Last updated on January 15, 2026
SimpleSet is committed to protecting the confidentiality and integrity of electronic protected health information (ePHI). Our infrastructure and policies are designed to exceed industry standards for PIPEDA (Canada), HIPAA (USA), and GDPR (Europe).
Before looking at our technical infrastructure, we validate our security through rigorous external assessments:
SOC2 Type II Attestation: SimpleSet has undergone a third-party audit and attained a SOC2 Type II attestation. This confirms the ongoing effectiveness of our security controls over an extended period.
Independent Penetration Testing: SimpleSet undergoes annual third-party penetration testing. Results from these expert assessments are used to set our highest mitigation and remediation priorities.

We host our services on Amazon Web Services (AWS) within the Canadian Region, ensuring data residency for our Canadian users.
Physical Security: AWS data centers employ layered security models. SimpleSet personnel never have physical access to servers or storage.
Logical Access: Infrastructure access is restricted to authorized operations team members via Two-Factor Authentication (2FA), and infrastructure is segregated into Virtual Private Clouds (VPCs).
Threat Detection: We use AWS GuardDuty for real-time intrusion detection, using both signature-based and algorithmic security to block attacks.
AWS Audits: AWS maintains HITRUST, ISO 27001, and SOC2 certifications. SimpleSet performs yearly reviews of these vendor certifications to ensure continued compliance.
Your data is protected throughout its entire lifecycle—whether it is sitting on our servers or traveling to your device.
Encryption: All data is encrypted at rest using the AWS Key Management Service and in transit via HTTPS (TLS).
Retention & Deletion: Data is stored for the duration of your subscription. Upon cancellation, data is permanently deleted after 12 months, and backups are expunged 30 days later.
Disaster Recovery: Encrypted backups are performed daily. To cover a region-wide disaster, we maintain a redundant Disaster Recovery Plan within Canada.
SimpleSet provides administrators with the tools needed to enforce their own internal security policies.
Multi-Factor Authentication (MFA): Managers can monitor user adoption or enforce MFA for the entire organization to prevent unauthorized access.
Audit Logging: Access a chronological history of all user actions—including ePHI views and edits—stamped with time and IP addresses.
Session Control: Customize automatic log-off settings to align with your clinic's specific security requirements.
Security is integrated into our company culture and software development process.
Secure Development: We practice continuous delivery with mandatory code reviews and automated error tracking to identify and eradicate vulnerabilities quickly.
Vetted Team: All staff undergo background checks and participate in mandatory annual security and privacy training.
Device Management: All staff workstations are encrypted and protected with anti-malware software.
Incident Response: We follow the industry-standard SANS framework. If a data breach is identified, we notify affected customers as soon as possible via email.
For further details, please review our legal documentation: