, including AI-generated output, is collected, used, and retained.

Third-Party Vendor Security

  • Vendors undergo security assessments before integration.
  • Data processing agreements (DPAs) are maintained for vendors with data access.

Incident Response

  • A dedicated Incident Response Team (IRT) follows a documented plan covering detection, containment, and recovery.
  • Incidents are logged and investigated promptly.
  • Customers are notified of breaches in accordance with legal obligations and SLAs.

Business Continuity & Disaster Recovery

  • Daily backups with automated recovery tests.
  • High availability architecture with regional failover support.
  • Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are clearly defined.

Deletion of Customer Data

Simpli5 provides the option for organization administrators to delete Customer Data at any time during a subscription term. When a user connection is removed from an organization, their data is no longer visible to the organization. If that user is not a member of any other organization, Simpli5 hard deletes all information from currently-running production systems (excluding search terms embedded in URLs in web server access logs). Simpli5 platform backups are destroyed within 30 days.

Network Protection

In addition to sophisticated system monitoring and logging, we have implemented two-factor authentication for all server access across our production environment. Firewalls are configured according to industry best practices, and unnecessary ports are blocked through AWS Security Group configuration.

Host Management

We perform automated vulnerability scans on our production hosts and remediate any findings that present a risk to our environment. We enforce screen lockouts and the use of full disk encryption on company laptops.

Product Security Practices

New features, functionality, and design changes go through a security review process facilitated by the security team. In addition, our code is audited with automated static analysis software, tested, and manually peer-reviewed prior to being deployed to production. The security team works closely with development teams to resolve any additional security concerns that may arise during development.