Visma has been offering cloud solutions for more than 15 years. Over the years, we have established processes, methods and technologies and embraced proven standards to meet our customers' security, privacy and accessibility needs. The nature of threats is constantly changing, so security awareness is a natural part of our development process and we constantly strive to be even better.

Services designed for security

From planning to deployment of new services or features, we follow our Security Development Lifecycle, meaning that security requirements are embedded and measured throughout the service's lifetime. Security requirements are based on a combination of legal, sector and client requirements, best practices, and compliance with privacy laws and regulations.

  • We perform security audits and penetration testing using both internal and external experts.
    • These include security testing of source code (SAST), compiled code (DAST), manual dynamic testing and operational systems (DAST + pen tests).
  • Documentation of compliance against the Security Programs is maintained and is part of the KPIs for the management of Visma in the different companies.
  • Our services are tested to ensure resilience against attacks like SQLi, XSS and CSRF, session hijacking, and other threats. Our baseline is OWASP top 10.
  • The minimum Security Requirements that all development teams follow are:
    • Passwords are never stored as text but are always “hashed and salted” server side. This means that even we at Visma are unable to find out what your password is. If you lose your password, you must generate a new one in your trusted environment.
    • Communication is always via an encrypted connection.

Monitoring and protection

Once our services are made available to our customers, they are carefully monitored. This includes continuous scanning for vulnerabilities, monitoring of intrusion attempts and abuse detection, denial-of-service (DDoS) attack prevention, frequent penetration testing, and data analytics to make sure that the operation is stable and secure.

Physical protection

For public cloud solutions, we use the vendor’s data centres for storage of information. They run around the clock and ensure operations by protecting against power outage, physical intrusion and network outage. These data centres conform to recognised industry standards of physical security and reliability.

For information regarding hosting of our different services, see data centres in our Transparency section.

Secure hybrid systems

Our transactional services, such as AutoInvoice and AutoPay, connect our clients’ on-premise systems with today’s modern digital information flows. This creates hybrid environments where maintaining data security has traditionally been a challenge.

Visma is fully committed to providing state-of-the-art data security for all hybrid combinations of on-premise systems and networked solutions our clients operate.

By using the Visma On Premises Gateway add-on service, you can set up a secure communication channel between your Visma on-premise system and your networked Visma solution.

The data flow between the client’s on-premise installation and any network resource will be protected by industry standard SSH encryption. Installation of the On Premises Gateway is simple, and requires no special technical knowledge or resources.

For further questions or more in-depth information, please get in touch with us at

Incident management

When incidents occur, we have a dedicated Security Incident team that provides the necessary co-ordination, management, feedback and communication. They are also responsible for assessing, responding to and learning from information security incidents, to make sure that we minimise the risk of them recurring. Incidents are reported for general products or for the product line, where customers can follow the progress of resolving the issues.

Protection of information

  • All our staff are covered by confidentiality agreements.
  • All Visma staff are located in Europe.
  • Our staff only have access to the systems and functions they need to perform their tasks.
  • Our staff are bound by guidelines and rules as well as supervised and monitored when accessing client specific information.
  • Access to your stored information is limited to a few people in operations and technical support. Other support staff can only see your information when you actively approve it, for example via a support case. We comply with applicable rules of retention of accounting records.
  • Visma has extensive internal security guidelines and security reviews, as well as a strong security organisation.

Redundancy: A method to increase reliability by allowing two or more units (e.g. network or hardware) to work in parallel with the same information, mirroring each other. If one of them breaks down, the other one takes over.
Anycast network: An industry standard for addressing name resolution traffic (DNS) over the internet that gives servers the highest possible availability across the world and helps to withstand cyber-attacks.
Penetration testing: A controlled way to identify security weaknesses in our systems by contracting professional testers to attack our systems and share their findings with the development teams. This helps our development and operations teams to strengthen our security.
Hashing: A cryptographic hash function is a mathematical algorithm that maps data of arbitrary size to a bit string of a fixed size, and which is designed to be a one-way function, that is, a function which is infeasible to invert. The only way to recreate the input data from an ideal cryptographic hash function's output is to try a large number of possible inputs to see if one produces a match.
Salting: A method to protect stored passwords by adding random data (the salt) to the password before it is hashed. The primary function of salts is to defend against dictionary attacks against a list of password hashes and against pre-computed rainbow table attacks.
SQLi: SQL injection is a way to exploit a security vulnerability in applications that work with a database. The idea is to make the application issue a database query that circumvents the login system and allows manipulation of the data.
XSS: Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted web sites.
CSRF: Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated.

Responsible Disclosure Policy

The information on this page is intended for security researchers interested in reporting security vulnerabilities to the Visma security team. If you are a customer and have a question about security or a password or account issue, please contact us through the standard support channels available for your product.

Visma is committed to the security of our customers and their data and we believe that engaging with the security community is important. We allocate resources to fix and patch vulnerabilities as soon as they are discovered by internal tests, researchers, or customers. If you believe you've discovered a security vulnerability in a Visma service, product or web property, we strongly encourage you to inform us as quickly as possible and to not disclose the vulnerability publicly until it has been addressed.

Visma does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to our Responsible Disclosure guidelines.

Responsible Disclosure Guidelines

  • Provide an appropriate level of detail on the vulnerability so that we can reproduce the issue.
  • Allow us a reasonable time period to address the issue before publishing any information or details about the vulnerability.
  • Target only your own accounts and devices when investigating and testing a vulnerability. Never attempt to access accounts, devices, or data that you don't own or don't have permission to access.
  • Do not use phishing or social engineering.

How to Report a Security Vulnerability

  1. Send a mail to If you feel that the email should be encrypted, our PGP key is available below.
  2. You will get an automated response confirming that we have registered the issue.
  3. A support ticket is automatically created and assigned to a Security Analyst.
  4. The Security Analyst will triage the issue and escalate to the correct team within Visma.
  5. The issue is fixed!

We believe in open communications and will keep you updated throughout this process. We aim to triage all reports within 12 business hours and address all vulnerabilities within 30 days.

Our PGP key

Q: How do we ensure that your services are up and running?

We always use totally redundant (at least two independent) Internet connections to the data centre. In case of an interruption there is an automatic transfer to a functioning connection, usually without the service being affected.

Q: How do we protect your information against cyber attacks?

  • We perform security audits and penetration testing using both internal and external experts.
  • Passwords are never stored as text but are always “hashed and salted.” This means that not even we at Visma can find out what your password is. If you lose your password, you must generate a new one.
  • All communication is via an encrypted connection.
  • Our services are tested to handle recurrent attacks from, for example, SQLi, XSS and CSRF, session hijacking, and other threats.
  • We continuously monitor our services.

Q: How do we physically protect your information?

  • Backups are taken several times daily and copies stored geographically separate from the operating environment.
  • Video monitoring and traceability of access to the premises.
  • Redundant climate control with environmental monitoring of gas, moisture, heat and water.
  • Fire alarm with automatic fire fighting equipment.
  • Uninterruptible power supply regularly tested against simulated power outages.
  • All data centres conform to recognised industry standards of physical security and reliability, including ISO/IEC 27001:2005.

Q: Have you had any external parties assess your security?

Yes, we have had several external companies assess our security. Our Visma Security group also runs continuous security assessments on all of our services.

Q: Which guarantees and conditions apply?

The relationship between Visma and our customers regarding our services is governed by Visma's terms of use.
