Secure Storage (ISO 27001 / 27018)
Since the ISO standards are the international best practices for information security, GDPR encourages companies to obtain ISO 27001 certification to show that information security is taken seriously at all levels of the organization.
The SuperOffice Information Security Management System ensures that every incident that happens in SuperOffice CRM Online is handled according to a strictly defined procedure.
External security consultants check the security policies and test defense and security controls on a regular basis. SuperOffice and our hosting partner are strongly committed to safeguarding all information in SuperOffice CRM Online.
Visma ITC AS is responsible for the hosting of SuperOffice CRM Online. All hardware, infrastructure, data storage and communication lines are managed and provided by Visma ITC.
Visma ITC has the following certifications: ISO 9001, ISO 20000, ISO 27001 and ISO 27018. The security statements and policies in this document apply both to SuperOffice AS, as the supplier, and Visma ITC, as the outsourcing partner of SuperOffice AS.
Access to Visma ITC’s office and facilities is controlled by an access control system in the building. Video surveillance is used at the entrance of the building. It is not possible to access Visma ITC facilities without being explicitly granted access or without the supervision of Visma ITC’s authorized personnel.
The personnel responsible for system administration, such as designers, developers and system administrators, are checked for qualifications, by means of interviews, tests and verification of references. The personnel are given appropriate trainings to ensure that they are highly qualified to fulfill their job responsibilities.
Physical and Environmental Security
All data in SuperOffice CRM Online is stored on secured servers located within EU/EEA. The main production system is located in two separate data centers in Norway. The data centers are secured both by humans and technical security measures. Access to the data centers is managed exclusively by Visma ITC, and its technical personnel are available 24x7/365.
SuperOffice CRM Online’s network is set up in accordance with the best security practices, with separate, isolated network zones for different parts of the system. Network monitoring provides stability and robustness to the solution due to proactive actions and fast problem detection. It also sends alerts to us when/if intruders are trying to break into the system.
All servers are connected to redundant power supplies. Redundant cooling systems are used to ensure a stable temperature and operating conditions in the server room. Fire protection measures are implemented in the facilities. In addition, a disaster recovery plan has been developed to ensure a quick recovery if needed.
The SuperOffice SaaS/web application is hosted on a set of virtualized, clustered Windows servers. The servers are built with complete redundancy on all levels, including redundant power supplies with separate UPS, raid mirroring of all disks and redundant network cards.
In addition, all servers are set up in a load-balanced and fault-tolerant environment for all server tasks; meaning there are separate server groups for web servers, database servers and file servers. All SuperOffice servers and networks are monitored on a 24x7 basis. Documents archived in SuperOffice are stored on Microsoft Azure servers in two redundant data centers within the EU.
All networks are protected with redundant firewalls. Communication between locations is secured by an encrypted VPN. Any changes to the firewall rules follow changes in Management procedures and are carefully logged.
All communication between our servers and the clients accessing our site is encrypted using Secure Socket Layer (SSL). All communication between SuperOffice mobile applications and the servers are also encrypted using SSL. We are always using internationally recognized cryptographic methods to protect information stored on our site, such as TLS and IPSEC/RSA256(SHA256withRSA)/HSTS.
Operational Procedures and Responsibilities
SuperOffice notifies at least 24 hours in advance about all scheduled outage. System status and any scheduled downtime are presented at the login screen of each user and on the status page: status.superoffice.com.
Service capacities and performance are continuously monitored. This way we can easily foresee the need for server and infrastructure upgrades. Our upgrade and patch management policy (schedule) is set to minimize operational impact on the customers. Patches of the system-critical issues are done as soon as possible.
Protection against Malicious Software
Centrally administered Antivirus software is installed on all servers and internally used desktops. The SuperOffice CRM Online environment is scanned for vulnerabilities daily and all protection tools are continuously being updated.
All data is backed up every night and stored in two separate secure environments. Backup sets are encrypted and transmitted over an encrypted VPN tunnel.
SuperOffice CRM is based on two types of data storage: Microsoft SQL Server Database and the Document Archive. All data is completely separated for each customer. All databases have a 30 days “point in time” backup. This means that a restore can be made from any specific date/time within the last 30 days. In addition, a monthly backup is performed and stored for 12 months. A yearly backup is stored for 10 years.
All document archives have continuous mirroring between two physically separated data centers and have individual backups in both locations. The backup runs once a day (usually at night). Document changes are backed up and stored for 30 days. Backup of deleted files (documents) are stored for 90 days.
Backup routines for third-party apps are subject to specifications and terms of service of the third-party app vendors and is not part of the SuperOffice CRM Online service scope.
Business Continuity Management
SuperOffice has established a disaster recovery plan. The production environment is set up with redundancy to provide high availability in the case of failures and to be able to handle high peaks of traffic to our site. SuperOffice and Visma ITC (our hosting partner) have common and coherent procedures for incident management, as well as disaster recovery.
Access Control to SuperOffice CRM Online Services
Any unauthorized access to the SuperOffice site is automatically blocked by a firewall. Secure Socket Layer (SSL) encryption and user authentication protect information and ensures that only users within the customer’s organization can access data.
For customer installations, we support username and password stored in SuperOffice CRM Online, Office 365 and G Suite (Google). Two factor authentication is supported when using Office 365 and G Suite.
Access to Personal Information
Users can at any time login in with their username/password on our site, access personal information and update contact details.
Access Management in the SuperOffice CRM Application
User access is managed by the customer. The customer is responsible for assigning the appropriate rights to individual users. User authentication is done through a username/password combination. The customer can create users with different access levels, according to their role or rights in SuperOffice CRM.
There is no central password policy enforced by SuperOffice. The customer should set their own password policy in accordance with their company’s password policy. The user/customer is responsible for keeping their usernames and passwords safe.
Operating System Access Control
Only authorized system personnel have access to and are able to perform OS dependent management on SuperOffice servers. Any patch management on OS and OS-dependent software is performed as soon as the new patches are released and tested in a test environment.
Audit Trail and Systems Access
All web access to the site is registered both in the database and in log files. The log files are backed up daily, and it is possible to go back in time to find information about who accessed a SuperOffice site at a specific time.
Only authorized personnel are given the right to manage log files and change system access levels. Logins and use of system rights are logged on servers. Logins are registered with a username and a source IP address.