Data Security
Described below is how we handle data security and how we work with security in our organisation: from GDPR and encryption to authentication, access control, and fail-safes.
How do we secure your data in GDPR compliance?
Our platform and entire solution are built around handling sensitive data and personal information. Therefore, we annually obtain an ISAE3000 statement, which is a statement about how personal data is handled in compliance with GDPR.
Download Visma Creditro's ISAE3000 statement here.
The statement is prepared by an independent third party regarding Visma Creditro's compliance with the General Data Protection Regulation, data protection provisions in other EU law or national law of member states, as well as the content of the data processor agreement.
More than 150,000 users have already verified themselves with our identity platform, and more than 450 accountants, law firms and financial businesses use Creditro daily to secure their business against money laundering and fraud.
You can always write to info@creditro.com to receive a copy of your data processor agreement.
Prevention of unauthorized product access
Hosting is an outsourced service: we host our service with an outsourced cloud-based infrastructure supplier. Contractual relations are maintained with suppliers to deliver the service in accordance with the data processor agreement, cf. § 4.2.
Creditro relies on contractual agreements, including data processor agreements and compliance programmes from suppliers, to secure data processed or stored by those suppliers.
Read more about our data security policies
Physical and environmental security
We host our product infrastructure with multi-tenant, outsourced infrastructure suppliers.
The physical and environmental security protocols are reviewed for SOC 2 Type II and ISO 27001 compliance, among other certifications.
Authentication
Visma Creditro enforces a uniform password policy for our client products.
Clients who interact with our products through the user interface must authenticate before access is granted to non-public client data.
Authorization
Client data is stored in multi-tenant storage systems, which are only available to clients through application user interfaces and application programming interfaces. Clients do not get access to the underlying application infrastructure.
The authorization model in each of our solutions is designed to ensure that only the assigned persons can get access to relevant functions, views, and customization options.
Authorization for datasets is granted by validating the user's permissions against the attributes attached to each dataset.
API access (Application Programming Interface)
Public product APIs can be accessed with an API key or through OAuth authorization.
Prevention of unauthorized product access
Creditro enforces industry standard access control and detection functions for the internal networks that support our products.
Access control
Network access control mechanisms have been designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure.
The implemented technical measures are separate from those of the infrastructure suppliers and include Virtual Private Cloud (VPC) implementations, security group settings, and traditional firewall rules.
Registration and breach prevention
We utilize a Web Application Firewall (WAF) solution to protect hosted client websites and other online applications.
The WAF is designed to identify and prevent attacks against publicly accessible network services.
Static code analysis
Security reviews of code stored in our source code repositories are performed at appropriate intervals and check for coding best practices and identifiable software errors.
Transmission control
In transit
Creditro enables HTTPS encryption (TLS, also referred to as SSL) on all login pages and makes it freely available on all customer websites hosted on our Creditro products. Our HTTPS implementation uses industry-standard algorithms and certificates.
At rest
Creditro stores user passwords according to policies that follow industry-standard security practices. Creditro has implemented technologies to ensure that stored data is encrypted at rest.
Access control
Registration
Visma Creditro has designed its infrastructure to log extensive information about the system behavior, incoming traffic, system authorization, and other application requests.
Internal systems collect log data and alert relevant employees to malicious, irregular, or unintended activity. Our security, maintenance, and support personnel are vigilant and trained to handle such events.
Response and tracking
Visma Creditro maintains a log of known security events, including descriptions, dates, and timestamps of relevant activities and the disposition of the events.
Security, maintenance, and support personnel will investigate suspected and confirmed security events and identify and document appropriate countermeasures.
Creditro will take appropriate action on all identified events to minimize damage to clients and products and to prevent unauthorized disclosure of data. Notifications to clients will follow the terms agreed in our contracts.
Availability control
Infrastructure availability
Infrastructure suppliers make commercially reasonable efforts to ensure a minimum of 99.95% uptime. The suppliers maintain a minimum of N+1 redundancy for power and network.
Fault tolerance
Backup and replication strategies are designed to ensure redundancy and failover protection during critical system operations. Client data is backed up to multiple data storage facilities and replicated across several availability points.
Online replicas and backups
Production databases are designed to replicate data between at least a primary and a secondary database wherever possible. All databases are backed up and maintained using industry-standard methods or better.
Our products are designed to ensure redundancy and seamless failover. The servers supporting our products are also designed to avoid single points of failure. This design lets us maintain and update the product applications and backend while limiting possible downtime.
You can learn more about our products here:
Read more about our compliance solution, Creditro Comply. Creditro Comply delivers automated handling of KYC processes and risk assessments based on intelligent data. Creditro is always up to date with current legislation, so you can rest assured that your business remains compliant. Our solution can automate your processes and save you up to 95% of the time spent on KYC-related work. In fact, our customers end up using less than 5 minutes per KYC case.
Read more about Creditro for accountants. Our platform can also give you preliminary risk assessments, and in connection with your KYC check you can automatically obtain a credit assessment of your client while simultaneously screening for fraud.
Read more about Creditro for lawyers. As a lawyer, you must always be well equipped to detect fraud. With Creditro, your ability to detect and screen for financial crime becomes more efficient, because our intelligent tools never sleep: they provide constant, real-time, in-depth knowledge and an overview of your clients.
Read more about Creditro for financial industries. With our compliance platform you can save up to 75% of the manual workload associated with KYC-related tasks. In short, we put your clients through an automatic KYC check and set up rules and variables to determine which clients can be automatically approved and which need further investigation.