Built for fiduciary scrutiny. Honest about where we stand.
Simplorium is built by engineers with hands-on experience implementing SOC 2, NIST 800-53, and FDIC-grade control environments. We designed the platform from day one against those standards — and we're transparent about what we have and what we're working toward.
Transparency statement
Simplorium does not currently hold an independent SOC 2 Type II attestation report. Our platform is architecturally designed against the SOC 2 Trust Services Criteria and we will share our full control mapping with your fund's auditor or legal counsel under NDA on request. For funds whose fiduciary review process requires a formal attested report, we offer a client-sponsored audit engagement — see below.
The control environment in detail
Data Encryption
All data encrypted at rest with AES-256, managed via AWS KMS with per-fund key isolation. All data in transit over TLS 1.3. Keys are rotated on a defined schedule and rotation events are logged.
Tenant Isolation
Every fund runs on its own isolated environment. Cross-fund data access is architecturally impossible — not just a policy, but a structural constraint enforced at the infrastructure layer.
Immutable Audit Logging
Every participant record change, eligibility determination, benefit calculation, and administrative action is logged with actor identity, timestamp, and before/after state. Logs are append-only and cannot be modified or deleted by application users.
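To make the record shape described above concrete, here is an added example (illustrative code written for this page, not Simplorium's own implementation): an audit log whose only write operation is append, where each entry carries actor identity, a UTC timestamp, the before/after state of the record and the list of fields that changed. The SHA-256 hash chain linking entries is an assumption added here so that any later modification or deletion can be detected by a verifier; the page itself only states that logs are append-only and not modifiable by application users.

```python
"""Illustrative append-only audit log with before/after state.

Added example, not Simplorium's code. The hash chain is an assumption
added here: the page says logs are append-only, not that they are chained.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Any, Optional


def _canonical(obj: Any) -> str:
    # Deterministic serialisation so the same entry always hashes identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), default=str)


def _digest(body: dict) -> str:
    return hashlib.sha256(_canonical(body).encode("utf-8")).hexdigest()


class AuditLog:
    """Exposes append(), entries() and verify(); there is no update or delete."""

    GENESIS = "0" * 64  # prev_hash of the very first entry

    def __init__(self) -> None:
        self._entries: list[dict] = []

    def append(self, actor: str, action: str, record_id: str,
               before: Optional[dict], after: Optional[dict],
               when: Optional[datetime] = None) -> dict:
        """Record one change. `before` is None on create, `after` is None on delete."""
        when = when or datetime.now(timezone.utc)
        prev_hash = self._entries[-1]["entry_hash"] if self._entries else self.GENESIS
        old, new = before or {}, after or {}
        changed = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
        body = {
            "seq": len(self._entries),
            "timestamp": when.isoformat(),
            "actor": actor,
            "action": action,
            "record_id": record_id,
            "before": before,
            "after": after,
            "changed_fields": changed,
            "prev_hash": prev_hash,
        }
        entry = dict(body, entry_hash=_digest(body))
        self._entries.append(entry)
        return entry

    def entries(self) -> tuple:
        # Deep copies: a reader cannot alter stored entries through the returned objects.
        return tuple(json.loads(json.dumps(e)) for e in self._entries)

    def history(self, record_id: str) -> list:
        """All changes to one record, oldest first."""
        return [e for e in self.entries() if e["record_id"] == record_id]

    def verify(self) -> bool:
        """Recompute every hash and link; False if any entry was altered or removed."""
        prev_hash = self.GENESIS
        for i, entry in enumerate(self._entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["seq"] != i or entry["prev_hash"] != prev_hash:
                return False
            if _digest(body) != entry["entry_hash"]:
                return False
            prev_hash = entry["entry_hash"]
        return True


if __name__ == "__main__":
    # Constructed sample: a participant record is created, then its hours are updated.
    log = AuditLog()
    log.append("tpa.staff@fund.example", "participant.create", "P-1001",
               None, {"name": "A. Example", "hours": 1200})
    log.append("tpa.staff@fund.example", "participant.update", "P-1001",
               {"name": "A. Example", "hours": 1200}, {"name": "A. Example", "hours": 1450})
    for e in log.history("P-1001"):
        print(e["seq"], e["actor"], e["action"], e["changed_fields"])
    print("chain intact:", log.verify())
```

In a deployed system the `_entries` list would be a datastore whose application role has insert and select grants only; the `verify()` walk is what an auditor (or a scheduled job) would run to confirm that nothing was altered outside the application path.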
Access Control
Role-based access control with least-privilege defaults. Mandatory MFA for all administrative and staff accounts. Session management with configurable timeouts. Trustee and auditor read-only access roles available.
Infrastructure & Availability
Hosted on AWS in us-east-1 with multi-AZ failover. Automated daily backups with verified restore testing. Documented recovery time objectives (RTO) and recovery point objectives (RPO). 99.9998% trailing 12-month uptime.
Incident Response
Documented incident response plan with defined severity tiers, escalation paths, and notification timelines. Security events are logged, triaged, and tracked to resolution. Clients are notified of security incidents affecting their fund within defined SLA windows.
Designed against recognized standards
Our controls are modeled on established frameworks. We don't name-drop certifications we don't hold — but the engineering decisions behind the platform reflect these standards throughout.
Platform architecture, access controls, availability commitments, and audit logging are all mapped to the five TSCs: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Infrastructure controls, identity management, configuration baselines, and incident response procedures follow NIST 800-53 control families, informed by the founder's direct implementation experience.
Audit trail design, data retention policy (7 years), and read-only access roles are built specifically to support the Form 5500 audit process and DOL examination requests.
Client-sponsored SOC 2 audit path
Some Trustee boards and their counsel require a SOC 2 Type II attestation report as a condition of engagement. We support this. Our anchor clients have the option to co-sponsor our formal attestation — which means your fund directly influences the timing and scope of our audit, and receives the attested report.
Engagement scoping
We work with your counsel to define the audit scope — which Trust Services Criteria, which systems, which observation window.
CPA firm selection
We coordinate with a qualified AICPA-licensed CPA firm. You may also nominate your own preferred auditor.
Observation & report
The typical observation window is 6 months. The attested report is issued to Simplorium and shared directly with your fund. Timeline: 9–12 months from engagement.
We're also happy to make our control documentation available to your fund's existing auditor under NDA — no formal engagement required.
The experience behind the controls
Simplorium is built by Scrypster — a software engineering firm with 20+ years of experience building production systems for regulated industries including financial services, government, and public safety. The founding team has direct, hands-on implementation experience with:
This isn't theoretical familiarity. The security decisions in Simplorium reflect real-world implementation experience — the kind you get from shipping production systems that went through actual audits, actual DOL examinations, and actual incident response.
What funds and their counsel ask us
Does Simplorium have a SOC 2 Type II report?
Not yet — and we want to be straight with you about that. We made a deliberate choice to invest first in building the right control environment rather than rushing a paper audit. The platform is designed against the SOC 2 Trust Services Criteria and we'll share our control mapping with your auditor under NDA.
For funds whose review process requires a third-party attested report, we offer a client-sponsored audit engagement — see the section above.
Can our fund's auditor review your controls?
Yes. We'll provide a controls matrix mapped to the SOC 2 TSCs and NIST 800-53 under NDA. Your auditor can review our documentation, ask questions, and conduct whatever diligence your engagement requires. Contact us to arrange this — it typically takes a week to schedule.
Where is fund data stored? Who can access it?
Each fund runs in a logically isolated environment on AWS in the United States (us-east-1, with multi-AZ redundancy). Data does not leave the US. No other fund's staff, administrators, or systems can access your fund's data — this is enforced at the infrastructure layer, not just by policy.
Access is restricted to: your authorized TPA staff (with RBAC roles), your designated read-only Trustee and auditor accounts, and Scrypster engineering staff (for platform support, logged and auditable).
What happens to our data if we leave Simplorium?
Your fund's data is yours. Upon termination of your agreement, we provide a full data export in standard formats (CSV/JSON) within 30 days. After the export is confirmed, all fund data is deleted from our systems per our data retention policy, with written confirmation provided.
Has Simplorium had a security breach?
No. Simplorium has had no security incidents resulting in unauthorized access to fund data. Our incident log — including near-misses and resolved vulnerabilities — is available for review under NDA as part of our security diligence package.
How do you handle vulnerability disclosure?
We maintain a responsible disclosure policy. Security researchers who identify vulnerabilities can use the contact form on our demo page. We acknowledge reports within 2 business days and commit to a remediation timeline based on severity. We do not pursue legal action against good-faith researchers.
Questions your counsel will ask — we have answers.
Schedule a security review call with our team. We'll walk through our control environment, answer your auditor's questions, and discuss the attestation path if you need it.