Legal

Security Statement

We work hard to keep all our legal mumbo jumbo as simple as possible, but we still have to have it.


This Statement should be read in conjunction with SimplePay’s Terms of Service, Privacy Policy and PDPA Page.

SimplePay protects you against the unauthorised access, use and disclosure of your information, both in transit when you access your information, and at rest in our server. Our adopted measures meet and often exceed the requirements laid out in the relevant data protection legislation. Some of our key controls are detailed below:

Protection of Data in Transit

Data transferred between your browser and SimplePay’s servers is encrypted and secured by SSL certificates – the same protocol used by your internet banking – so that no-one can eavesdrop on your communications.

Protection of Data at Rest

SimplePay’s servers are stored in a data centre in Ireland, hosted by Amazon Web Services (AWS). Access to the buildings, data floors and individual areas is strictly controlled by means of individually programmed access cards – using biometrics and visual identification – ensuring secure, single-person entry.

High Security Standards

SimplePay’s inward and outward facing infrastructures are secure by design. We follow the Open Web Association Security Project (OWASP) guidelines and verify that they have been followed before making changes to our system. Role based access controls are in place to limit the amount of information any one member of our team has access to and all activity on privileged accounts is logged.

Our system is constantly being developed to protect your data from common attacks, such as cross-site scripting (XSS) and SQL injection. The processes we use have been designed with security at their heart and we continue to look for ways to update and improve them.

SimplePay reviews the security measures of our service providers before contracting with them, ensuring that they are not a weak link in terms of our security. The AWS data centre has effective technical and organisational measures in place to ensure the protection of all information assets across their global operations. Meeting the stringent international security and compliance standards has led to them receiving internationally recognised certifications and accreditations, such as ISO 27001 for technical measures, ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1, and EU-specific certifications such as BSI’s Common Cloud Computing Controls Catalogue (C5).

Availability and Confidentiality

SimplePay’s database runs in multi-AZ (Availability Zone) mode, meaning that in the unlikely event that a data centre goes down, there is automatic failover onto a backup AZ. This is possible due to our information being instantaneously backed up to a secondary location. Our critical infrastructure has alerts in place for unsatisfactory performance and is also monitored manually by our team to maintain service.

Your password’s confidentiality is preserved by storing them via a one way hash function on our database. This means that even if an unauthorised person were able to access SimplePay’s server, this information is still protected.

Two Factor Authentication

To verify the identity of the user who is logging in, SimplePay offers a two factor authentication system, whereby logging in and performing certain actions requires a newly generated verification code. This means that even if your password were to be compromised, an unauthorised user would still be barred from accessing your account.

Personal Data Breach Process

In the unlikely event of a data breach, SimplePay will contact all affected parties in accordance with our data breach process. This process is formulated to meet the strictest data protection requirements of our operational regions.