Security questionnaire

Pre-filled vendor security questionnaire

Honest answers to the ~25 most common questions IT procurement teams ask before approving a SaaS vendor. Modelled on the CSA CAIQ Lite layout. Print or save as PDF and attach to your vendor file.

Last updated: May 2026 · Contact: hello@simpleams.co.uk

1. Governance, Risk and Compliance (GRC)

Do you have a documented information security policy?
Yes. Reviewed annually. Covers acceptable use, access control, change management and incident response.
Are you certified to SOC 2, ISO 27001 or similar?
Not currently. Both are on the roadmap (target: SOC 2 Type I within 12 months). The underlying hosting infrastructure (Hetzner Cloud) is ISO 27001 certified.
Do you comply with the EU GDPR?
Yes. We are registered as a data controller and act as a data processor for customer data. A pre-signed Data Processing Addendum is available at simpleams.co.uk/legal/dpa.
Do you maintain a public subprocessor list?
Yes, published at simpleams.co.uk/legal/subprocessors. Customers are notified before any new subprocessor is added.

2. Data Protection and Privacy

Where is customer data stored?
Application servers and primary databases run on Hetzner Cloud in Nuremberg, Germany (European Union). Backups remain in the EU.
Is customer data isolated between tenants?
Yes. Every customer gets a dedicated MariaDB database. There are no shared tables and no cross-tenant queries are possible at the application layer.
Is data encrypted in transit?
Yes. TLS 1.2 or higher on every request. HTTPS-only, HSTS enabled, modern cipher suites only.
Is data encrypted at rest?
Sensitive secrets (API keys, OAuth tokens, integration credentials) are encrypted at rest with Laravel's AES-256 encrypter, keyed by the application key (APP_KEY). Database files sit on encrypted disks. Passwords are bcrypt-hashed (cost 12).
Will customer data be used to train AI models?
No. The AI inventory assistant calls Anthropic's Claude API with prompts scoped to the asking tenant's data only. Anthropic does not train on API traffic by default and we do not opt in.
Can a customer export all their data?
Yes. A full ZIP export of all entities (assets, users, licenses, history, attachments) is available from Settings → Export at any time.
What is the data retention policy after account closure?
30 days. Tenants can request immediate deletion. Backups containing the data roll off the 30-day retention window.

3. Identity & Access Management (IAM)

Do you support SSO?
Yes. Google Workspace, SAML 2.0 (Okta, Azure AD, OneLogin, JumpCloud, Auth0) and LDAP/Active Directory.
Do you support SCIM provisioning?
Yes. SCIM 2.0 endpoints for auto-provisioning users from Okta and Azure AD.
Is multi-factor authentication available?
Yes. TOTP-based 2FA (Google Authenticator, 1Password, Authy etc.) for any tenant user. Customers may enforce 2FA for all admins.
Are passwords stored securely?
Passwords are never stored in plain text. Bcrypt with cost factor 12. No retrievable form.
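
The store/verify flow behind the answer above, written here as an added illustration in plain PHP (this is not the vendor's code; Laravel's Hash facade with the bcrypt driver wraps the same password_hash/password_verify calls). The cost constant, the sample passwords and the decision to reject input longer than bcrypt's 72-byte limit are assumptions for the demo; the transparent cost upgrade on login is the part a practitioner usually wants to see, because it is what lets the cost factor be raised later without a mass reset.

```php
<?php
declare(strict_types=1);

// Added example, not the vendor's code. Demonstrates bcrypt storage at the
// cost the questionnaire quotes (12) plus the transparent cost upgrade on login.
const BCRYPT_COST = 12; // assumption: the cost factor stated in the answer

function expect(bool $cond, string $msg): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $msg");
    }
}

// Hash for storage. password_hash generates a random salt and embeds both the
// salt and the cost in the result ("$2y$12$..."), so nothing retrievable is kept.
function hashForStorage(string $plain): string
{
    // bcrypt only reads the first 72 bytes; this demo rejects longer input
    // rather than silently truncating it (a design choice, not the page's claim).
    expect(strlen($plain) <= 72, 'password longer than bcrypt 72-byte limit');
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Verify a login. On success, rehash if the stored hash predates the current
// cost policy; the caller persists the updated $storedHash.
function verifyLogin(string $plain, string &$storedHash): bool
{
    if (!password_verify($plain, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $storedHash = hashForStorage($plain);
    }
    return true;
}

// Constructed demo data.
$hash = hashForStorage('correct horse battery staple');
expect(str_starts_with($hash, '$2y$12$'), 'new hashes use cost 12');
expect(verifyLogin('correct horse battery staple', $hash), 'correct password accepted');
expect(!verifyLogin('wrong password', $hash), 'wrong password rejected');

// A hash created under an older, weaker policy (cost 10) is accepted once and
// then upgraded to cost 12 as a side effect of the successful login.
$legacy = password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 10]);
expect(str_starts_with($legacy, '$2y$10$'), 'legacy hash is cost 10');
expect(verifyLogin('hunter2', $legacy), 'legacy password accepted');
expect(str_starts_with($legacy, '$2y$12$'), 'legacy hash upgraded to cost 12');

echo "all password checks passed\n";
```

Run with `php bcrypt_demo.php`. When reviewing a vendor's answer to this question, the two things worth asking for are the cost-upgrade path shown above and confirmation that the verify call is constant-time (password_verify is).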
Are login attempts rate-limited?
Yes. Login, register, password reset and 2FA challenge are all throttled per IP + identifier.
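
What "throttled per IP + identifier" looks like in Laravel, as an added configuration example (not the vendor's code). It belongs in a service provider's boot() method (AppServiceProvider in Laravel 11, the configureRateLimiting() hook of RouteServiceProvider in earlier releases) and is applied to a route with the throttle middleware. The limiter names, the attempt counts and the email field name are assumptions; the weak IP-only limiter is included only to show what the combined key fixes.

```php
<?php
// Added example, not the vendor's code: Laravel rate limiters for the login
// route. Limiter names, thresholds and the "email" field name are assumptions.

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Str;

// Weak: keyed on the client IP only. Everyone behind one office NAT shares the
// bucket (easy to lock a whole customer out), and an attacker rotating
// addresses gets a fresh bucket per address.
RateLimiter::for('login-by-ip-only', function (Request $request) {
    return Limit::perMinute(5)->by($request->ip());
});

// Preferred: key on IP *and* the submitted identifier. Normalise the
// identifier so "Alice@Example.com" and "alice@example.com" share a bucket.
RateLimiter::for('login', function (Request $request) {
    $identifier = Str::lower(trim((string) $request->input('email', '')));

    return Limit::perMinute(5)
        ->by($identifier . '|' . $request->ip())
        ->response(function (Request $request, array $headers) {
            // Generic message: do not reveal whether the account exists.
            return response('Too many attempts, try again shortly.', 429, $headers);
        });
});

// In routes/web.php: the named limiter is attached with the throttle middleware.
Route::post('/login', [LoginController::class, 'store'])->middleware('throttle:login');
```

The same pattern applies to the register, password-reset and 2FA-challenge routes the answer lists; each gets its own named limiter so a burst on one does not consume the budget of another. Note that a combined ip|identifier key alone does not bound attempts against a single account from many addresses; a second, looser limiter keyed on the identifier only is the usual companion.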
Is there role-based access control?
Yes. Per-tenant roles (super admin, admin, member, viewer) with granular permissions for assets, licenses, integrations, settings and billing.

4. Application & Infrastructure Security

How is the application protected against CSRF?
Every state-changing route (POST/PUT/PATCH/DELETE) requires a synchronizer token tied to the session. Validated by Laravel's built-in CSRF middleware.
How is the application protected against XSS?
Blade's {{ }} echo syntax HTML-escapes output by default; only the explicit {!! !!} form emits raw HTML. User-generated HTML (rich text fields) is sanitised through an HTML purifier before storage and display.
How are SQL injection risks managed?
All database access goes through Laravel's Eloquent ORM and query builder, which send values as bound parameters (PDO prepared statements) rather than interpolating them into the SQL text. No user input is concatenated into raw SQL.
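
An added illustration (not the vendor's code) of the distinction the answer above rests on: a bound parameter, which is what Eloquent and the query builder send, versus user input concatenated into the SQL string. It runs stand-alone against an in-memory SQLite database through PDO; the assets table, its rows and the injection payload are constructed for the demo. The concatenated form is exactly what a stray DB::raw() or whereRaw() with an interpolated value would reintroduce in a Laravel code base, so that is the pattern a code review should search for.

```php
<?php
declare(strict_types=1);

// Added example, not the vendor's code. Shows why a bound parameter is
// structurally different from concatenating user input into SQL text.
// Runs against in-memory SQLite via PDO; all data below is constructed.

function expect(bool $cond, string $msg): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $msg");
    }
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE assets (id INTEGER PRIMARY KEY, tag TEXT NOT NULL, owner TEXT NOT NULL)');

// Constructed rows standing in for one tenant's asset register.
$seed = $pdo->prepare('INSERT INTO assets (tag, owner) VALUES (?, ?)');
foreach ([['LAP-001', 'alice'], ['LAP-002', 'bob'], ["O'Brien's monitor", 'carol']] as $row) {
    $seed->execute($row);
}

// VULNERABLE: the input becomes part of the SQL text. A quote in the input
// closes the literal and whatever follows is parsed as SQL.
function findByTagUnsafe(PDO $pdo, string $tag): array
{
    $sql = "SELECT tag FROM assets WHERE tag = '" . $tag . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// SAFE: the statement is compiled with a placeholder and the value is sent
// separately, so the input can only ever be compared as data.
function findByTagSafe(PDO $pdo, string $tag): array
{
    $stmt = $pdo->prepare('SELECT tag FROM assets WHERE tag = ?');
    $stmt->execute([$tag]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 1. Classic tautology payload (constructed attacker input). The unsafe query
//    becomes: SELECT tag FROM assets WHERE tag = '' OR '1'='1'
$payload = "' OR '1'='1";
expect(count(findByTagUnsafe($pdo, $payload)) === 3, 'unsafe query leaks every row');
expect(count(findByTagSafe($pdo, $payload)) === 0, 'bound query matches nothing');

// 2. Legitimate data containing quotes: the unsafe query is now a syntax error
//    (surfaces as PDOException), while the bound query simply works.
$legit = "O'Brien's monitor";
$unsafeFailed = false;
try {
    findByTagUnsafe($pdo, $legit);
} catch (PDOException $e) {
    $unsafeFailed = true;
}
expect($unsafeFailed, 'unsafe query breaks on an embedded quote');
expect(findByTagSafe($pdo, $legit) === [$legit], 'bound query handles embedded quotes');

echo "all injection checks passed\n";
```

Run with `php sqli_demo.php` (requires the pdo_sqlite extension). The second case is the one to remember when a vendor says "we escape input": binding handles legitimate quotes and attacker quotes identically, because the value never touches the parser.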
Are dependencies scanned for vulnerabilities?
Yes. GitHub Dependabot checks Composer and npm dependencies against the GitHub Advisory Database. Critical patches are applied within 7 days.
Do you log access and changes?
Yes. Per-tenant activity log records every create, update, delete, checkout, login and integration sync with actor, IP and timestamp. Available to admins under Insights → Activity and exportable.

5. Business Continuity & Disaster Recovery

How often are backups taken?
Hetzner takes a daily backup of the entire application server (databases, files, configuration). Retention is per the Hetzner Backups policy attached to our server plan.
What is the recovery point objective (RPO)?
24 hours (daily backups). Tenants on the Business plan can request a more frequent database dump cadence.
What is the recovery time objective (RTO)?
Best-effort: under 4 hours for a single-tenant restore, under 24 hours for a region-wide event.
Is the service status published?
Uptime is monitored externally. Customers are notified by email about scheduled maintenance and any incident affecting availability.

6. Incident Response & Vulnerability Management

Is there a documented incident response plan?
Yes. Detect → triage → contain → notify affected tenants → remediate → post-mortem. Affected tenants are notified of a personal-data breach within 72 hours of our becoming aware of it, and sooner where possible: under GDPR Article 33 the 72-hour deadline is the controller's (our customer's) deadline for notifying the supervisory authority, and Article 33(2) requires us, as processor, to notify the controller without undue delay so that deadline can be met.
How can researchers report vulnerabilities?
Email security@simpleams.co.uk. We acknowledge within 48 hours and credit reporters in our security advisory page.
Has there been a security breach in the past 24 months?
No.

Something not covered here?

We are happy to fill in your team's own questionnaire (CAIQ full, SIG Lite, custom). Typical turnaround is 48 hours.

Email security@