Privacy & data handling

Privacy Policy.

How Smpl collects, uses, stores, and shares data. Including data accessed through connected services and the Smpl MCP connector.

Last updated: July 2026
1

Overview

Smpl Security (“Smpl”, “we”, “us”), a product of Praxis Global, provides a cloud security posture management (CSPM) platform. We connect to the cloud services your organisation uses, analyse their configuration for security misconfigurations, and report findings with remediation guidance. This policy explains what data we collect, how we use and store it, who we share it with, and how long we keep it. It applies to our web application at smplsecurity.ai, our API, and the Smpl MCP connector.

2

Information we collect

We collect the following categories of data:

  • Account information. Name, email address, organisation name, and authentication identifiers when you create an account or are invited to one.
  • Connected service data. When you connect a service (Google Workspace, GCP, AWS, GitHub, GitLab, Slack, Salesforce, HubSpot, Stripe, Supabase, Vercel, Resend, Cloudflare, and similar), we access configuration metadata, access-control settings, and resource inventories through that service’s API. Access is requested with the minimum scopes required to perform a scan, and is read-only wherever the provider supports it.
  • Scan results and findings. Security findings, severity ratings, affected assets, remediation status, compliance evidence, and historical scan data generated by our scans.
  • Credentials and tokens. OAuth tokens and API keys for connected services. These are encrypted at the application layer using AES-256-GCM before storage (see Section 4).
  • Usage and diagnostic data. Log data, IP address, browser type, and product interaction events collected via PostHog, used to operate, secure, and improve the service.
3

How we use information

We use the data described above to:

  • scan connected services and generate security findings and compliance evidence;
  • display findings, remediation guidance, and compliance status to authorised members of your organisation;
  • send notifications you have configured, such as alerts on new critical findings;
  • operate, secure, troubleshoot, and improve the service;
  • analyse usage patterns and product interactions (via PostHog) to improve user experience;
  • process billing through our payment provider; and
  • comply with legal obligations.
We do not sell personal data. We do not use your connected service data or scan results to train machine-learning models for any customer other than your own organisation.
4

How we store and protect data

Data is stored in Supabase PostgreSQL databases with encryption at rest. OAuth tokens and API keys for connected services are additionally encrypted at the application layer using AES-256-GCM before being written to the database, and are decrypted only at the moment they are needed to perform a scan. Access to production data is restricted to authorised personnel and protected by multi-factor authentication and role-based access controls. All network traffic is encrypted in transit using TLS 1.2 or higher.

5

Third parties and sub-processors

We share data with the following service providers strictly to operate Smpl. Each processes data on our behalf under its own terms and security commitments:

  • Supabase — database (PostgreSQL), authentication, and storage.
  • Vercel — application hosting and serverless compute.
  • Stripe — subscription billing and payment processing.
  • Resend — transactional and notification email delivery.
  • PostHog — product analytics and usage tracking.

We also access data from the services you choose to connect, using the credentials you provide. We do not otherwise share your data with third parties except where required by law, to protect the rights and safety of Smpl or others, or as part of a merger, acquisition, or sale of assets, in which case we will notify you.

6

The Smpl MCP connector

Smpl offers a remote Model Context Protocol (MCP) server that lets AI assistants, such as Claude, access your Smpl data on your behalf. When you authorise the connector:

  • authorisation uses OAuth 2.0 with an explicit consent step; you can revoke access at any time from your Smpl account settings;
  • the connector exposes a limited set of tools that read your security findings and compliance status, and that update the status of a finding;
  • the connector returns only the data required to answer a request and does not access your AI assistant’s conversation history, memory, or unrelated files;
  • requests made through the connector are subject to this Privacy Policy. Data handled by your AI assistant is additionally governed by that assistant provider’s own privacy policy.
7

The Smpl Security Stripe App

Smpl Security is available as an app on the Stripe App Marketplace. When you install the app and connect your Stripe account via OAuth:

  • we request read-only access to your Stripe account’s charges, payment intents, customers, webhook endpoints, and balance — the minimum permissions required to run posture scans;
  • your OAuth access token is encrypted before storage and decrypted only at scan time; it is never logged or transmitted to third parties;
  • the app does not read, store, or process payment card numbers, bank account details, or other financial instrument data — it reads configuration metadata only;
  • scan findings are stored as described in Section 4 and are accessible only to authorised members of your Smpl organisation;
  • you can disconnect the Stripe App at any time from your Stripe Dashboard or from your Smpl account settings, at which point your OAuth token is deleted and no further scans are performed.
8

Data retention

We retain account information for as long as your account is active. Connected service data, scan results, and findings are retained while the relevant connection exists and for up to 90 days after a connection is removed or an account is closed, after which they are deleted or anonymised, except where a longer period is required to meet legal, accounting, or security obligations. Credentials and tokens for a connected service are deleted promptly when that service is disconnected. You may request deletion of your data at any time (see Section 10).

9

International transfers

Smpl and its sub-processors may process data in countries other than the one in which you are located. Where data is transferred across borders, we rely on appropriate safeguards, such as standard contractual clauses or adequacy decisions, to protect it in accordance with applicable data protection laws.

10

Your rights

Depending on your location, you may have the right to access, correct, export, or delete your personal data, and to object to or restrict certain processing. To exercise these rights, or to disconnect a service and have its data removed, use the controls in your account settings or contact us at the address below. We will respond within the time required by applicable law (30 days for GDPR, 45 days for CCPA).

11

GDPR compliance

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the following provisions apply:

  • Legal basis. We process your personal data on the basis of: (a) contractual necessity — to provide the Service you signed up for; (b) legitimate interest — to secure and improve the Service; and (c) consent — where you have opted in to analytics or marketing communications.
  • Data subject rights. You have the right to access, rectify, erase, restrict processing of, or port your personal data. You also have the right to object to processing based on legitimate interest and to withdraw consent at any time.
  • Data controller. Praxis Global is the data controller for account and usage data. For connected service data, your organisation is the data controller and Smpl acts as a data processor.
  • Data Protection Officer. You may contact our privacy team at privacy@smplsecurity.ai for any data protection inquiries.
  • Supervisory authority. You have the right to lodge a complaint with your local data protection authority if you believe your data has been processed unlawfully.
12

CCPA compliance

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) grant you additional rights:

  • Right to know. You may request details about the categories and specific pieces of personal information we have collected, the sources, the business purposes for collection, and the categories of third parties with whom we share it.
  • Right to delete. You may request deletion of personal information we have collected, subject to certain exceptions (e.g., legal obligations, ongoing service delivery).
  • Right to opt out. We do not sell personal information. We do not share personal information for cross-context behavioural advertising.
  • Non-discrimination. We will not discriminate against you for exercising your CCPA rights.
  • Authorised agent. You may designate an authorised agent to make requests on your behalf. We may require verification of the agent’s authority.

To exercise any of these rights, contact us at privacy@smplsecurity.ai or use the controls in your account settings. We will respond within 45 days.

13

Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you through the service or by email.

14

Contact us

For privacy questions or data requests, contact us at privacy@smplsecurity.ai or support@praxisglobal.ai. We will respond within 30 days.

Smpl Security is a product of Praxis Global.
Website: smplsecurity.ai