Security & Privacy

Information security is important to you. We feel the same way... why else would our company motto be: Security First! This page will go into detail about our approach to information security and privacy in order to give you the confidence that your information deserves.

ISO 27001:2017 Certification

ISO 27001 is the international standard that provides a framework for organizations to independently demonstrate that they are in control of their Information Security. Avisi has been ISO 27001:2017 certified since 2017 and our information security is tested annually by an independent auditor. This certification shows that we continuously control our information processes and guarantees the confidentiality, integrity, and availability of (business-critical) information. We have done this by:

  • Systematically examining the organization's information security risks, taking account of the threats, vulnerabilities, and impacts.
  • Designing and implementing a coherent and comprehensive suite of information security controls to address security risks.
  • Implementing an audit and compliance process that ensures that the information security controls continue to meet our information security needs on an ongoing basis.

SOC 2 Type II Report

SOC 2 is an international standard with which IT service providers demonstrate they manage (customer) data based on a set of 'Trust Services Criteria'. These criteria include security, availability, integrity and confidentiality. Whether an organization complies with SOC 2 is determined on the basis of an assurance report. Avisi has been in possession of such a SOC 2 Type II report since 2021.

  • SOC 2 Type II means that the risk management process is continuously tested, as opposed to a one-off sample (SOC 2 Type I).
  • The SOC 2 Type II assurance is an annually recurring audit that tests whether the agreed processes and controls have been met and relates to a specific period.
  • We have opted for a SOC 2 Type II statement because we believe it is important to demonstrate the continuity of our control measures.
  • Service organizations gain insight into the extent (and quality) of the control measures we have taken to offer our services as reliably as possible.
  • The SOC 2 Type II statement demonstrates our continued commitment to security standards for our own operations and the processing of (customer) data.


GDPR Compliance

The European privacy law applies to all companies and organizations, including Avisi, that process personal data of customers, staff or other people from the EU. It goes without saying that we do everything we can to ensure that we meet the requirements of this legislation. To demonstrate this:

  • We have included privacy as a structural part of our periodical risk analyses.
  • Our own Team Security & Privacy continuously increases (information) security and privacy awareness by:
    • Training and educating our employees.
    • Maintaining a continuous dialogue with our suppliers, customers, and partners.
  • We create an overview of all our processing through complete and current data processing registers.
  • We draw up processing agreements with all relevant parties and keep them up to date.
  • We perform a Data Protection Impact Assessment (DPIA) when starting a new data processing activity or changing an existing one.

Independent Audits

We work closely with independent third parties to test our policies and procedures in practice. These reviews are conducted at least once a year by respected audit and security firms who are independent and thorough in their evaluations. We take their reports very seriously and have implemented processes to address any concerns.

External and Internal Testing of Applications

At Avisi, we consider it essential that the applications we use and develop are not only of high quality but also secure in use. In accordance with our policy and the ISO 27001 standard, our procedures include periodical activities that ensure the safety of our products and services. We do this by periodically testing our software and having it checked by a certified third party. In addition:

  • We periodically conduct risk analyses.
  • We periodically conduct (internal and external) audits.
  • We periodically conduct (internal and external) penetration tests.
  • We have monthly meetings with the Avisi Security Forum to discuss the latest trends, vulnerabilities, and legal issues.

Security

Since we continuously send and receive (sensitive) information, we ensure that our software and systems are as secure as possible. We guarantee this by:

  • Using SSL-encrypted connections to and from our web servers.
  • Securely storing passwords in password vaults.
  • Using authentication for all information systems containing sensitive data.
  • Using a Wireless Intrusion Prevention System (WIPS).

We also continuously check that our software and systems meet:

  • Common Vulnerabilities and Exposures (CVEs).
  • Security Best Practices and OWASP Top 10.

Staff members

Our employees work with sensitive data every day, so it is important that you can trust us. We make sure that:

  • All our employees have a Certificate of Good Conduct (VOG).
  • All our employees are trained to make security and privacy a priority (Security First).
  • Only competent and authorized employees have access to sensitive information.
  • We have tight on- and off-boarding procedures for employees.
  • We only work on laptops with full disk encryption and we have a strict locking policy.

Continuous improvement

The continuous improvement of security and compliance processes, systems and information security controls is crucial for a high level of information security. We seek feedback from different teams, customers, (internal and external) auditors, suppliers and knowledge partners to continuously improve our security and privacy processes.