Security at Simplico
How we build, ship, and operate software that’s safe to put into production.
Security isn’t a checklist we run at the end — it shapes how we design, code, and operate every engagement. Below is what that means in practice.
Trust principles
Least privilege by default. Every service, every API key, every database role gets the narrowest scope that lets it do its job. We use RBAC, short-lived tokens, and row-level security wherever the data model justifies it.
Defense in depth. No single control sits between an attacker and your data. Network segmentation, app-layer authz, database scoping, and audit logging are designed as independent layers.
Observability is non-negotiable. Every system we ship comes with logs, traces, and metrics from day one. You can’t defend what you can’t see.
You own the artifacts. Source code lives in your Git hosting. Infrastructure runs in your cloud account. Runbooks, architecture docs, and threat models are handed over at the end of the engagement. There is no vendor lock-in: nothing in production is Simplico-controlled, so you can revoke our access at any time without losing anything.
Engineering practices
- Secure SDLC — design review and lightweight threat modeling for any flow that touches money, PII, or production data.
- Code review on every change — no direct pushes to protected branches.
- Dependency scanning in CI (Trivy / GitHub Advanced Security / Snyk depending on stack).
- Static analysis and linting enforced as required checks.
- Secrets scanning at commit; secrets live in a managed vault (AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault), never in source.
- Branch protection + signed commits where the host supports it.
- CI/CD-only production deploys. Engineers do not SSH into production to "fix one thing."
Data protection
- Encryption in transit — TLS 1.2+ on every network hop. Internal service-to-service traffic uses mTLS or VPC-private endpoints.
- Encryption at rest — cloud-native KMS (AWS KMS, GCP KMS, Azure Key Vault) for databases, object storage, and backups.
- PII classification — sensitive fields are tagged, with documented retention and deletion timelines.
- Multi-tenant isolation — per-tenant scoping enforced at both the API layer and the database layer (row-level security), so a missed filter in application code cannot expose another tenant's rows. We have shipped this pattern for B2B accounts with negotiated pricing; in 6+ months of production use it has produced no cross-tenant SKU or data leakage.
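The least-privilege and multi-tenant points above come together in a database-level tenant policy. The following is an added example written for this page, not Simplico's own schema or code: it shows the PostgreSQL row-level security pattern in which the API binds the authenticated tenant to the transaction and the database refuses to read or write any other tenant's rows. The table name `tenant_prices`, the role `app_rw`, the setting name `app.tenant_id`, and the sample UUIDs are assumptions.

```sql
-- Added example (not Simplico's code): per-tenant isolation in PostgreSQL
-- with row-level security. Table, role, setting name and UUIDs are assumed.

CREATE TABLE tenant_prices (
    id          bigserial       PRIMARY KEY,
    tenant_id   uuid            NOT NULL,
    sku         text            NOT NULL,
    unit_price  numeric(12, 2)  NOT NULL,
    UNIQUE (tenant_id, sku)
);

-- Least privilege: the application uses a narrow role that is not the
-- table owner. Superusers and roles with BYPASSRLS skip RLS entirely, so
-- the app must never connect as one of those.
CREATE ROLE app_rw NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON tenant_prices TO app_rw;
GRANT USAGE, SELECT ON SEQUENCE tenant_prices_id_seq TO app_rw;

ALTER TABLE tenant_prices ENABLE ROW LEVEL SECURITY;
ALTER TABLE tenant_prices FORCE ROW LEVEL SECURITY;   -- owner is not exempt

-- One policy covers reads (USING) and writes (WITH CHECK).
-- current_setting(name, true) returns NULL instead of raising when the
-- setting was never defined; NULLIF handles the '' left behind after a
-- reset. Either way an unbound request compares against NULL and sees
-- zero rows instead of every tenant's rows (fail closed).
CREATE POLICY tenant_isolation ON tenant_prices
    FOR ALL TO app_rw
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request, the API layer binds the tenant from the verified token.
-- SET LOCAL is scoped to the transaction, so a pooled connection cannot
-- carry the previous request's tenant into the next one.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO tenant_prices (tenant_id, sku, unit_price)
VALUES ('11111111-1111-1111-1111-111111111111', 'WIDGET-1', 9.99);
SELECT sku, unit_price FROM tenant_prices;   -- only tenant 1111...'s rows
COMMIT;

-- Isolation check a reviewer can run: writing a row for another tenant,
-- or omitting the WHERE clause, is blocked by the policy rather than by
-- the application's discipline.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO tenant_prices (tenant_id, sku, unit_price)
VALUES ('22222222-2222-2222-2222-222222222222', 'WIDGET-1', 5.00);
-- ERROR: new row violates row-level security policy for table "tenant_prices"
ROLLBACK;

-- Request that forgot to bind a tenant: no error, but no rows either.
SELECT count(*) FROM tenant_prices;          -- 0 when app.tenant_id is unset
```

Two caveats worth checking in a real deployment: RLS policies do not apply to `TRUNCATE` or to referential-integrity checks, so foreign keys to other tenants' rows still need application-side validation; and any migration or reporting role that legitimately needs cross-tenant access should be a separate role with its own audit trail rather than a `BYPASSRLS` grant on the application user.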
Infrastructure and operations
- Deployments target your AWS, GCP, Azure, or on-prem environment — never a Simplico-controlled cloud.
- Network segmentation with private subnets for data tiers; public exposure limited to load balancers and CDNs.
- Centralized observability — Grafana / CloudWatch / Datadog (your choice), with alerting wired to your on-call.
- Backups + restore drills. Backups that haven’t been restored are wishful thinking; we periodically test the restore path.
- Incident-ready runbooks for the common failure classes: degraded database, queue backlog, identity-provider outage, payment-gateway failover.
Compliance alignment
We design to align with the controls below. We don’t sell certification ourselves — for formal audits we partner with specialist firms.
- PCI-DSS scope minimization, via tokenized payment providers (Stripe, Omise, 2C2P). Card data does not enter your systems.
- GDPR / PDPA — data-subject rights (access, rectification, deletion), lawful basis tracking, and processor agreements.
- ISO 27001 — used as a structural reference for our internal controls.
- OWASP Top 10 / ASVS — the baseline for every web-facing system we ship.
Our own security products
Two of the platforms we sell are themselves security tools, built and operated by the same team that runs customer engagements:
- simpliSOC — open-source SOC stack for security monitoring, threat detection, and incident response.
- TAK Integration — cyber-physical common operational picture; we feed SOC detections and field sensors into a unified live map.
What we run for ourselves is what we ship to you.
Vulnerability disclosure
Found a security issue in something we built or operate? Email security@simplico.net with details (steps to reproduce, affected component, and your contact). We’ll acknowledge within 2 business days and keep you in the loop until it’s fixed.
We don’t run a paid bug-bounty program, but we credit researchers on request.
Please don’t:
- Run automated scans against production systems without prior coordination.
- Access, modify, or exfiltrate data beyond what’s needed to demonstrate the issue.
- Disclose publicly before we’ve had a reasonable chance to remediate.
Contact
- Security: security@simplico.net
- General inquiries: hello@simplico.net
- Phone / WhatsApp: +66-83-001-0222
- LINE: iiitum1984
