Security

Visma has been offering cloud solutions for more than 15 years. We have established processes, methods and technologies and adopted proven standards to ensure the security and availability of our services for our customers. The nature of threats is constantly changing, so security awareness is a natural part of our development process and we constantly strive to improve.

This section uses technical terms and expressions. A glossary explaining the most commonly used ones is available on a separate page.

Physical protection

Data stored in Visma's cloud systems is kept in data centres in Europe and is handled in accordance with European data protection regulations and requirements. Physical measures to protect the data include:

  • Premises are locked and alarmed, with 24/7 surveillance.
  • External and internal video monitoring and traceability of access to the premises.
  • Environmental control.
  • Uninterruptible power supply, regularly tested against simulated power outages.

National legislation requires some categories of data to be stored in specific countries. Read more about how Visma's storage meets national requirements on the Product site.

Services designed for security

From planning to deployment of new services or features, we follow our Security Development Lifecycle, meaning that security requirements are embedded and measured throughout the service's lifetime. Security requirements are derived from a combination of legal, sector-specific and client requirements, best practices, and compliance with privacy laws and regulations.

  • We perform security audits and penetration testing using both internal and external experts.
  • These include static security testing of source code (SAST), analysis of compiled code, manual dynamic testing, and dynamic testing and penetration testing of running systems (DAST + pentests).
  • Documentation of compliance with the Security Programs is maintained and forms part of the KPIs for the management of the individual Visma companies.
  • Our services are tested to ensure resilience against attacks such as SQL injection (SQLi), cross-site scripting (XSS), cross-site request forgery (CSRF), session hijacking and other threats. Our baseline is the OWASP Top 10.
  • The minimum security requirements that all development teams follow are:
      • Passwords are never stored in clear text; they are always hashed with a per-user salt on the server side. The salt ensures that two users with the same password do not share the same stored value and that precomputed tables cannot be used against the whole database. This also means that even we at Visma are unable to find out what your password is: if you lose your password, it cannot be recovered, and you must set a new one from your trusted environment.
      • Communication always takes place over an encrypted connection.
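The salted-hashing requirement above, shown as an added example (this is not Visma's code, and the page does not say which key-derivation function Visma uses; PBKDF2-HMAC-SHA256 with a random 16-byte salt is assumed here). The stored record is self-describing, so the iteration count can be raised later without breaking verification of existing records, and the comparison is constant-time:

```python
"""Salted password hashing and verification (added example, not Visma's code)."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example. The page does not state Visma's
# choice of algorithm or work factor.
ALGORITHM = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a record of the form algorithm$iterations$salt$hash.

    A fresh random salt is generated per password, so identical passwords
    produce different records and a leaked table cannot be attacked with
    one precomputed dictionary for all users.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash using the salt and work factor stored in the record.

    The stored record never has to be decrypted; the only way to check a
    password is to run the same one-way computation and compare, which is
    why the operator cannot recover a forgotten password either.
    """
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record: reject rather than raise
    if algorithm != ALGORITHM:
        return False  # unknown algorithm identifier
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def same_password_distinct_records(password: str) -> bool:
    """Two users choosing the same password get different stored records."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    # Constructed sample input for the example.
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("correct password accepted:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", not verify_password("Tr0ub4dor&3", record))
    print("same password, distinct records:", same_password_distinct_records("hunter2"))
```

The password itself never appears in the stored record, so a database dump yields only salts and digests; an attacker must guess each user's password individually and pay the full work factor for every guess.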

Monitoring and protection

Once our services are made available to customers, they are carefully monitored. This includes continuous scanning for vulnerabilities, monitoring of intrusion attempts and abuse detection, protection against distributed denial-of-service (DDoS) attacks, frequent penetration testing, and data analytics to make sure that operations remain stable and secure.

Secure hybrid systems

Our transactional services, such as Visma.net AutoInvoice and Visma.net AutoPay, connect our clients' on-premises systems with today's digital information flows. This creates hybrid environments in which maintaining data security has traditionally been a challenge.

Visma is fully committed to providing state-of-the-art data security for every hybrid combination of on-premises systems and networked solutions that our clients operate.

By using the Visma On Premises Gateway add-on service, you can set up a secure communication channel between your Visma on-premises system and your networked Visma solution.

The data flow between the client's on-premises installation and any network resource is protected by an encrypted channel based on the industry-standard SSH protocol. Installation of the On Premises Gateway is simple and requires no special technical knowledge or resources.

For further questions or more in-depth information, please get in touch with us at privacy@visma.com

Incident management

When incidents occur, a dedicated Security Incident team provides the necessary coordination, management, feedback and communication. The team is also responsible for assessing, responding to and learning from information security incidents, so that the risk of them recurring is minimised. Incidents are reported on https://status.visma.com for general products and on https://status.visma.net for the Visma.net product line, where customers can follow the progress of resolving the issue.

Protection of information

  • All our staff are covered by confidentiality agreements.
  • All Visma staff are located in Europe.
  • Our staff only have access to the systems and functions they need to perform their tasks.
  • Our staff are bound by guidelines and rules as well as supervised and monitored when accessing client specific information.
  • Access to your stored information is limited to a few people in operations and technical support. Other support staff can only see your information when you actively approve it, for example via a support case. We comply with the applicable rules on retention of accounting records.
  • Visma has extensive internal security guidelines and security reviews, as well as a strong security organisation.

Security Operations Centre

The Security Operations Centre (SOC) is our central security and intelligence hub. The SOC assists our development and other teams with actionable intelligence and takes an active part when events occur. The SOC is an integral part of our event management system and focuses on monitoring, collection and analysis of data to help the teams protect our services.

FAQ

Q: How do we ensure that your services are up and running?

We always use fully redundant (at least two independent) Internet connections to the data centre. In the event of an interruption, traffic is automatically transferred to a functioning connection, usually without the service being affected.

Q: How do we protect your information against cyber attacks?

  • We perform security audits and penetration testing using both internal and external experts.
  • Passwords are never stored in clear text; they are always hashed with a per-user salt. This means that not even we at Visma can find out what your password is. If you lose your password, it cannot be recovered, and you must set a new one.
  • All communication takes place over an encrypted connection.
  • Our services are tested to withstand common attacks such as SQL injection (SQLi), cross-site scripting (XSS), cross-site request forgery (CSRF), session hijacking and other threats.
  • We continuously monitor our services.

Q: How do we physically protect your information?

  • Backups are taken several times daily and copies stored geographically separate from the operating environment.
  • Video monitoring and traceability of access to the premises.
  • Redundant climate control with environmental monitoring of gas, moisture, heat and water.
  • Fire alarm with automatic fire fighting equipment.
  • Uninterruptible power supply, regularly tested against simulated power outages.
  • All data centres conform to recognised industry standards of physical security and reliability, including ISO/IEC 27001:2005.

Q: Have you had any external parties assess your security?

Yes, several external companies have assessed our security. Our Visma Security group also runs continuous security assessments on all of our services.

Q: Which guarantees and conditions apply?

The relationship between Visma and our customers regarding our services is governed by Visma's terms of use.