Data Security

Described below is how we handle data security, and how we work with security in our organisation. From GDPR, encryption, and to authentication, access control, and fail-safes. 

GDPR - bløde kanter

How do we secure your data in GDPR compliance?

We have already surpassed 150,000 users who have verified themselves through our identity platform, and over 1000 auditing, legal, and financial companies trust Creditro every day to safeguard their businesses against money laundering and fraud.

Our platform and entire solution is built for handling sensitive data and personal information. Feel free to reach out to to receive a copy of our data processing agreement.

ISAE3000 Declaration with High Level of Security

At Visma Creditro, we annually obtain an ISAE3000 declaration, which confirms that personal data is processed in accordance with GDPR.

This declaration is prepared by an independent third party and relates to Visma Creditro's compliance with data protection regulations, data protection provisions in other EU laws or national laws of member states, and the content of the data processing agreement.

ISAE 3000 - bløde kanter (1)

Prevention of Unauthorised Product Access

This is achieved through outsourced handling; we host our service with outsourced cloud infrastructure providers. Additionally, contractual relationships are maintained with suppliers to deliver the service in accordance with the data processing agreement, as per section 4.2.

Creditro relies on contractual agreements, including data processing agreements and suppliers' compliance programs, to safeguard data processed or stored by these suppliers.

Data Security Policies

Physical and environmental security

We host our product infrastructure with multi-tenant, outsourced infrastructure suppliers.

The physical and environmental security protocols are reviewed for SOC 2 Type II and ISO 27001 compliance, among other certifications.


Visma Creditro enforces a uniform password policy for our client products.

Clients who interact with our products through the user interface, must authenticate, before access is granted to non-public client data.


Client data is stored in multi-tenant storage systems, which is only available for clients through application user interfaces and application programming interfaces. Clients do not get access to the underlying application infrastructure.

The authorisation model in each of our solutions is designed to ensure that only the assigned persons can get access to relevant functions, views, and customisation options.

Authorisation for datasets is granted by validating the users permissions against the attributes attached to each dataset.

API-access (Application Programming Interface)

Public product-API’s can be accessed by an API-key or through Oauth-authorisation.

Prevention of unauthorised product access

Creditro enforces industry standard access control and detection functions for the internal networks that support our products.

Access control

Network access control mechanisms have been designed to prevent network traffic using unauthorised protocols to reach the product infrastructure.

The implemented technical features are separated from the infrastructure suppliers and includes Virtual Private Cloud (VPC) implementations, security group settings and traditional firewall rules.

Registration and breach prevention

We utilise a Web Application Firewall-solution (WAF) to protect hosted client-websites and other online applications.

WAF is designed to identify and prevent attacks against publicly accessible network services.

Static code analysis

Security reviews of code stored in our source code vaults, is being done with appropriate intervals and checks for best coding practice and identifiable software errors.

Transmission control

In transit

Creditro enables HTTPS-encryption (also known as SSL or TLS) on all login sites and makes it freely available on all customer websites hosted on our Creditro products. Our HTTPS-implementation uses standard industry algorithms and certificates.

At rest

Creditro stores user passwords according to policies following standard industry security protocols. Creditro has implemented technologies to ensure that stored data is encrypted at rest.

Access control


Visma Creditro has designed its infrastructure to log extensive information about the system behaviour, incoming traffic, system authorisation, and other application requests.

Internal systems collect log data and warn relevant employees of malicious, irregular, or unintended activities. Our personnel, including security-, maintenance-, and support personnel, are vigilant and trained to handle events.

Response and tracking

Visma Creditro maintains a log of known security events, including descriptions, dates, and timestamps of relevant activities and the disposition of the events. 

Security, maintenance, and support personnel will investigate suspected and confirmed security events and identify and document appropriate countermeasures. 

Creditro will take appropriate actions for all available events to minimise damage to clients and products or unauthorised data publication. Notifications to clients will follow the terms agreed in our contracts.

Availability control

Infrastructure availability

Infrastructure suppliers make a commercially fair effort to secure a minimum of 99,95 % uptime. The suppliers maintain a minimum of N+1 redundancy for power and network.

Fault tolerance

Backup- and replication strategies are designed to secure redundancy and failover protection during a critical system operation. Client data are backed up to multiple data storage facilities and are replicated across several availability points.

Online replicas and backups

Production databases are designed to replicate data between no less than a primary and secondary database wherever possible. All databases are backed up and maintained using industry-standard methods or better. 

Our products are designed to secure redundancy and problem-free failovers. The servers supporting our products have also been designed to prevent single points of failure. This design helps our services by maintaining and updating the product applications and backend while limiting possible downtime.