Privacy Policy
Last Updated: November 27, 2025
1. Introduction
Welcome to Simple Trust Portal. We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
Simple Trust Portal is a document sharing platform designed for B2B organizations to publish and manage trust portals where they can share security and compliance documents with prospective customers.
1.1 Data Roles (Controller / Processor)
Depending on the context, Simple Trust Portal may act as a data processor (service provider) or as a data controller:
- Organization Content and Sharing (Processor): For documents uploaded by organizations and the workflows used to share them (including access requests and approvals), the organization is the data controller and Simple Trust Portal acts as a processor providing the infrastructure and processing on the organization’s instructions.
- Platform Operations (Controller): For our own account administration and operational data (such as account records, security logs, audit logs, and service communications), Simple Trust Portal acts as a data controller.
Organizations are responsible for ensuring they have appropriate legal bases, notices, and permissions for the data and documents they upload and share through the Service.
2. Information We Collect
2.1 Information You Provide
We collect information that you voluntarily provide when using our service:
- Account Information: Name, email address, and encrypted password when you create an account
- Google Sign-In: If you choose to sign in with Google, we receive your name, email address, and profile picture from your Google account. We do not access your Google contacts, calendar, Drive, or any other Google services
- Organization Information: Organization name, logo, and trust portal configuration settings
- Access Request Information: When requesting access to documents, we collect your name, email, company name, and optional message
- NDA Acceptance: Records of Non-Disclosure Agreement acceptance when required by organizations
2.2 Automatically Collected Information
We automatically collect certain information when you use our service:
- Usage Data: Document uploads, downloads, access requests, and share link usage
- Audit Logs: Comprehensive activity logs including event types, timestamps, and user actions
- Version History: Complete document version tracking including uploader names, timestamps, version numbers, and file replacement chains
- Technical Information: IP addresses, browser type, device information, and user agent strings
- Cookies and Session Data: HTTP-only session cookies for authentication and security
2.3 Documents and Files
Organizations upload security and compliance documents (such as SOC2 reports, penetration test results, and policies) to share with prospective customers. These documents are stored securely and access is controlled by the uploading organization.
2.4 Sensitive and Regulated Data
The Service is intended for sharing business security and compliance documentation. You must not upload regulated or highly sensitive personal data, including Protected Health Information (PHI) subject to HIPAA. The Service is not HIPAA compliant and we do not sign Business Associate Agreements (BAAs). You should also not upload payment card data or other data subject to sector-specific regulation unless we have separately agreed in writing to support that processing. Organizations are responsible for determining what data they upload and share and for complying with applicable laws.
3. How We Use Your Information
We use the collected information for the following purposes:
- Service Delivery: To provide, maintain, and improve our document sharing platform
- Authentication: To verify your identity and manage your account access
- Access Control: To manage document visibility, approval workflows, and time-limited access
- Security: To detect, prevent, and respond to fraud, security incidents, and unauthorized access
- Audit Trail: To maintain comprehensive audit logs for compliance and security purposes
- Communication: To send email notifications about access requests, approvals, and account activity
- Document Watermarking: To add requester information to downloaded PDF documents for tracking purposes
- Analytics: To understand aggregated usage patterns and improve our service (we do not use advertising tracking pixels)
4. Data Storage and Security
4.1 Infrastructure
Our service is hosted on secure infrastructure in the United States:
- Application Hosting: AWS EC2 (US-based servers)
- Database and Authentication: Supabase (PostgreSQL database with US-based servers)
- File Storage: Supabase Storage (secure, encrypted storage)
4.2 Security Measures
We implement reasonable administrative, technical, and organizational safeguards designed to protect your information. Our security program is informed by commonly used frameworks such as the CIS Critical Security Controls and the NIST Cybersecurity Framework. We do not represent that we are certified under, formally compliant with, or audited against any specific framework unless we expressly state so in writing.
