This document defines the technical and organisational security measures (TOMs) applied to all standard service offerings provided by OpusCapita, except where a Customer is responsible for security and privacy. OpusCapita's internal organisation is generally aligned to meet specific data protection requirements.
For on-premise solutions, and otherwise where the security measures depend on the Customer's security policies or on actions taken by the Customer under them, this description applies only to the extent not governed by such Customer policies or actions. The measures described under Access Control to premises and facilities apply only if the Customer uses a Software as a Service (SaaS) solution.
OpusCapita has a wide-ranging set of information security policies and guidelines based on the ISO 27000 series, approved by senior management. The OpusCapita organisation includes a full-time information security manager.
OpusCapita is committed to corporate security management and its continuous development, with the objective of ensuring undisturbed business operations in all circumstances. Security activities are governed by a commitment to protect employees, information, processes and assets, as well as the corporate reputation.
To prevent unauthorized persons from gaining access to data processing sites that process or use Personal Data, OpusCapita has implemented physical access controls. Personal Data is stored in professionally hosted data centres and processed in qualified premises that provide effective physical access control, including electronic lock systems, alarm systems and CCTV monitoring. Access to data centres and premises is granted only to authorized persons. Visitors are always accompanied.
OpusCapita supports remote and home office work, which enables processing of Personal Data outside the secure premises. OpusCapita ensures that Personal Data is processed with adequate security measures outside the office: personnel are required to follow a security guideline for remote and home office work, and awareness is maintained through reminders and relevant training. OpusCapita accepts only approved devices for work purposes; these include security controls such as anti-malware software and secure transmission capability (e.g. VPN).
Access control ensures that systems used for Personal Data processing cannot be accessed without authorization and that only authorized persons have access to data, so that Personal Data cannot be read, modified, copied or removed without authorization during processing and storage.
Access to Personal Data and systems is granted following the need-to-know and least-privilege principles. All access to systems containing Personal Data is granted through a defined process covering identification, authentication and authorization. Personal user accounts are used, and each user is personally responsible for their account. Special access, including privileged access and shared accounts, is granted to an absolute minimum number of users, only for a justified need, and only if a normal user account cannot be used. Privileged access is granted for a limited period of time. Access rights in systems are reviewed regularly, and unnecessary access is removed.
For common internal systems Single Sign-On (SSO) is used, and two-factor authentication is provided for critical applications and functions.
To ensure that Personal Data cannot be read, modified or removed without authorization during electronic transfer, Personal Data transmitted electronically over public data networks is encrypted. Access to internal processing systems is limited by strict access control. Session timeout controls are used for sensitive computer applications and network connections where possible.
To prevent accidental or unauthorized disclosure of Personal Data to unauthorized parties, data flows are tracked. All internal data transfers are encrypted, and access to systems and data is limited. Internal guidelines exist for employees to prevent accidental or unauthorized disclosure.
To establish whether and by whom Personal Data has been entered, modified or removed in data processing systems, only authorized users can access the systems containing Personal Data, in accordance with the access controls. Access to Personal Data is logged, and logs are stored in a way that prevents unauthorized modification or deletion of events. Access logs are retained at least for the minimum duration mandated by external compliance requirements.
To ensure that Personal Data is processed on behalf of a Customer in strict accordance with the Customer's instructions, OpusCapita provides Data Protection Agreements for signing.
To ensure that Personal Data is protected against accidental destruction or loss, the necessary data recovery planning is in place and data is backed up at regular intervals. Systems and infrastructure for storing and processing Personal Data are designed with a resilient service architecture that uses redundant technologies and minimizes single points of failure. Services are provided with SLAs based on recovery time objectives (RTO) and recovery point objectives (RPO), which are supported by service capacity planning and monitoring. Incident Management and Problem Management procedures are in place.
To ensure that Personal Data collected for different purposes can be processed separately, OpusCapita stores customer data logically separated on the basis of individual customer accounts. Data collected for different purposes is also processed separately.
To ensure that Personal Data is processed only in accordance with the Controller's instructions, OpusCapita has defined the security roles and responsibilities of employees and third parties. Security responsibilities and tasks are included in the terms and conditions of employment and in subcontracting agreements. Commitments to data secrecy or Non-Disclosure Agreements (NDAs) are in place with employees and subcontractors and remain valid after the termination of employment or contract. Personnel screening is carried out to the extent necessary for the role and permitted by applicable legislation.
Everyone processing Personal Data is made aware of the security instructions and the appropriate handling of assets and information, and is required to participate in the Security, Personal Data protection and Code of Conduct training provided by OpusCapita.
Measures designed to ensure that data is authentic and has not been maliciously or accidentally altered during processing, storage or transmission include checksums and re-transmission for data in transit where needed.
For retention and deletion of Personal Data, the storage time is defined by the Customer, and Personal Data is deleted in a secure way after the storage time expires, or immediately when the Personal Data is no longer needed. Data on paper (documents, drafts, test materials, production waste, and materials designated by the Customer for disposal) is physically destroyed locally, either in secure containers operated by professional disposal companies or in a shredder of an appropriate destruction class. Electronic data is deleted using a secure method that ensures no data can be retrieved.
OpusCapita Invoice Process Automation allows you to automate manual routines in your invoice handling process, such as automating the approval flow or pre-setting default postings. In addition to the workflow, automation is based on rules at header or line-item level, or on the posting dimensions. You
Stop putting effort into maintaining your customers' delivery preferences, as our solution continuously checks the receivers' e-invoicing capability for you. Whenever possible, your invoices are sent out electronically, reducing PDF and paper delivery and lowering your price per transaction. In addition, you can boost your digitalization further by easily campaigning for more of your invoice receivers to register for e-invoicing in our complimentary Business Network Portal.
Discover the meaning of easy transaction follow-up by granting access to track & trace to anyone in your organization at no extra cost. Business Network Portal provides a real-time view of all data that has been exchanged and sent, including e-invoices, PDFs sent by email, and paper invoices. The simple portal view also makes it easy, for example for your customer service team, to see, download and exchange billing event data in their interaction with your customers.
Enjoy seamless and compliant invoice sending as e-invoices, PDFs or paper in Northern and Central Europe.
Benefit from automated channel management and gain more e-invoicing receivers, boosting digitalization.
Automate your AR process, improving productivity, reducing errors and significantly speeding up your billing.