Simpliflo Trust Centre

Welcome to the Simpliflo Trust Centre. We take data privacy and security seriously, and these principles guide every part of our business. Here, you can explore our security practices that demonstrate our commitment to protecting your data.

Our approach

We collect the minimum data needed to run the product. We keep environments isolated. Payments take place on Stripe hosted pages, so card details never touch Simpliflo.

What we do to keep data safe

Data minimisation and isolation

  • We store only what is needed to provide the service.
  • Development, Staging, and Production are fully separated with distinct keys and webhooks.
  • Tenant data in Postgres is protected with row level security.

Secure transport and headers

  • All traffic uses HTTPS.
  • We set strict security headers on the Website and the Portal. This includes a Content Security Policy with nonces, HSTS with includeSubDomains and preload, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, and a minimal Permissions-Policy.
  • Session cookies are HttpOnly, Secure, and SameSite Lax.

Sign in and access

  • Passwordless sign in uses single use magic links with a time to live of fifteen minutes or less. Tokens are stored hashed, or as JTIs with used and expired states.
  • Step up authentication is required for sensitive actions such as plan changes and GDPR delete.
  • Role based access control covers Owner, Accountant, and Member roles.
  • Support access is least privilege and time limited.

Payments and accounting

  • WhatsApp reminders open Stripe hosted invoice pages by default. Pro users can enable Quick Pay creation in Settings.
  • Stripe Connect uses OAuth. When you enable Quick Pay, Simpliflo acts on your connected Stripe account to create pay links, subject to the account permissions.
  • Simpliflo never collects or stores card numbers. Stripe handles payments and receipts.
  • We post to Xero or QuickBooks using first party APIs. We attach a payout proof file and verify the attachment by read back.

Webhook integrity and idempotency

  • Stripe and WhatsApp webhooks are signature verified.
  • Webhook secrets are rotated. During rotation we accept the current and the next secret for a short period and we record which secret validated each event.
  • Every accounting entry carries a durable external reference, for example stripe_bt:{id}. We also keep unique keys per tenant to prevent duplicates and to support safe replay.
  • Corrections are done by reverse and repost. We do not overwrite posted entries.
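The rotation and idempotency points above, as an added illustration that is not Simpliflo's own code: it assumes a provider that signs with Stripe's documented header format (HMAC-SHA256 over "timestamp.body", sent as "t=...,v1=..."), constructed secret values labelled "current" and "next", and an in-memory stand-in for the per-tenant unique key table.

```python
import hashlib
import hmac
import json

# Assumptions (constructed, not Simpliflo code): the provider signs with
# Stripe's documented scheme, an HMAC-SHA256 over "<timestamp>.<body>" sent
# as "t=<timestamp>,v1=<hex>"; secrets are labelled "current" and "next".
TOLERANCE_SECONDS = 300  # reject signatures older than five minutes

def sign(secret: str, timestamp: int, body: bytes) -> str:
    """Build the signature header the provider would send (used for tests)."""
    mac = hmac.new(secret.encode(), f"{timestamp}.".encode() + body, hashlib.sha256)
    return f"t={timestamp},v1={mac.hexdigest()}"

def verify(header: str, body: bytes, secrets: dict, now: int):
    """Return the label of the secret that validated the header, or None.
    During rotation `secrets` holds both "current" and "next"; otherwise only
    "current". Recording the label shows when the old secret can be dropped."""
    fields = dict(part.split("=", 1) for part in header.split(","))
    ts = int(fields.get("t", "0"))
    if abs(now - ts) > TOLERANCE_SECONDS:
        return None  # stale timestamp: a replay or clock skew
    for label, secret in secrets.items():
        expected = sign(secret, ts, body).split("v1=", 1)[1]
        if hmac.compare_digest(expected, fields.get("v1", "")):
            return label
    return None

class EventStore:
    """In-memory stand-in for the per-tenant unique key table."""
    def __init__(self):
        self.seen = {}  # (tenant_id, external_ref) -> label that validated it

    def record(self, tenant_id: str, external_ref: str, label: str) -> str:
        key = (tenant_id, external_ref)
        if key in self.seen:
            return "duplicate"  # already posted: replay is safe, nothing re-posted
        self.seen[key] = label
        return "accepted"

def handle_webhook(store, tenant_id, header, body, secrets, now):
    """Verify the signature, then post at most once per (tenant, external reference)."""
    label = verify(header, body, secrets, now)
    if label is None:
        return ("rejected", None)
    event_id = json.loads(body)["id"]
    external_ref = f"stripe_bt:{event_id}"  # durable reference in the page's format
    return (store.record(tenant_id, external_ref, label), label)
```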

Consent, cookies, and messaging safety

  • We use WhatsApp Cloud Utility templates and require customer opt in. STOP and START are supported.
  • The cookie banner blocks non essential scripts, including analytics, until you accept. You can change your choice at any time and we keep a consent log.

Retention and deletion

  • Idempotency and posting metrics are kept for 18 months.
  • Exceptions and audit logs are kept for 24 months.
  • Authentication logs are kept for 12 months.
  • WhatsApp message metadata is kept for 90 days.
  • Consent records are kept for at least 24 months.
  • A nightly purge job enforces these windows and raises an Incident if a purge fails.
  • GDPR delete is available in Settings. We revoke OAuth tokens, delete tenant data according to policy, keep a minimal non personal audit of tenant ID and deletion timestamp, block future logins, and return 410 to future webhooks.

Backups and recovery

  • Postgres is managed with high availability and point in time recovery.
  • We keep a disaster recovery runbook and we drill it on Staging.

Monitoring and incidents

  • We use structured logs with correlation IDs to trace Stripe, queues, workflows, and accounting calls.
  • We watch Stripe to accounting latency, exception rate, WhatsApp delivery failure rate, queue depth, and job age.
  • If exceptions spike for a tenant, posting is paused for that tenant and an Incident is opened with a runbook link. Status banners keep owners informed.
  • If a personal data breach is likely to result in a risk to rights and freedoms, we will notify affected customers without undue delay. We will describe what happened, what data may be affected, and the steps we are taking.

Software quality

  • We run unit and contract tests for posting, mapping, exceptions, idempotency, and replay handling.
  • We run static and dynamic application security testing in CI and CD. Builds fail on high severity findings.
  • Vendor API versions are pinned and recorded.

Data location and vendors

  • Evidence files and assets are stored in the EU where possible.
  • Analytics is privacy friendly and hosted in the EU, and loads only after consent.
  • Some providers may process data outside the UK or EEA. Where this occurs, we use approved safeguards such as Standard Contractual Clauses or the UK International Data Transfer Addendum.
  • We keep a public list of sub-processors with purpose and region and we update it when providers change.

Your controls

  • You can view what was posted and you can see proof files for payouts.
  • You can export your tenant configuration from the Portal.
  • You can delete your tenant data from Settings at any time.
  • You can submit a data access or deletion request from the Portal or by email. We aim to respond within 30 days.

Cookies and analytics

Our cookie banner gives you a clear choice. Non essential scripts are off until you accept. You can return to the banner to change your choice at any time.

Contact for privacy and security

Use the Help form in the Portal or the contact form on the Website to reach us about data protection or security concerns.

We will respond in a timely manner and we will provide additional details on our data practices on request.

For direct support, please email support@simpliflo.co.uk.

Legal entity

Operated by Simpliflo Ltd, Company No 16677770, United Kingdom.