Visma has been offering cloud solutions for more than 15 years. Over the years, we have established processes, methods and technologies and embraced proven standards to meet our customers' security, privacy and accessibility needs. The nature of threats is constantly changing, so security awareness is a natural part of our development process and we constantly strive to be even better.

Services designed for security

From planning to deployment of new services or features, we follow our Security Development Lifecycle, meaning that security requirements are embedded and measured throughout the service's lifetime. Security requirements are derived from a combination of legal, sector-specific and client requirements, industry best practices, and compliance with privacy laws and regulations.

  • We perform security audits and penetration testing using both internal and external experts.
    • These include security testing of source code (SAST), of compiled code (DAST), manual dynamic testing, and testing of operational systems (DAST + penetration tests).
  • Documentation of compliance against the Security Programs is maintained and is part of the KPIs for the management of Visma in the different companies.
  • Our services are tested to ensure resilience against attacks like SQLi, XSS and CSRF, session hijacking, and other threats. Our baseline is the OWASP Top 10.
  • The minimum security requirements that all development teams follow are:
    • Passwords are never stored as plain text but are always “hashed and salted” server side. This means that even we at Visma are unable to find out what your password is. If you lose your password, you must generate a new one in your trusted environment.
    • Communication is always via an encrypted connection.

Monitoring and protection

When we make our services available to our customers, they are carefully monitored. This includes continuous vulnerability scanning, monitoring of intrusion attempts, abuse detection, distributed denial-of-service (DDoS) attack prevention, frequent penetration testing, and data analytics to make sure that operations are stable and secure.

Physical protection

For public cloud solutions, we use the vendor’s data centres for storage of information. They run around the clock and ensure operations by protecting against power outage, physical intrusion and network outage. These data centres conform to recognised industry standards of physical security and reliability.

For information regarding hosting of our different services, see data centres in our Transparency section.

Incident management

When incidents occur, we have a dedicated Security Incident team that provides the necessary co-ordination, management, feedback and communication. They are also responsible for assessing, responding to and learning from information security incidents to make sure that we minimise the risk of them recurring. Incidents are reported either for products in general or per product line, so that customers can follow the progress of resolving the issues.

Protection of information

  • All our staff are covered by confidentiality agreements.
  • All Visma staff are located in Europe.
  • Our staff only have access to the systems and functions they need to perform their tasks.
  • Our staff are bound by guidelines and rules as well as supervised and monitored when accessing client specific information.
  • Access to your stored information is limited to a few people in operations and technical support. Other support staff can only see your information when you actively approve it, for example via a support case. We comply with applicable rules of retention of accounting records.
  • Visma has extensive internal security guidelines, security reviews as well as a strong security organisation.

Redundancy: A method to increase reliability by allowing two or more units (e.g. network or hardware) to work in parallel with the same information, each mirroring the other. If one of them breaks down, the other one takes over.
Anycast network: An industry standard for addressing name resolution traffic (DNS) over the internet that gives servers the highest possible availability across the world and prevents cyber-attacks.
Penetration testing: A controlled way to identify security weaknesses in our systems by contracting professional testers to attack our systems and share their findings with the development teams. This helps our development and operations teams to strengthen our security.
Hashing: A cryptographic hash function is a mathematical algorithm that maps data of arbitrary size to a bit string of a fixed size (a hash function) and is designed to also be a one-way function, that is, a function which is infeasible to invert. The only way to recreate the input data from an ideal cryptographic hash function's output is to try a large number of possible inputs to see if any produces a match.
Salting: A method to prevent password cracking by adding extra data (the salt) before or after the password prior to hashing it. The primary function of salts is to defend against dictionary attacks against a list of password hashes and against pre-computed rainbow table attacks.
SQLi: SQL injection is a way to exploit a security vulnerability in applications working with a database. The idea is to make a direct database query that circumvents the login system and allows manipulation of the data.
XSS: Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted web sites.
CSRF: Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated.


Q: How do we ensure that your services are up and running?

We always use totally redundant (at least two independent) Internet connections to the data centre. In case of an interruption there is an automatic transfer to a functioning connection, usually without the service being affected.

Q: How do we protect your information against cyber attacks?

  • We perform security audits and penetration testing using both internal and external experts.
  • Passwords are never stored as text but are always “hashed and salted.” This means that not even we at Visma can find out what your password is. If you lose your password, you must generate a new one.
  • All communication is via an encrypted connection.
  • Our services are tested to withstand recurring attacks such as SQLi, XSS and CSRF, session hijacking, and other threats.
  • We continuously monitor our services.

Q: How do we physically protect your information?

  • Backups are taken several times daily and copies stored geographically separate from the operating environment.
  • Video monitoring and traceability of access to the premises.
  • Redundant climate control with environmental monitoring of gas, moisture, heat and water.
  • Fire alarm with automatic fire fighting equipment.
  • Uninterruptible power supply regularly tested against simulated power outages.
  • All data centres conform to recognised industry standards of physical security and reliability, including ISO/IEC 27001:2005.

Q: Have you had any external parties assess your security?

Yes, we have had several external companies assess our security. Our Visma Security group also runs continuous security assessments on all of our services.

Q: Which guarantees and conditions apply?

The relationship between Visma and our customers regarding our services is governed by Visma's terms of use.