Data Security

We host our product infrastructure with multi-tenant, outsourced infrastructure suppliers.

The physical and environmental security protocols are reviewed for SOC 2 Type II and ISO 27001 compliance, among other certifications.

Visma Creditro enforces a uniform password policy for our client products.

Clients who interact with our products through the user interface, must authenticate, before access is granted to non-public client data.

Client data is stored in multi-tenant storage systems, which is only available for clients through application user interfaces and application programming interfaces. Clients do not get access to the underlying application infrastructure.

The authorization model in each of our solutions is designed to ensure that only the assigned persons can get access to relevant functions, views, and customization options.

Authorization for datasets is granted by validating the users permissions against the attributes attached to each dataset.

Public product-API’s can be accessed by an API-key or through Oauth-authorization.

Creditro enforces industry standard access control and detection functions for the internal networks that support our products.

Network access control mechanisms has been designed to prevent network traffic using unauthorized protocols to reach the product infrastructure.

The implemented technical features is seperated from the infrastructure suppliers and includes Virtual Private Cloud (VPC) implementations, security group settings and traditional firewall rules.

We utilize a Web Application Firewall-solution (WAF) to protect hosted client-websites and other online applications.

WAF is designed to identify and prevent attacks against publicly accessible network services.

Security reviews of code stored in our source code vaults, is being done with appropriate intervals and checks for best coding practice and identifiable software errors.

In transit

Creditro enables HTTPS-encryption (also known as SSL or TLS) on all login sites and makes it freely available on all customer websites hosted on our Creditro products. Our HTTPS-implementation uses standard industry algorithms and certificates.

At rest

Creditro stores user passwords according to policies following standard industry security protocols. Creditro has implemented technologies to ensure that stored data is encrypted at rest.

Registration

Visma Creditro has designed its infrastructure to log extensive information about the system behavior, incoming traffic, system authorization, and other application requests.

Internal systems collect log data and warn relevant employees of malicious, irregular, or unintended activities. Our personnel, including security-, maintenance-, and support personnel, are vigilant and trained to handle events.

Response and tracking

Visma Creditro maintains a log of known security events, including descriptions, dates, and timestamps of relevant activities and the disposition of the events. 

Security, maintenance, and support personnel will investigate suspected and confirmed security events and identify and document appropriate countermeasures. 

Creditro will take appropriate actions for all available events to minimize damage to clients and products or unauthorized data publication. Notifications to clients will follow the terms agreed in our contracts.

Infrastructure availability

Infrastructure suppliers make a commercially fair effort to secure a minimum of 99,95 % uptime. The suppliers maintain a minimum of N+1 redundancy for power and network.

Fault tolerance

Backup- and replication strategies are designed to secure redundancy and failover protection during a critical system operation. Client data are backed up to multiple data storage facilities and are replicated across several availability points.

Online replicas and backups

Production databases are designed to replicate data between no less than a primary and secondary database wherever possible. All databases are backed up and maintained using industry-standard methods or better. 

Our products are designed to secure redundancy and problem-free failovers. The servers supporting our products have also been designed to prevent single points of failure. This design helps our services by maintaining and updating the product applications and backend while limiting possible downtime.