People will not use technology they do not trust. Demonstrating that our products and services are secure, and protects your privacy, is crucial for building that trust.
We protect your security and privacy through organisational, technical and physical measures, comprised of strict policies, industry- level standards and technical systems of compliance. These measures are designed to protect the confidentiality, integrity, availability of your data, and the resilience and legal compliance of our products and services.
The objective is to enable both the customer and Visma to operate our products and services in a secure and compliant manner, including with regards to the rights of individuals registered in the systems:
In connection with the GDPR, we have revised and improved our entire internal system of compliance, from the product roadmap and up to the data processing agreement found in our Terms of Service.
These pages describe this system in detail.
Our approach to security and privacy
In Visma Software SMB, we have a bottom-up approach to security and privacy, which means that rather than having a large, centralised security organisation, we focus on the development teams:
The development teams are the teams that build and run the products and services you use. They are the ones who know the product intimately, its strengths, weaknesses and context:
These pages describe many technical and organisational systems, measures and processes. However, at the end of the day, our software is made by people.
We focus on the people.
All employees in Visma have confidentiality- clauses in their employment contracts, and go through a two- part basic e-learning course in privacy annually. The development teams (and other teams or employees) receive additional training and support tailored to their needs and requirements. For example, most teams have a dedicated Security Engineer, who receives additional training in security and privacy. The Security Engineer works closely with the Security Team:
We have a dedicated Security Team and Security Operations Centre, which focuses on specialist guidance of the development teams, and providing assets and resources for them, such as threat intelligence, vulnerability scanning tools and best practices in areas such as encryption.
The Security Team also assemble and manage incident response teams if required (please see here for a description).
Our dedicated Data Protection Manager is also available for the teams. The Data Protection Manager, together with the Security Team, supports and guides the development teams through the laborious internal certification process for security and privacy, both in the design- and operational phases.
We believe that enabling the teams to take this responsibility for "their" product or service yields a far better level of security and privacy than the more traditional approach of “write code and hand it off to Operations”, just as having our Security Team and Data Protection Manager working hands-on on a day-to-day basis with the teams is a far better use of their competence than having them monitor systems and writing reports and policies (we do that also).
Visma’s corporate security and privacy framework
The Visma group has an extensive framework for security and privacy. This includes policies, guidelines, a corporate Chief Information Security Officer, Data Protection Council and Data Protection Officer, as mandated by the GDPR (General Data Protection Regulation). Starting from 2017, every employee in Visma has to go through an e-learning course in privacy.
Every company in Visma are subject to these controls and frameworks, which includes data processing agreements updated for the GDPR between all Visma- companies. Every company reports to the Data Protection Council annually on things like mandatory privacy- training of personnel, use of sub- processors, risk, security incidents and compliance with the corporate policies. The council in turn reports to Visma group management and owners.
You can find more information about the GDPR and privacy in the Visma group here: