Described below is how we handle data security and how we work with security in our organisation. It covers GDPR, encryption, authentication, access control, and fail-safes.
How do we secure your data in GDPR compliance?
We have already surpassed 150,000 users who have verified themselves through our identity platform, and over 600 auditing, legal, and financial companies trust Creditro every day to safeguard their businesses against money laundering and fraud.
Our platform and entire solution are built around the handling of sensitive data and personal information. Feel free to reach out to email@example.com to receive a copy of your data processing agreement.
ISAE3000 Declaration with High Level of Security
At Visma Creditro, we annually obtain an ISAE3000 declaration, which confirms that personal data is processed in accordance with GDPR.
This declaration is prepared by an independent third party regarding Visma Creditro's compliance with data protection regulations, data protection provisions in other EU laws or national laws of member states, and the content of the data processing agreement.
Prevention of unauthorized product access
This is achieved through outsourced handling; we host our service with outsourced cloud infrastructure providers. Additionally, contractual relationships are maintained with suppliers to deliver the service in accordance with the data processing agreement, as per section 4.2.
Creditro relies on contractual agreements, including data processing agreements and suppliers' compliance programs, to safeguard data processed or stored by these suppliers.
Data Security Policies
Physical and environmental security
We host our product infrastructure with multi-tenant, outsourced infrastructure suppliers.
The physical and environmental security protocols are reviewed for SOC 2 Type II and ISO 27001 compliance, among other certifications.
Visma Creditro enforces a uniform password policy for our client products.
Clients who interact with our products through the user interface must authenticate before access is granted to non-public client data.
Client data is stored in multi-tenant storage systems, which are only available to clients through application user interfaces and application programming interfaces. Clients do not get access to the underlying application infrastructure.
The authorization model in each of our solutions is designed to ensure that only the assigned persons can get access to relevant functions, views, and customization options.
Authorization for datasets is granted by validating the user's permissions against the attributes attached to each dataset.
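As an added illustration of the dataset authorization model described above (example code, not Creditro's own): a fail-closed check that validates a user's permissions against the attributes attached to a dataset, enforcing tenant isolation before anything else. The role names, classifications and sample records are assumptions.

```python
"""Added example, not Creditro's code: attribute-based dataset authorization.
Every check must pass; anything unknown or unmatched is denied."""
from dataclasses import dataclass

# Constructed roles and the dataset classifications each role may read.
ROLE_READ_CLASSIFICATIONS = {
    "analyst": {"public", "internal"},
    "compliance_officer": {"public", "internal", "kyc"},
    "admin": {"public", "internal", "kyc"},
}

@dataclass(frozen=True)
class Dataset:
    dataset_id: str
    tenant_id: str                   # owning client organisation
    classification: str              # attribute: public / internal / kyc
    owners: frozenset = frozenset()  # user ids allowed to write

@dataclass(frozen=True)
class User:
    user_id: str
    tenant_id: str
    roles: frozenset

def authorize(user: User, dataset: Dataset, action: str) -> bool:
    """Return True only when every attribute check passes (deny by default)."""
    # 1. Multi-tenant isolation: a user never crosses client boundaries.
    if user.tenant_id != dataset.tenant_id:
        return False
    # 2. Dataset classification attribute vs. the permissions of the user's roles.
    readable = set().union(*(ROLE_READ_CLASSIFICATIONS.get(r, set()) for r in user.roles))
    if dataset.classification not in readable:
        return False
    if action == "read":
        return True
    # 3. Writes additionally require dataset ownership or the admin role.
    if action == "write":
        return user.user_id in dataset.owners or "admin" in user.roles
    return False  # unknown action: fail closed

# Constructed sample records for a stand-alone run.
KYC_DATASET = Dataset("ds-1", "tenant-a", "kyc", frozenset({"u-2"}))
ANALYST = User("u-1", "tenant-a", frozenset({"analyst"}))
OFFICER = User("u-2", "tenant-a", frozenset({"compliance_officer"}))
OTHER_TENANT_ADMIN = User("u-3", "tenant-b", frozenset({"admin"}))

if __name__ == "__main__":
    for who in (ANALYST, OFFICER, OTHER_TENANT_ADMIN):
        print(who.user_id, "read:", authorize(who, KYC_DATASET, "read"))
```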
API access (Application Programming Interface)
Public product APIs can be accessed with an API key or through OAuth authorization.
Prevention of unauthorized product access
Creditro enforces industry standard access control and detection functions for the internal networks that support our products.
Network access control mechanisms have been designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure.
The implemented technical measures are separate from those of the infrastructure suppliers and include Virtual Private Cloud (VPC) implementations, security group settings, and traditional firewall rules.
Registration and breach prevention
We utilize a Web Application Firewall (WAF) solution to protect hosted client websites and other online applications.
The WAF is designed to identify and prevent attacks against publicly accessible network services.
Static code analysis
Security reviews of code stored in our source code repositories are performed at appropriate intervals and check for coding best practices and identifiable software errors.
Creditro enables HTTPS encryption (also known as SSL or TLS) on all login sites and makes it freely available on all customer websites hosted on our Creditro products. Our HTTPS implementation uses standard industry algorithms and certificates.
Creditro stores user passwords according to policies following standard industry security protocols. Creditro has implemented technologies to ensure that stored data is encrypted at rest.
Visma Creditro has designed its infrastructure to log extensive information about the system behavior, incoming traffic, system authorization, and other application requests.
Internal systems collect log data and warn relevant employees of malicious, irregular, or unintended activities. Our personnel, including security, maintenance, and support personnel, are vigilant and trained to handle events.
Response and tracking
Visma Creditro maintains a log of known security events, including descriptions, dates, and timestamps of relevant activities and the disposition of the events.
Security, maintenance, and support personnel will investigate suspected and confirmed security events and identify and document appropriate countermeasures.
Creditro will take appropriate action on all reported events to minimize damage to clients and products and to prevent unauthorized disclosure of data. Notifications to clients will follow the terms agreed in our contracts.
Infrastructure suppliers make a commercially reasonable effort to secure a minimum of 99.95% uptime. The suppliers maintain a minimum of N+1 redundancy for power and network.
Backup and replication strategies are designed to secure redundancy and failover protection during critical system operations. Client data is backed up to multiple data storage facilities and is replicated across several availability points.
Online replicas and backups
Production databases are designed to replicate data between at least a primary and a secondary database wherever possible. All databases are backed up and maintained using industry-standard methods or better.
Our products are designed to secure redundancy and problem-free failovers. The servers supporting our products have also been designed to avoid single points of failure. This design lets us maintain and update the product applications and backend while limiting possible downtime.