Simple KYC recognizes the importance of adhering to regulatory and industry standards. Independent third-party auditors have granted a formal certification, attestation, or audit report based on an assessment that affirms our compliance with these offerings.

ISO/IEC 27001:2013

Simple KYC is ISO 27001:2013 certified. This is a security management standard that specifies security management best practices and comprehensive security controls. Simple KYC has implemented an Information Security Management System (ISMS) which incorporates Information Security Governance as well as Information System Security for Technical Controls related to compliance to the requirements set out by ISO 27001 Standard.

System and Organization Controls (SOC) 2

Simple KYC is SOC2 Type 1 certified, issued by an independent third-party assessor who validates the controls and processes Simple KYC has implemented and generates a report. The purpose of this report is to evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality, and privacy.

Data Security

Simple KYC understands that while the free flow of information is important it must be balanced against the privacy interests of individuals and businesses. Stringent privacy principles are applied to ensure that the privacy interests of individuals and businesses are respected. Where information relates to individuals, those principles embody the privacy principles and the other applicable provisions of the Privacy Act.

Infrastructure Security

Web application hosting and infrastructure for the delivery of the SKYC applications and service is provided by Microsoft Azure, which is independently audited and certified for ISO 27001 and SOC 2, and is designed to provide protections against any level of DDoS attacks.

Simple KYC subscribes to Vuls, Filebeat, Xsurflog, and Microsoft Defender for patching updates and security alerts. All systems are fast scanned daily. Deep scans are performed on a weekly basis. Vuls is used for scanning the systems. All patches are applied appropriately based on the severity of the find. Critical patches are applied within 24hrs. High severity patches are applied within the week and medium to lows within the month.

Simple KYC uses Microsoft managed MySQL databases for customer data. For file storage we use NetApp which uses FIPS 140-2 validated cryptographic module with an external key manager and AES-256 cipher for encryption.
All access to Simple KYC servers and apps is via HTTPS TLS 1.2+. Each customer instance is split across several machines for load balancing.

SonarQube is used for statically checking the code against OWASP rules.

Simple KYC has penetration tests and vulnerability scans conducted by an independent/third party, Vertex Cyber Security, at least annually.

Logs are retained for a period of 7 years in line with the Australian Government’s - Australian Signals Directorate, Australian Cyber Security Centre policy. Logs are protected and monitored using Kibana, Prometheus and Grafana.

The infrastructure is designed with a strong focus on security. It is divided into separate subscriptions and VLANs, with firewalls in place to control external access. By default, all ports and connections are closed, ensuring that only authorized access is permitted. Database access is limited to authorized internal staff only.

Least privilege principle is maintained for all staff access. External users are not provided any access to internal resources.
Development, Test and Production environments are separate and access to production environments is limited and no direct access from outside the network.

The security hardening guidelines align with NIST which is reviewed at least every 6 months.

Organizational Security

Simple KYC performs criminal background checks (where legally permitted and where appropriate) for all employees as well as additional checks which may include education, previous employment verifications, and credit checks.

All employees and contractors must sign agreements covering nondisclosure (confidentiality) and acceptable use, where applicable, in accordance with Human Resources policies.

Every employee and contractor must complete Simple KYC provided information security awareness training at the time of hire and monthly thereafter for a series of cybersecurity fundamentals topics as subscribed in the training pack with Vertex Cyber Security. SKYC's developers receive annual secure code training from Vertex, which includes talking about input filtering.

Simple KYC has approved security policies and procedures, and all employees must adhere to them. Management also ensures that security policies are accessible to all employees and contractors.Access is to be provided to information and systems for the employees of Simple KYC and third-party personnel according to the principle of least privilege and on a need-to-use basis.

All access rights are to be reviewed annually or on an ad-hoc basis to ensure there are no unnecessary user accounts as well as to ensure access privileges are in accordance with the business requirement. Access is removed from terminated employees within one business day.

All passphrases must have at least twelve (12) characters. All keys used are to be at least 256-bit RSA keys.All workstations are to be configured with a session or screen lock which activates either after a maximum of 5 minutes of user inactivity or if manually activated by the user.

Staff laptops and VDI are supported and managed by OzeIT.

Where confidential information is stored or transmitted, it will be encrypted or otherwise appropriately protected with compensating controls aimed at protecting the confidentiality of the data.

Simple KYC will only introduce systems that have undergone a secure development process that adheres to Microsoft Security Development Lifecycle guidelines. To ensure that all new projects and revisions or reviews of existing projects or systems are designed to withstand potential attacks from bad actors, Simple KYC follows industry best practice and utilize Microsoft STRIDE as their guiding process/tool. This includes applying it to infrastructure and access under Simple KYC's control.

Simple KYC has a defined risk management policy and framework to ensure that organisational capabilities and resources are employed in an efficient and effective manner to manage both opportunities and threats. The Framework is based on the Global Risk Standard ISO 31000:2009 Risk Management – Principles and Guidelines.

Formal risk reviews are conducted at least annually. The results are then reported to the members of the Senior Management team and Board as required.

Simple KYC has implemented a Backup and Recovery policy that describes the data to be protected, the frequency for backups and retention levels required by Simple KYC to meet its business requirements.

Simple KYC has implemented a Business Continuity and Disaster Recovery policy which identifies vulnerabilities and recommends necessary measures to prevent and or minimize impact to operations. All disaster recovery and business continuity plans will be developed to include appropriate information security controls during all plan cycles and include plans to ensure continuation of security controls.

Simple KYC has also implemented an Incident Response plan to articulate how cybersecurity incidents within Simple KYC are detected, responded to, reported, and investigated.

The Simple KYC CTO ensures that appropriate relationships and contact points are maintained with appropriate security groups, forums, and associations.

The Help Center is our online platform where customers can get assistance and report issues related to the services. On this platform, you can submit a request for help or report any vulnerabilities or suggestions for improvement. Alternatively, you can send an email to support@simplekyc.com which is specifically designated to receive support requests and feedback.