Information security and privacy

Information security procedures

At Trapets, we take data security and integrity seriously and follow strict measures and procedures to protect our and our customers' data.

Data security and integrity

We prioritise the security and integrity of data, which is why we have an information security management system and a comprehensive information security policy framework. We have been certified according to ISO27001 since 2018.

The information security and privacy management system is governed by the Chief Executive Officer (CEO) and supported by the Data Protection Officer (DPO) and Chief Information Security Officer (CISO). 

Our information security policy framework includes information classification, business continuity and disaster recovery, back-ups, access management, risk and incident management, encryption and secure development.

Data privacy

We understand and respect the importance of data privacy and comply with the General Data Protection Regulation (GDPR). We only process personal data for legitimate purposes and with appropriate safeguards. In addition to the GDPR, some of the personal data we process for our customers are also covered by legislation on bank secrecy or similar legislation. We are committed to governing privacy accordingly.

Information security measures

To prevent any unauthorised or unlawful access, use, disclosure, modification, or destruction of data, we implement various technical and organisational measures, such as:

  • Storing and processing data in multiple locations within Europe to ensure availability and resilience.
  • Encrypting data in transit and at rest using advanced encryption standards and protocols.
  • Enforcing strong password policies and multi-factor authentication for all our users and systems.
  • Using anti-malware, firewall, IPS, and DDoS protection tools to detect and block any malicious or suspicious activity.
  • Backing up data regularly and storing it in geographically redundant locations with encryption and access control.
  • Assigning different access rights and privilege levels to users and groups based on their roles and responsibilities.
  • Restricting server access to authorised personnel only through a jump host, MFA, and dedicated VPN.
  • Applying security patches and updates to all our devices and systems.
  • Enforcing idle timeout policies for VPN, clients, applications, and servers.
  • Providing security awareness training sessions and quizzes to all our staff annually.
  • Training our developers on the OWASP Top 10 web application security risks and how to prevent them.
  • Scanning our code for any errors, vulnerabilities, or quality issues before deployment.
  • Conducting regular penetration testing and vulnerability scanning by external and internal experts.
  • Separating different functions and tasks among various staff members to prevent conflicts of interest, fraud, or errors.
  • Conducting internal and external security audits to verify the effectiveness of our security controls and compliance with relevant standards and regulations.
  • Maintaining a dedicated incident response team and a security operations centre that monitors, analyses, responds to, reports, and escalates any security events or issues 24/7/365.
  • Only allowing access to our systems and applications from trusted IP addresses or domains.

Trapets' privacy management

Do you have any questions or need more information regarding information security and data privacy?