Addo Sign has established processes, methods and technologies and embraced proven standards to ensure security and accessibility for our customers. The nature of threats is constantly changing, so security awareness is a natural part of our development process, and we constantly strive to be even better.

1. Physical Protection 
2. Services Designed for Security 
3. Monitoring and Protection 
4. Incident management
5. Protection and information

Physical Protection

Data stored in Addo Sign are stored in IT-Relation and follows local European regulations and requirements regarding protection of data privacy. IT-Relation holds numerous certifications and declarations including ISO 27001, ISAE 3402 II and ISAE 3000. Physical measures to protect data includes:

• Locked and alarmed with 24/7 surveillance.
• External and internal video monitoring and traceability of access to the premises.
• Environmental control
• Uninterruptible power supply regularly tested against fictional power outages.

Services Designed for Security

From planning to deployment of new services or features, we follow our Security Development Lifecycle, meaning that security requirements are embedded and measured during development. Security requirements are based on a combination of legal, sector, client, best practices and compliance with privacy laws and regulations.

• We perform security audits and penetration testing using both internal and external experts.
• Our services are tested to ensure resilience against attacks like SQLi, XSS and CSRF, session hijacking, and other threats. Our baseline is OWASP top 10.
• The minimum Security Requirements that all development teams follow are:
• Passwords are never stored as text but are always “hashed and salted” server side. This means that even we at Visma are unable to find out what your password is. If you lose your password, Addo Sign will automatically generate a new one for you.
• Communication is always via an encrypted connection.

Monitoring and Protection

When making our services available to our customers, they are carefully monitored. This includes continuous scanning for vulnerabilities, monitoring of intrusion attempts as well as abuse detection.

Incident Management

When incidents occur, we have a dedicated Security Incident team that provides the necessary coordination, management, feedback and communication. They also have responsibility for assessing, responding to and learning from information security incidents to make sure that we minimize the risk of them recurring.

Protection of Information

• All our staff are covered by confidentiality agreements.
• All Visma staff are located in Europe.
• Our staff only have access to the systems and functions they need to perform their tasks.
• Our staff are bound by guidelines and rules as well as supervised and monitored when accessing client-specific information.
• Access to your stored information is limited to a few people in operations and technical support. Other support staff will only see your information when you actively approve it, for example via a support case. We comply with applicable rules of the retention of accounting records.
• Visma has extensive internal security guidelines, security reviews as well as a strong security organisation.