This document defines the technical and organisational security measures (TOMs) applied to all standard service offerings provided by OpusCapita except where a Customer is responsible for security and privacy. OpusCapita internal organisation is generally aligned to meet specific data protection requirements. 

For on-premises solutions, and otherwise when the security measures depend on the customer’s security policies or actions taken by the customer thereunder, this description applies only if not governed by such customer’s policies or actions. Measures described under Access Control to premises and facilities shall only apply if the customer uses a Software as a Service (SaaS) solution. 

Organisation of Information Security

OpusCapita has a wide-ranging set of information security policies and guidelines based on the ISO 27000 series, approved by senior management. The OpusCapita organisation includes a full-time information security manager. 

OpusCapita is committed to corporate security management and development as well as having an objective to ensure undisturbed business operations in all circumstances. The security activities are governed by commitment to protect employees, information, processes, and assets as well as the corporate reputation. 

Site Access Control

To prevent unauthorized persons from gaining access to data processing sites that process or use Personal Data, OpusCapita has implemented physical access controls. The professionally hosted data centers where Personal Data is stored and the qualified premises where data is processed provide effective physical access control, including electronic lock systems, alarm systems and CCTV monitoring. Access to data centers and premises is granted only to authorized persons. Visitors are always accompanied. 

OpusCapita supports remote and home office work, enabling processing of Personal Data outside the secure premises. OpusCapita ensures Personal Data is processed with adequate security measures outside the office, e.g. by having a security guideline in place that personnel are required to follow and by maintaining awareness of secure remote and home office working in the form of reminders and relevant training. OpusCapita only accepts certain devices for work purposes; these include security controls including anti-malware software and secure transmission capability (e.g. VPN). 

System and Data Access Control

Access control ensures systems for Personal Data processing cannot be accessed without authorization and that only authorized persons have access to data so that Personal Data cannot be read, modified, copied, or removed during processing and storage. 

Access to Personal Data and systems is granted by following the need-to-know and least-privilege principles. All access to systems with Personal Data is granted through a proper process including identification, authentication and authorization. Personal user accounts are in use where a user is personally responsible for the account. Special access, including privileged access and shared accounts, is granted to an absolute minimum number of users, only for a justified need, and only if a normal user account cannot be used. Privileged access is granted for a limited period of time. Access is reviewed regularly in systems, and unnecessary access is removed. 

For common internal systems, Single Sign-On (SSO) is used, and 2-factor authentication is provided for critical applications and functions. 

Transmission Control

To ensure Personal Data cannot be read, modified, or removed without authorization during electronic transfer, Personal Data electronically transmitted using public data networks is encrypted. Access to internal processing systems is limited by strict access control. Session timeout controls are used for sensitive computer applications and network connections where possible. 

Disclosure Control

To prevent accidental or unauthorized disclosure of Personal Data to unauthorized parties, data flows are tracked. All internal data transfers are encrypted, and access to systems and data is limited. Internal guidelines exist for employees to prevent accidental or unauthorized disclosure. 

Input control

To establish whether and by whom Personal Data has been entered, modified, or removed in data processing systems, only authorized users can access the systems including Personal Data according to access controls. Access to Personal Data is logged, and logs are stored in a way that prevents unauthorized modification or deletion of events. Access logs are stored for the minimum duration mandated by external compliance requirements. 

Order control

To ensure that Personal Data is processed on behalf of a customer in strict accordance with the customer's instructions, OpusCapita provides Data Protection Agreements for signing. 

Availability control

To ensure Personal Data is protected against accidental destruction or loss, necessary data recovery planning is in place and data is backed up at regular intervals. Systems and infrastructure for storing and processing Personal Data are designed with a resilient service architecture utilizing redundant technologies and minimizing single points of failure. Services are provided including SLAs based on recovery time objectives (RTO) and recovery point objectives (RPO), ensured by service capacity planning and monitoring. Incident Management and Problem Management procedures are in place. 

Separation Control

To ensure Personal Data collected for different purposes can be processed separately, OpusCapita stores customers' data logically separated based on individual customer accounts. The data collected for different purposes is also processed separately. 

Job control

To ensure Personal Data is processed only in accordance with the Controller's directions, OpusCapita has defined security roles and responsibilities of employees and third parties. Security responsibilities and tasks are included in the terms and conditions of employment and subcontracting agreements. Relevant commitments to data secrecy or Non-Disclosure Agreements (NDA) are in place with employees and subcontractors, valid after the termination of employment or contract. Personnel screening is carried out to the extent necessary for the role and allowed by effective legislation. 

Everyone processing personal data is made aware of security instructions, appropriate handling of assets and information, and required to participate in Security, Personal Data protection and Code of Conduct training provided by OpusCapita. 

Integrity control

Measures designed to ensure that data is authentic and has not been maliciously or accidentally altered during processing, storage or transmission include checksums and re-transmission for data in transit where needed. 

Data retention and deletion control

For ensuring retention and deletion of Personal Data, storage time is defined by the Customer, and Personal Data is deleted in a secure way after expiration of data storage time or immediately when Personal Data is no longer needed. Data on paper (documents, drafts, test materials, production waste, materials defined by Customer for disposal) is physically destroyed locally using secure containers operated by professional disposal companies or a shredder with proper destruction class. Electronic data is deleted using a secure method ensuring no data can be retrieved. 
