Compliance Statement

Simptel shall implement and maintain appropriate technical and organizational measures designed to protect Customer Data against unauthorized or unlawful processing, loss, destruction, damage, alteration, or disclosure. Such measures shall be aligned with industry standards and applicable laws and regulations.

Simptel’s information security program is based on an established Information Security Management System (ISMS) and is aligned with recognized frameworks and standards, including but not limited to ISO 27001:2022, SOC 2 Type II, and the General Data Protection Regulation (GDPR). Simptel shall maintain these controls and conduct periodic reviews, including independent third-party assessments where applicable.

Simptel employs industry-standard security practices, including but not limited to:

• Encryption of data in transit and at rest using strong, industry-accepted cryptographic standards;

• Strict access controls based on the principle of least privilege, including a no standing access approach, where elevated access is granted only when necessary, time-bound, and subject to approval and monitoring;

• Comprehensive insider risk management measures, including monitoring, logging, and controls designed to detect and prevent unauthorized or inappropriate access or use of systems and data;

• Network protection measures, including firewalls, traffic filtering, and denial-of-service mitigation controls;

• Continuous security monitoring and vulnerability management processes;

• Regular security testing and independent security assessments.

Simptel shall follow secure software development lifecycle (SSDLC) practices, including documented change management procedures, testing in non-production environments, and controlled deployment processes. Infrastructure changes shall be managed using infrastructure-as-code methodologies where applicable.

Simptel shall maintain business continuity and disaster recovery capabilities, including regular data backups and periodic testing of recovery procedures.

Simptel shall ensure that its personnel receive appropriate security awareness training and that access to systems and data is limited to authorized individuals with a legitimate business need.

Simptel may update its security measures from time to time, provided that such updates do not materially decrease the overall level of security of the Services.