Security

Visma has been offering cloud solutions for more than 15 years. Over the years, we have established processes, methods and technologies and embraced proven standards to meet our customers' security, privacy and accessibility needs. The nature of threats is constantly changing, so security awareness is a natural part of our development process and we constantly strive to be even better.

Services designed for security

From planning to deployment of new services or features, we follow our Security Development Lifecycle, meaning that security requirements are embedded and measured throughout the service's lifetime. Security requirements are derived from a combination of legal, sector and client requirements, industry best practices, and compliance with privacy laws and regulations.

  • We perform security audits and penetration testing using both internal and external experts.
    • These include security testing of source code (SAST), compiled code (DAST), manual dynamic testing and operational systems (DAST + PenTests).
  • Documentation of compliance against the Security Programs is maintained and is part of the KPIs for the management of Visma in the different companies.
  • Our services are tested to ensure resilience against attacks like SQLi, XSS and CSRF, session hijacking, and other threats. Our baseline is OWASP top 10.
  • The minimum Security Requirements that all development teams follow are:
    • Passwords are never stored as text but are always “hashed and salted” server side. This means that even we at Visma are unable to find out what your password is. If you lose your password, you must generate a new one in your trusted environment.
    • Communication is always via an encrypted connection.

Monitoring and protection

Once our services are made available to customers, they are carefully monitored. This includes continuous scanning for vulnerabilities, monitoring of intrusion attempts, abuse detection, distributed denial-of-service (DDoS) attack prevention, frequent penetration testing and data analytics to make sure that operations remain stable and secure.

Physical protection

For public cloud solutions, we use the vendor’s data centres for storage of information. They run around the clock and ensure operations by protecting against power outage, physical intrusion and network outage. These data centres conform to recognised industry standards of physical security and reliability.

For information regarding hosting of our different services, see data centres in our Transparency section.

Secure hybrid systems

Our transactional services, such as Visma.net AutoInvoice and Visma.net AutoPay, connect our clients’ on-premise systems with today’s modern digital information flows. This creates hybrid environments where maintaining data security has traditionally been a challenge.

Visma is fully committed to providing state-of-the-art data security for all hybrid combinations of on-premise systems and networked solutions our clients operate.

By using the Visma On Premises Gateway add-on service, you can set up a secure communication channel between your Visma on-premise system and your networked Visma solution.

The data flow between the client’s on-premise installation and any network resource is protected by industry-standard SSH encryption. Installation of the On Premises Gateway is simple and requires no special technical knowledge or resources.

For further questions or more in-depth information, please get in touch with us at trust@visma.com.

Incident management

When incidents occur, we have a dedicated Security Incident team that provides the necessary co-ordination, management, feedback and communication. They are also responsible for assessing, responding to and learning from information security incidents to make sure that we minimise the risk of them recurring. Incidents are reported on https://status.visma.com for general products or https://status.visma.net for the Visma.net product line, where customers can follow the progress of resolving the issues.

Protection of information

  • All our staff are covered by confidentiality agreements.
  • All Visma staff are located in Europe.
  • Our staff only have access to the systems and functions they need to perform their tasks.
  • Our staff are bound by guidelines and rules as well as supervised and monitored when accessing client specific information.
  • Access to your stored information is limited to a few people in operations and technical support. Other support staff can only see your information when you actively approve it, for example via a support case. We comply with applicable rules of retention of accounting records.
  • Visma has extensive internal security guidelines, security reviews as well as a strong security organisation.

Glossary

Redundancy: A method to increase reliability by allowing two or more units (e.g. network or hardware) to work in parallel with the same information, mirroring each other. If one of them breaks down, the other one takes over.

Anycast network: An industry standard for routing name resolution (DNS) traffic over the internet that gives servers the highest possible availability across the world and improves resilience against cyber-attacks.

Penetration testing: A controlled way to identify security weaknesses in our systems by contracting professional testers to attack our systems and share their findings with the development teams. This helps our development and operations teams to strengthen our security.

Hashing: A cryptographic hash function is a mathematical algorithm that maps data of arbitrary size to a bit string of a fixed size and is designed to be a one-way function, that is, a function that is infeasible to invert. The only way to recover the input from an ideal cryptographic hash function's output is to try a large number of possible inputs and see if one produces a match.

Salting: A method to strengthen password hashing by adding random data (the salt) to the password before it is hashed, with the salt stored alongside the resulting hash. The primary function of salts is to defend against dictionary attacks on a list of password hashes and against pre-computed rainbow table attacks.

SQLi: SQL injection is a way to exploit a security vulnerability in applications working with a database. The idea is to inject a direct database query that circumvents the login system and allows manipulation of the data.

XSS: Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted web sites.

CSRF: Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated.
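As an added illustration of the baseline requirement that passwords are stored only "hashed and salted" server side (from the Security Requirements list above and the Hashing and Salting glossary entries), combined with the SQLi entry, the following Python is example code written for this page and is not Visma's own implementation. It assumes PBKDF2-HMAC-SHA256 as the key derivation function, an in-memory SQLite table as the user store, and a constructed iteration count; all usernames and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Assumed parameters for this example only (not Visma's actual settings).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh random salt per user means two users with the same password get
    different stored values, so a pre-computed (rainbow) table is useless and
    each hash has to be attacked separately.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


# Used when the username does not exist, so the KDF still runs and a missing
# account is not distinguishable from a wrong password by response time.
DUMMY_HASH = hash_password("not-a-real-password")


def open_user_store() -> sqlite3.Connection:
    """Constructed in-memory user table: the password column holds only salt+hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)"
    )
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    # Bound parameters: user input never becomes part of the SQL text.
    conn.execute(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        (username, hash_password(password)),
    )


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        verify_password(password, DUMMY_HASH)
        return False
    return verify_password(password, row[0])


def demo() -> dict:
    """Constructed walkthrough; returns the outcomes so they can be checked."""
    conn = open_user_store()
    register(conn, "alice", "correct horse battery")
    register(conn, "bob", "correct horse battery")
    stored = {
        name: conn.execute(
            "SELECT password_hash FROM users WHERE username = ?", (name,)
        ).fetchone()[0]
        for name in ("alice", "bob")
    }
    return {
        "login_ok": login(conn, "alice", "correct horse battery"),
        "login_wrong_password": login(conn, "alice", "Correct horse battery"),
        "login_unknown_user": login(conn, "mallory", "correct horse battery"),
        # The classic tautology input from SQLi write-ups; with a bound
        # parameter it is simply a username that does not exist.
        "login_injection_attempt": login(conn, "alice' OR '1'='1", "x"),
        "plaintext_in_store": "correct horse battery" in stored["alice"],
        "same_password_same_hash": stored["alice"] == stored["bob"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points matter here: the stored value contains the salt and the iteration count, so the parameters can be raised later without breaking existing accounts, and the comparison uses hmac.compare_digest so a wrong guess cannot be detected byte by byte through timing.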

Responsible Disclosure Policy

The information on this page is intended for security researchers interested in reporting security vulnerabilities to the Visma security team. If you are a customer and have a question about security or a password or account issue, please contact us through the standard support channels available for your product.

Visma is committed to the security of our customers and their data and we believe that engaging with the security community is important. We allocate resources to fix and patch vulnerabilities as soon as they are discovered by internal tests, researchers, or customers. If you believe you've discovered a security vulnerability in a Visma service, product or web property, we strongly encourage you to inform us as quickly as possible and to not disclose the vulnerability publicly until it has been addressed.

Visma does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to our Responsible Disclosure guidelines.

Responsible Disclosure Guidelines

  • Provide an appropriate level of detail on the vulnerability so that we can reproduce the issue.
  • Allow us a reasonable time period to address the issue before publishing any information or details about the vulnerability.
  • Target only your own accounts and devices when investigating and testing a vulnerability. Never attempt to access accounts, devices, or data that you don't own or don't have permission to access.
  • Do not use phishing or social engineering.

How to Report a Security Vulnerability

  1. Send an email to responsible-disclosure@visma.com. If you feel that the email should be encrypted, our PGP key is available below.
  2. You will get an automated response confirming that we have registered the issue.
  3. A support ticket is automatically created and assigned to a Security Analyst.
  4. The Security Analyst will triage the issue and escalate to the correct team within Visma.
  5. The issue is fixed!

We believe in open communications and will keep you updated throughout this process. We aim to triage all reports within 12 business hours and address all vulnerabilities within 30 days.

Our PGP key


-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: Mailvelope v2.0.0
Comment: https://www.mailvelope.com
-----END PGP PUBLIC KEY BLOCK-----

FAQ

Q: How do we ensure that your services are up and running?

We always use totally redundant (at least two independent) Internet connections to the data centre. In case of an interruption there is an automatic transfer to a functioning connection, usually without the service being affected.

Q: How do we protect your information against cyber attacks?

  • We perform security audits and penetration testing using both internal and external experts.
  • Passwords are never stored as text but are always “hashed and salted.” This means that not even we at Visma can find out what your password is. If you lose your password, you must generate a new one.
  • All communication is via an encrypted connection.
  • Our services are tested to handle recurrent attacks from, for example, SQLi, XSS and CSRF, session hijacking, and other threats.
  • We continuously monitor our services.

Q: How do we physically protect your information?

  • Backups are taken several times daily and copies stored geographically separate from the operating environment.
  • Video monitoring and traceability of access to the premises.
  • Redundant climate control with environmental monitoring of gas, moisture, heat and water.
  • Fire alarm with automatic fire fighting equipment.
  • Uninterruptible power supply regularly tested against simulated power outages.
  • All data centres conform to recognised industry standards of physical security and reliability, including ISO/IEC 27001:2005.

Q: Have you had any external parties assess your security?

Yes, we have had several external companies assess our security. Our Visma Security group also runs continuous security assessments on all of our services.

Q: Which guarantees and conditions apply?

The relationship between Visma and our customers regarding our services is governed by Visma's terms of use.
