1. Purpose

The purpose of this Information Security Policy is to define the principles and controls used by Simply 365 Limited to protect the confidentiality, integrity, and availability of information assets, including customer data, operational data, and system data.

This policy applies to all employees, contractors, consultants, and third parties who access company systems or information.

2. Scope

This policy applies to:

• All internal systems and devices
• Cloud services and third-party platforms
• The company’s CRM system: Microsoft Dynamics
• Email and collaboration tools
• Customer data processed through our claims handling platform
• All business information, whether digital or physical

3. Governance and Responsibility

The Board of Directors has overall responsibility for information security.

Operational responsibility is delegated to senior management, who ensure:

• Implementation of appropriate controls
• Risk assessment and mitigation
• Compliance monitoring
• Incident response management

All employees share responsibility for maintaining information security.

4. Information Security Principles

Simply 365 Limited operates under the following principles:

• Confidentiality – Information is accessible only to authorised individuals
• Integrity – Information is accurate, complete, and protected from unauthorised modification
• Availability – Systems and data are available when required for business operations

5. Use of Microsoft Dynamics (CRM System)

The Company uses Microsoft Dynamics as its Customer Relationship Management (CRM) platform to manage customer records, service interactions, and operational workflows.

Security controls include:

5.1 Access Control

• Role-based access permissions
• Principle of least privilege
• Unique user accounts (no shared logins)
• Multi-factor authentication (MFA) where available
• Immediate access revocation upon staff termination

5.2 Data Protection

• Data stored within Microsoft’s secure cloud infrastructure
• Encryption in transit and at rest (where supported by the platform)
• Secure configuration aligned with vendor best practice

5.3 Monitoring

• Audit logging enabled where available
• Regular review of user access rights
• Monitoring for unusual or unauthorised activity

6. Data Classification

Information is classified as:

• Public
• Internal
• Confidential
• Highly Confidential (e.g., personal data, contractual data, sensitive operational information)

Personal data processed within Microsoft Dynamics is treated as Confidential or Highly Confidential.

7. Acceptable Use

Employees and authorised users must:

• Use company systems only for legitimate business purposes
• Not share passwords or authentication credentials
• Lock devices when unattended
• Avoid accessing systems on unsecured networks
• Report suspicious emails or activity immediately

8. Device Security

Where company devices are used:

• Devices must be password protected
• Automatic screen locking must be enabled
• Anti-malware protection must be active
• Operating systems and software must be kept up to date

Where remote working is permitted, secure access methods must be used.

9. Third-Party and Supplier Security

All suppliers who process data on behalf of Simply 365 Limited must:

• Enter into written contractual agreements
• Implement appropriate technical and organisational measures
• Comply with applicable data protection and security standards
• Notify the Company of any security incident affecting shared data

10. Incident Management

All suspected information security incidents must be reported immediately.

Examples include:

• Lost or stolen devices
• Suspected data breaches
• Phishing attempts
• Unauthorised access
• System vulnerabilities

The Company will:

• Investigate promptly
• Contain the incident
• Assess impact
• Notify affected parties and regulators where required
• Take corrective action

Where personal data is involved, obligations under applicable data protection legislation will be followed.

11. Backup and Business Continuity

• Critical data is backed up regularly
• Recovery procedures are tested where appropriate
• Business continuity planning is maintained to minimise service disruption

Microsoft Dynamics infrastructure resilience supports system availability, subject to vendor service levels.

12. Training and Awareness

All employees receive appropriate information security awareness guidance, including:

• Phishing awareness
• Password hygiene
• Data protection principles
• Incident reporting procedures

Security awareness is reinforced periodically.

13. Physical Security

Where applicable:

• Office premises are access controlled
• Visitor access is monitored
• Confidential documents are securely stored
• Clean desk principles are encouraged

14. Compliance and Review

This policy will be:

• Reviewed at least annually
• Updated in response to regulatory or operational changes
• Aligned with evolving cybersecurity risks

Compliance with this policy is mandatory. Breaches may result in disciplinary action.

15. Continuous Improvement

Simply 365 Limited is committed to ongoing improvement of its information security posture through:

• Regular risk assessment
• Security awareness enhancement
• System configuration review
• Supplier assurance processes
• Alignment with recognised security best practices

16. Contact Us

If you have any questions about this Information Policy then please contact:

Simply 365 Limited
Registered Office: C/O Partners In Enterprise Ltd Ground & Lower Ground Floor, 9 St Georges Place, Brighton, United Kingdom, BN1 4GB

Email: hello@simply365.co.uk
Phone: 0333 052 7218