David Simpson Apps

Trust Centre

David Simpson Apps is a software company based in Nottingham, England.

As a monday.com silver marketplace partner, we develop monday.com applications that are trusted by 1000s of organisations worldwide.

Access control to premises and facilities

  • Access issued according to role and necessity
  • Careful selection of service personnel with long-term affiliation requirements
  • Visitors escorted on premises at all times

Access control to systems

  • Privileges for insertion, modification, and deletion of data are assigned based on a documented authorisation scheme
  • Periodic review of all user accounts to verify accounts remain justified and up to date; central management of system access where possible
  • Password management enforced; authentication requires at minimum a username and password, with multi-factor authentication (MFA), and hardware-backed MFA enabled wherever possible
  • No access permitted for guest users or anonymous accounts
  • Secure communication protocols enforced for all external services

Access control to data

  • Documented authorisation scheme governs all data access rights
  • Principle of least privilege applied to all accounts; administrative privileges minimised to only those who require them
  • Physical printouts containing sensitive data are destroyed using a cross-cut shredder
  • Automated logging of all user access via IT systems
  • Measures in place to prevent unauthorised use of data communication equipment
  • Test and production environments are strictly separated, with separate access privileges

Disclosure control

  • All mobile devices used to access company systems are encrypted and secured with a device passcode
  • VPN or equivalent encrypted protocol required for all remote access, data transport, and external communications
  • Data in transit protected with TLS 1.2 or higher on all endpoints

Input control

  • Personal accounts assigned according to documented authorisation scheme — no shared accounts permitted
  • User activities on IT systems are logged to support accountability and forensic investigation

Job and processor control

  • Sub-processors are carefully selected and assessed before engagement
  • Data Processing Agreements (DPAs) compliant with GDPR are in place with all sub-processors who handle personal data
  • Sub-processor list maintained and updated — see our Subprocessors page for the current list

Availability control

  • System functionality and restoration capabilities are tested to ensure recovery from interruption, with appropriate fault-reporting mechanisms in place
  • Redundancy and failover systems in place for critical services
  • Disaster Recovery Plans (DRP) documented and reviewed periodically
  • Our apps are hosted on monday.com's infrastructure, which benefits from AWS multi-region availability and uptime SLAs — see trust.monday.com

Organisational controls

  • Periodic security and privacy training for all employees
  • Employee Handbook includes instructions on data security and privacy obligations
  • Regular review, assessment, and evaluation of the effectiveness of these technical and organisational measures
  • Contractual non-disclosure obligations included in every employee on-boarding contract
  • Segregation of duties applied across critical processes
  • Background screening conducted for all new hires
  • Incident response procedures documented and rehearsed

Infrastructure controls

  • Device management policies enforce technical controls including passwords, automatic screen lock, OS updates, and full-disk encryption on all company devices
  • Antivirus and endpoint security software deployed across all devices (anti-malware, web filtering, data loss prevention)
  • Capacity management processes in place to ensure services scale to meet demand
  • Network services secured and monitored; cabling and physical network infrastructure protected from tampering