Simpra manages your policies, controls, evidence, and risk register — the most sensitive artifacts in your information security program. We run our own security program in Simpra. If it isn't good enough for us, it isn't good enough for you.
Our internal compliance program — policies, controls, evidence collection, risk register — runs on the same agentic platform we offer customers. When our agents flag a gap in our own program, we fix it. That's not a marketing claim; it's how we caught three control gaps in our first minutes running on our own platform.
Simpra's infrastructure runs entirely on AWS inside a private VPC. No public-facing compute. No shared infrastructure between tenants. Every agent runs in an isolated ECS container — the security boundary is architectural, not just configured.
All ECS containers run inside a private VPC. No agent or service is directly reachable from the public internet. Traffic routes through controlled ingress only.
Each customer's data lives in a logically isolated tenant with row-level security enforced at the database layer. Cross-tenant queries are structurally impossible.
AES-256 at rest via AWS KMS with automated key rotation. TLS 1.2+ in transit. Vector embeddings encrypted in storage. Keys never leave the KMS boundary.
RBAC with granular permissions. MFA enforced on all admin accounts. Break-glass access is time-bounded and logged in the audit trail.
Every platform and agent action is logged with user, timestamp, and change detail. Immutable, retained per your policy, surfaced directly to auditors.
Encrypted daily backups with point-in-time recovery. DR tested quarterly against defined RTO and RPO. US and EU data residency, elected at onboarding.