How we take care of your data

Account Security

Cimplico Workpapers enforces the use of two-factor authentication (2FA) for all accounts created in our system to prevent unauthorised account access. Users may choose to utilise SSO, such as Sign in with Xero, to authenticate to Cimplico Workpapers. In these cases we are unable to enforce 2FA and recommend you to enable this in your SSO provider’s platform.

As user data storage and authentication is of upmost importance to us, Cimplico Workpapers leverages Auth0, a best-in-breed authentication and user management service to assist with token management and user authentication. You can read more on Auth0’s security, privacy & compliance here.

Data Encryption

Cimplico Workpapers encrypts data in transit using SSL/TLS with RSA 2048 encryption. This ensures your information is safe in transit from the client → the API server. Data at rest is encrypted using AES-256 bit encryption.

Data Hosting

Our infrastructure is provided by Amazon Web Services (AWS), an industry-standard in hosting. All data is stored and backed up within AWS’ Sydney data centre. AWS is ISO27001 compliant and provides inbuilt, offsite backups, disaster recovery, multiple sites synchronisation and more to ensure the integrity of your data.

Like us, they treat security as a top priority. You can read about their superior visibility, control and permissions here.

Authentication

Using OAuth2, an industry-leading authentication standard, we generate short-lived “access” tokens to facilitate the communication between the client (your browser) and the API (our server). In the event of an account breach, short-lived tokens minimise the opportunity for malicious actions.

Cimplico Workpapers uses a role-based system to prevent users from performing unauthorised actions within the application. To be authorised to access a firm’s data, a user must either be an Admin or member of the firm.

Access & Permissions From Staff

Cimplico mandates the use of a password manager for all staff that enforces strong passwords.

Staff are only authorised to access data required to perform their duties.

Multi-factor authentication is enforced on all platforms that allow it.

On occasion, you may be required to grant our support staff access to your firm as part of Cimplico Workpaper’s onboarding service or for further support. This can only be granted by an administrator or manager of your firm. The support staff’s access can be removed at any time.

Logging

Cimplico Workpapers keeps logs of all suspicious and flagged activity for debugging, support, and threat-monitoring purposes.

Backups

Your data is continually backed up by AWS as part of their core service. AWS provides inbuilt offsite backups, disaster recovery, multiple sites sync and more. By default, we perform a daily backup and maintain the snapshot for 7 days.

In the event of a failure, the database can be fully recovered to the latest snapshot.

As we continue to innovate and add new features to Cimplico Workpapers, database changes may be required. Backups of the database are always initiated in the event of a database change and will be restored immediately in the event of a failure to minimise disruption to service.

Questions

If you have any questions related to security, please contact us.