Visma Addo has established processes, methods and technologies and embraced proven standards to ensure security and accessibility for our customers. The nature of threats is constantly changing, so security awareness is a natural part of our development process and we constantly strive to be even better.
Data stored in Visma Addo are stored in Itadel and follows local European regulations and requirements regarding protection of data privacy. Itadel holds numerous certifications and declarations including ISO 27001, ISAE 3402 II and ISAE 3000. Physical measures to protect data includes:
- Locked and alarmed with 24/7 surveillance.
- External and internal video monitoring and traceability of access to the premises.
- Environmental control
- Uninterruptible power supply regularly tested against fictional power outages.
Services designed for security
From planning to deployment of new services or features, we follow our Security Development Lifecycle, meaning that security requirements are embedded and measured during development. Security requirements are based on a combination of legal, sector, client, best practices and compliance with privacy laws and regulations.
- We perform security audits and penetration testing using both internal and external experts.
- Our services are tested to ensure resilience against attacks like SQLi, XSS and CSRF, session hijacking, and other threats. Our baseline is OWASP top 10.
- The minimum Security Requirements that all development teams follow are:
- Passwords are never stored as text but are always “hashed and salted” server side. This means that even we at Visma are unable to find out what your password is. If you lose your password, Visma Addo will automatically generate a new one for you.
- Communication is always via an encrypted connection.
Monitoring and protection
When making our services available to our customers, they are carefully monitored. This includes continuous scanning for vulnerabilities, monitoring of intrusion attempts as well as abuse detection.
When incidents occur, we have a dedicated Security Incident team that provides the necessary coordination, management, feedback and communication. They also have responsibility for assessing, responding to and learning from information security incidents to make sure that we minimise the risk of them recurring.
Protection of information
- All our staff are covered by confidentiality agreements.
- All Visma staff are located in Europe.
- Our staff only have access to the systems and functions they need to perform their tasks.
- Our staff are bound by guidelines and rules as well as supervised and monitored when accessing client-specific information.
- Access to your stored information is limited to a few people in operations and technical support. Other support staff will only see your information when you actively approve it, for example via a support case. We comply with applicable rules of the retention of accounting records.
- Visma has extensive internal security guidelines, security reviews as well as a strong security organisation.
ISAE 3402 declaration
Visma Addo is in the process of receiving an ISAE 3402 declaration that will be made available here when it is finished (Q3 2019). ISAE (International Standards for Assurance Engagements) 3402 is a global standard for documentation and procedures at service providers. The declaration is a guarantee that Visma Addo handles all aspects of the operation, processes, risk assessments and safety in a professional and sound manner.