Trust & security
How smpl handles your employees' data, who we share it with, and what we do to keep it safe.
Data residency
The smpl application and primary database run in London, UK (Fly.io lhr region). Database backups stay in-region. Some sub-processors (listed below) operate outside the UK — see the table for details.
Compliance posture
- UK GDPR / EU GDPR — smpl acts as Processor; the Customer is Controller. You accept a click-through DPA at signup and can download the signed copy from /admin/billing once your workspace is active.
- Standard Contractual Clauses — included in the DPA for sub-processors operating outside the UK/EEA.
Sub-processors
These providers help us deliver the smpl platform. We announce additions 30 days in advance; existing customers can object per the terms of the DPA.
| Provider | Purpose | Region |
|---|---|---|
| Stripe | Payment processing | Global |
| Fly.io | Application hosting and database | London (lhr) |
| Tigris | Document storage and exports | Global (S3-compatible) |
| Resend | Transactional email delivery | United States |
| Anthropic | CV parsing (optional, opt-in) | United States |
Security posture
- In transit — every connection uses HTTPS. HSTS is enforced with preload and a two-year expiry, including subdomains.
- At rest — database and backup volumes are encrypted. Particularly sensitive identifiers (like national insurance / social security numbers) get an extra layer of application-level encryption so they stay unreadable even to operators with database access.
- Access — every user has a role (super admin, HR partner, manager, or individual contributor). HR permissions can be further scoped to specific departments. Sessions expire after 14 days, or sooner if idle for 72 hours.
- Audit trail — every edit to an employee profile is logged with who made the change, what changed, and when. Admins can review the history from the employee profile page.
- Pen-test — we commission a third-party AI penetration test every quarter and act on any findings before publishing the next release.
Retention & deletion
If you cancel, we keep your data for 90 days so you can reactivate or export it. After 90 days the data is permanently deleted and the subdomain is released. You can export your workspace at any time while it's active from the billing dashboard.
For subject access requests (DSARs), email trust@smpl-ppl.com and we'll respond within the statutory 30-day window.
Contact
One inbox for security reports, privacy questions, and procurement: trust@smpl-ppl.com. PGP key available on request.