Security

Visma has been offering cloud solutions for more than 15 years. We have established processes, methods and technologies and embraced proven standards to ensure security and accessibility for our customers. The nature of threats is constantly changing, so security awareness is a natural part of our development process and we constantly strive to be even better.
This section uses technical terms and expressions; a glossary explaining the most common ones is linked from this page.

Physical protection


Data in Visma's cloud systems is stored in data centres in Europe and handled in accordance with European regulations and requirements on the protection of data privacy. Physical measures to protect data include:

  • Locked and alarmed premises with 24/7 surveillance.
  • External and internal video monitoring and traceability of access to the premises.
  • Environmental control.
  • Uninterruptible power supply, regularly tested with simulated power outages.

National legislation requires some data to be stored in specific countries. Read more about Visma's storage according to national requirements on the Transparency site.

Services designed for security

From planning to deployment of new services or features, we follow our Security Development Lifecycle, meaning that security requirements are embedded and measured throughout the service's lifetime. Security requirements are derived from legal, sector-specific and client requirements, best practices, and compliance with privacy laws and regulations.

  • We perform security audits and penetration testing using both internal and external experts.
  • These include static analysis of source code (SAST), testing of compiled builds, manual dynamic testing, and dynamic testing plus penetration tests of operational systems (DAST + pentests).
  • Documentation of compliance against the security programmes is maintained and forms part of the KPIs for the management of the individual Visma companies.
  • Our services are tested to ensure resilience against attacks such as SQL injection (SQLi), cross-site scripting (XSS), cross-site request forgery (CSRF), session hijacking and other threats. Our baseline is the OWASP Top 10.
  • The minimum security requirements that all development teams follow are:
    • Passwords are never stored in clear text; they are always salted and hashed server side. This means that even we at Visma cannot find out what your password is. If you forget your password, you must reset it and set a new one from your trusted environment.
    • Communication is always over an encrypted connection.

Monitoring and protection

Once our services are made available to customers, they are carefully monitored. This includes continuous vulnerability scanning, monitoring of intrusion attempts and abuse detection, denial-of-service (DDoS) attack prevention, frequent penetration testing, and data analytics to make sure that operations remain stable and secure.

Secure hybrid systems

Our transactional services, such as Visma.net AutoInvoice and Visma.net AutoPay, connect our clients’ on-premise systems with today’s modern digital information flows. This creates hybrid environments where maintaining data security has traditionally been a challenge.


Visma is fully committed to providing state-of-the-art data security for all hybrid combinations of on-premise systems and networked solutions that our clients operate.

By using the Visma On Premises Gateway add-on service, you can set up a secure communication channel between your Visma on-premise system and your networked Visma solution.

The data flow between the client's on-premise installation and any network resource is protected by industry-standard SSH encryption. Installation of the On Premises Gateway is simple and requires no special technical knowledge or resources.

For further questions or more in-depth information, please get in touch with us at privacy@visma.com.


Incident management

When incidents occur, we have a dedicated Security Incident team that provides the necessary coordination, management, feedback and communication. The team is also responsible for assessing, responding to and learning from information security incidents, to make sure that we minimise the risk of them recurring. Incidents are reported on https://status.visma.com for general products and on https://status.visma.net for the Visma.net product line, where customers can follow the progress of resolving the issue.

Protection of information

  • All our staff are covered by confidentiality agreements.
  • All Visma staff are located in Europe.
  • Our staff only have access to the systems and functions they need to perform their tasks.
  • Our staff are bound by guidelines and rules as well as supervised and monitored when accessing client specific information.
  • Access to your stored information is limited to a few people in operations and technical support. Other support staff can only see your information when you actively approve it, for example via a support case. We comply with applicable rules of retention of accounting records.
  • Visma has extensive internal security guidelines and security reviews, as well as a strong security organisation.



Security Operations Centre

The Security Operations Centre (SOC) is our central security and intelligence hub. The SOC provides our development and other teams with actionable intelligence and takes an active part when events occur. The SOC is an integral part of our event management system and focuses on monitoring, collection and analysis of data to help the teams protect our services.


Responsible Disclosure Policy

The information on this page is intended for security researchers interested in reporting security vulnerabilities to the Visma security team. If you are a customer and have a question about security or a password or account issue, please contact us through the standard support channels available for your product.

Visma is committed to the security of our customers and their data and we believe that engaging with the security community is important. We allocate resources to fix and patch vulnerabilities as soon as they are discovered by internal tests, researchers, or customers. If you believe you've discovered a security vulnerability in a Visma service, product or web property, we strongly encourage you to inform us as quickly as possible and to not disclose the vulnerability publicly until it has been addressed.

Visma does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to our Responsible Disclosure guidelines.

Responsible Disclosure Guidelines

  • Provide an appropriate level of detail on the vulnerability so that we can reproduce the issue.
  • Allow us a reasonable time period to address the issue before publishing any information or details about the vulnerability.
  • Target only your own accounts and devices when investigating and testing a vulnerability. Never attempt to access accounts, devices, or data that you don't own or don't have permission to access.
  • Do not use phishing or social engineering.

How to Report a Security Vulnerability

  1. Send an email to responsible-disclosure@visma.com. If you feel that the email should be encrypted, our PGP key is available below.
  2. You will get an automated response confirming that we have registered the issue.
  3. A support ticket is automatically created and assigned to a Security Analyst.
  4. The Security Analyst will triage the issue and escalate to the correct team within Visma.
  5. The issue is fixed!

We believe in open communications and will keep you updated throughout this process. We aim to triage all reports within 12 business hours and address all vulnerabilities within 30 days.

Our PGP key

Our PGP key is available via the link on this page; use it to encrypt reports that contain sensitive details.

FAQ

Q: How do we ensure that your services are up and running?

We always use fully redundant (at least two independent) Internet connections to the data centre. If one connection is interrupted, traffic fails over automatically to a working connection, usually without the service being affected.

Q: How do we protect your information against cyber attacks?

  • We perform security audits and penetration testing using both internal and external experts.
  • Passwords are never stored in clear text; they are always salted and hashed. This means that not even we at Visma can find out what your password is. If you forget your password, you must reset it and set a new one.
  • All communication is over an encrypted connection.
  • Our services are tested to withstand common attacks such as SQL injection (SQLi), cross-site scripting (XSS), cross-site request forgery (CSRF), session hijacking and other threats.
  • We continuously monitor our services.

Q: How do we physically protect your information?

  • Backups are taken several times daily and copies stored geographically separate from the operating environment.
  • Video monitoring and traceability of access to the premises.
  • Redundant climate control with environmental monitoring of gas, moisture, heat and water.
  • Fire alarm with automatic fire fighting equipment.
  • Uninterruptible power supply, regularly tested with simulated power outages.
  • All data centres conform to recognised industry standards of physical security and reliability, including ISO/IEC 27001:2005.

Q: Have you had any external parties assess your security?

Yes, several external companies have assessed our security. Our Visma Security group also runs continuous security assessments on all of our services.

Q: Which guarantees and conditions apply?

The relationship between Visma and our customers regarding our services is governed by Visma's terms of use.
