Privacy
How we work with our cloud providers
Customer adoption of SaaS solutions is steadily increasing globally, showing that cloud technology drives better business.
Great cloud technology requires world-class cloud hosting. Visma has three primary cloud hosting providers: Amazon Web Services, Microsoft Azure and Google Cloud.
To ensure we best serve our customers, we have a close relationship with our cloud providers, ensuring they follow certain guidelines and following up with them regularly.
Contractual performance management
Once a month, Visma holds business review meetings with each cloud provider, where we discuss Operational reports, SLA performance and support issues. We also review the status of our onboarding-to-cloud-projects and various initiatives related to GDPR, Corporate Social Responsibility, training/certifications, and other topics.
In addition we have monthly project-related meetings regarding how we can increase cloud adoption in our markets.
Security and data protection
Each year, as part of the monitoring phase in our vendor management framework, the cloud providers must answer our assessments with questions related to corporate and financial information, data protection and governance. We also ask them about their Corporate Social Responsibility, where we seek their compliance related to anti-corruption and bribery, their supply chain, carbon footprint, renewable energy, anti-discrimination and diversity. The vendor also answers questions related to the assets (the systems and services we acquire from the vendor) in relation to data protection and also technical and organisational measures.
We do risk assessments on various data protection aspects of the processing that takes place as well as regular software and cloud architecture peer reviews of most of our products.
Compliance
Visma has a diverse group of subject-matter experts who consider new SOC reports from the cloud providers. The group looks at areas like privacy and security, change management, and identity and access management. We also look for changes in the control framework (e.g. new/deleted/changed controls) and the results of the tests done.
A final evaluation is performed to see how this affects our business, products and data, and if the customers should be informed.