- HTTPS encryption for all data in transit (TLS 1.2+)
- Encrypted storage for all files and documents
- HTTP-only, secure session cookies to reduce the risk of session theft through XSS attacks
- Tenant isolation and access controls enforced through authentication and authorization checks
- JWT-based authentication via Supabase Auth
- Role-based access control (admin/regular user roles)
- File type validation and size limits
- Time-limited share tokens with download count restrictions
- IP address tracking for audit purposes
4.3 Data Retention
We retain your information for as long as your account is active or as needed to provide services. Audit logs are retained for compliance and security purposes. Organizations can delete their account and associated data through the dashboard settings. We may retain limited information as necessary to: (a) comply with legal obligations; (b) enforce our agreements; (c) resolve disputes; and (d) maintain security, fraud prevention, and audit logs. Backup copies may persist for a limited period as part of standard backup and disaster recovery practices and will be overwritten or deleted in the ordinary course.
Document Versioning: When documents are replaced, all previous versions are retained indefinitely for audit compliance and to maintain the integrity of external document shares. This ensures that external users with approved access can continue to access documents even after files are updated. When an organization is deleted, document versions and associated data are deleted in accordance with our retention practices described above, subject to limited retention for legal, security, and compliance purposes.
4.4 Security Incidents and Breach Notification
If we become aware of a security incident that results in the unauthorized access, use, or disclosure of personal information for which we are responsible, we will notify affected customers as required by applicable law and as appropriate based on the nature of the incident. Organizations remain responsible for their own legal obligations (including any notifications to their end users, customers, or regulators) relating to the data they control.
5. Information Sharing and Disclosure
5.1 Within Organizations
When you request access to an organization's documents, your information (name, email, company, message) is shared with administrators of that organization to facilitate the approval process.
5.2 Service Providers
We use trusted third-party service providers to support our operations. These providers are authorized to process personal information only as necessary to provide services to us, and are subject to confidentiality and data protection obligations.
- Supabase: Database, authentication, and file storage
- Amazon Web Services (AWS): Application hosting
- Resend: Transactional email delivery and tracking
- Google: Optional authentication via Google Sign-In (OAuth 2.0). When you use Google Sign-In, Google's Privacy Policy applies to the authentication process
5.3 Legal Requirements
We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas, or government agencies).
6. Cookies and Tracking
We use HTTP-only session cookies for authentication and security purposes. These cookies are essential for the service to function and cannot be disabled without affecting your ability to use Simple Trust Portal.
We do not use third-party advertising cookies or tracking pixels.
7. Your Rights and Choices
You have the following rights regarding your personal information:
- Access: You can access your account information through the dashboard
- Update: You can update your profile information and organization settings at any time
- Delete: You can delete your organization and associated data through the settings page
- Audit Logs: You can view and export comprehensive audit logs of all activity
- Download: You can export your audit logs in CSV format
8. Data Protection Rights
We are committed to facilitating the exercise of your rights granted by the laws of your jurisdiction, which may include the right to access, correct, or delete your personal information.
8.1 Canada (PIPEDA)
If you are a resident of Canada, your personal information is protected by the Personal Information Protection and Electronic Documents Act (PIPEDA). You have the right to access and correct your personal information held by us. Simple Trust Portal is a Canadian organization, but we use service providers in the United States.
Privacy Officer and Complaints: You may contact our Privacy Officer at privacy@simpletrustportal.com. If you have a complaint, please contact us first so we can try to resolve it. If your concern is not resolved, you may contact the Office of the Privacy Commissioner of Canada.
8.2 EEA and California (GDPR/CCPA)
If you are a resident of the European Economic Area (EEA) or California, you have additional rights under GDPR or CCPA:
- Right to access, rectify, or delete your personal data
- Right to data portability
- Right to restrict or object to processing
- Right to withdraw consent
- Right to lodge a complaint with a supervisory authority
8.3 International Data Transfers
Please note that while Simple Trust Portal is based in Canada, our servers and infrastructure are located in the United States. Your data will be transferred to, stored, and processed in the United States. By using our Service, you acknowledge this transfer and that the US may have different data protection laws than your country of residence.
9. Children's Privacy
Simple Trust Portal is a B2B service not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. Your continued use of the service after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
- General Inquiries: Via our contact page
- Security Concerns: security@simpletrustportal.com
- Service: Simple Trust Portal