Governance in SuperOffice
The SuperOffice Quality Management System (SQS) is built on the structures of the ISO standards and on the GRC principle: Governance, Risk management and Compliance.
The processes established and executed by SuperOffice's Board of Directors are reflected in the organization's structure and in how it is managed and led toward achieving our goals.
SuperOffice SQS currently covers the Information Security Management System for all internal systems and the SuperOffice CRM Online cloud service offered to customers. Furthermore, SQS covers all processes related to privacy mandated by the General Data Protection Regulation (GDPR).
At SuperOffice we work with the ESG sustainability framework. We contribute positively to sustainability by working towards becoming carbon negative, by promoting diversity and by being transparent in our sustainability reporting. We have signed up for the UN Global Compact programme, and we are transparent about our actions and about our progress in the ESG areas and goals relevant to our business.
As part of these programmes, we have also established a whistleblowing channel. The channel and the system behind it are operated and handled independently by BDO AS in Norway, part of the international accounting and consulting network BDO.
The whistleblowing channel is open to employees, consultants, contractors, suppliers and partners of SuperOffice, as well as to external third parties affiliated with SuperOffice. Reports of wrongdoing or objectionable conditions, whether ethical or legal, in connection with SuperOffice or any of its business partners can be made via this channel. Please use this link to access our whistleblowing channel.
An overall risk assessment is performed for all information objects and is updated once a year. Our approach to security is based on risk assessments in accordance with Article 24 of the EU General Data Protection Regulation (EU-GDPR) and §3 of the ICT regulations.
Risk management is a set of processes through which SuperOffice management timely and appropriately identifies, analyzes and responds to risks that might adversely affect the realization of our organization's business objectives. The response to risks typically depends on their perceived gravity and involves controlling, avoiding, accepting or transferring them to a third party.
We manage a wide range of risks: technological risks, information security risks, commercial/financial risks and, of course, external legal and regulatory compliance risks.
Information Classification and Control
Breaches of confidentiality and loss of integrity of information must not occur, so information is protected according to its criticality. All main information and assets are therefore registered and assigned to a designated owner.
The information is also classified so that the necessary and appropriate security controls can be applied. The information owner is responsible for maintaining, and continuously applying, the approved controls and for improving them.
Third-party access to data
Any information stored in SuperOffice CRM Online is treated as confidential and not disclosed or sold to any third party. All information is stored securely and can only be accessed by the customer and the trusted SuperOffice personnel for site administration purposes.
SuperOffice follows the legal requirements set out by the EU in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR). All SuperOffice data are stored in the EU/EEA. Should SuperOffice choose to use sub-contractors outside the EU/EEA, such processing must be in accordance with the EU Standard Contractual Clauses for transfers to third countries, or with another specifically stated lawful basis for transferring personal data to a third country.
Data Processing Agreements
Data Processing Agreements are signed between SuperOffice and the customer when signing the SuperOffice CRM Online Agreement. The purpose of the Data Processing Agreement is to regulate SuperOffice’s processing of personal data on behalf of the customer using SuperOffice CRM Online. Sub-Data Processing Agreements are signed between SuperOffice and sub-processors as well as App Store partners.
Secure Storage (ISO 27001 / 27018)
Data stored in SuperOffice CRM Online is protected by an Information Security Management System certified against ISO 27001 and ISO 27018. These ISO standards represent international best practice for information security. GDPR encourages the use of certification as a way to demonstrate that information security is taken seriously at all levels of the organization, and ISO 27001 certification is a widely recognized way of doing so.
Our external security consultants check the security policies and test defense and security controls on a regular basis. SuperOffice and our hosting partners are strongly committed to safeguarding all the information in SuperOffice CRM Online.
Audits and ISAE 3402
The customer is entitled to perform periodic security audits, controls and inspections. An audit may include walking through the main routines, random sampling, more comprehensive on-site checks and other suitable controls. Each party covers its own costs associated with such audits, controls and inspections. The customer must engage an entitled and certified third party to perform them.
SuperOffice / Visma ITC, as a processor, has a third-party security audit performed every year. The purpose of the audit is to demonstrate the adequacy of the technical and organizational security measures employed by SuperOffice. The reports on the yearly audit, performed by Ernst & Young (EY) and based on ISAE 3402, are made available to customers on request.
SuperOffice, as a controller, regularly has audits, controls and inspections carried out by a certified third party. Currently (2020) this is PwC. The reports on the audits performed by PwC, based on ISAE 3000, are made available to customers on request.
Secure Product Development
SuperOffice applies the Security by Design and Privacy by Design principles in its software development methodology. All application code is developed with an end-to-end focus on security and privacy. New versions are tested by dedicated test personnel and are also subject to extensive external testing (beta/pilot testing).
SuperOffice performs different tests, such as feature, integration, performance and load/stress tests. Both automated and manual testing are applied.
All systems developed for SuperOffice have clear security requirements, covering input validation, security review of code before it is put into production, and any use of cryptography. Structured methods such as agile and scrum are used to control all parts of the development process.
All changes to the production environment follow the current change procedures. Dedicated test and development environments are used to test all changes, such as bug fixes and new releases, before deployment to production. Independent test personnel regularly test new functionality.
Moreover, all software is tested and formally accepted by an internal owner and operator before it is transferred to the production environment.
Before any new change is put into production, a threat and risk assessment, a security code review and penetration tests are systematically performed and documented. Only if no security issues are detected is the new functionality deployed into the existing SuperOffice application.
SuperOffice AS has partnered with an independent security advisor – Watchcom AS, with the goal of developing secure applications and services.
Watchcom assists SuperOffice with security assessments, application security testing, penetration testing, consulting and advisory services. Watchcom works with international security standards such as ISO 27001, ISO 27005, ISO 22301, ISO 30111, OWASP and WASC. These standards are the foundation of all work and all reports delivered to SuperOffice.
When the customer's subscription to the SuperOffice CRM Online services is terminated or expires, the account is deactivated and is no longer accessible. After termination of the agreement, the customer's users with administrator access are, when they try to log in, directed to a site where they can download all data belonging to the customer. The data is delivered in a generic file format. The download is available for 30 days from the termination of the agreement. After 30 days, all data belonging to the customer is removed from SuperOffice's servers and data center facilities. Backups are retained in accordance with the backup procedures.