Quality assurance and management system

Management system

Compello uses a number of recognized products as integrated components in our management system. Below we have listed the systems that we use on a daily basis to control the company's daily operations.

Sales and consulting

For control of customers, orders, and basis for invoicing, we use Microsoft Dynamics 365 for Sales. The system contains all customer documentation, agreements, customer orders and other important correspondence.

Our CRM gives us full control from offers to orders to be handled further by the consulting department. In this way, we have full control and can execute customer orders at the agreed time and price. The departments consultant managers follows up orders that have been handed over from sales to the consulting department and ensures that there are no deviations in relation to the agreement.

All customer projects are run according to the Prince-2 project management framework, and all our consultants are Prince-2 certified.

Support

For control of our incoming support, we use Microsoft Dynamics 365 Customer Support. This gives all our incoming support cases a case id.

The solution is adapted to ITIL according to Incident / problem management, service desk, and partly ICT infrastructure management and software asset management. The system contains functions for handling registered assignments / cases, automated processes, escalation, SLA, the customer's own web pages, e-mail handling, document management etc.

The tool gives our support department a good overview of our support at any time.

Product development

Our development processes are based on agile principles, and we operate according to SCRUM and Kanban principles. We utilise well-known tools for source code control, code versioning, project management and release management, including GIT for source control, Microsoft Azure DevOps for project and release management, and Microsoft Visual Studio as the integrated development environment (IDE).

Economy and finance

For our accounting we use Microsoft Dynamics 365 Business Central, integrated with Younium for billing of our subscriptions and transactions-based products. Our external financial auditor is Ernst & Young.

Operations

Compello host our SaaS solutions in the Microsoft Azure cloud platform. Our operations engineers manage and monitor the services remotely from our office at Oslo, Norway. Our operations staff do not have physical access to the hosting premises.

The cloud platform facilities in Microsoft Azure are independently certified according to more standards than any other cloud vendor, including ISO 27001, ISO 9001, ISO 22301, ISO 20000-1:2011, ISO 27018, SOC 1 and 2 Type 2, CDSA, CSA Star Attestation and PCI Level 1 to mention some. An updated list of applicable standards and certifications can be found at the Microsoft Azure Trust Center (https://www.microsoft.com/en-us/trust-center).

Compello only uses Azure services where we can control that data is processed within the EU/EEC, primarily using Azure data centres in Ireland and the Netherlands, with back-up to the Azure Norway East data centre.

Quality assurance system

Personnel manual

The company uses internal information pages (intranet) for communication to employees. The company's current personnel manual / handbook is hosted in Sticos Personal.

The handbook provides answers to employees' questions about the rights and duties of the employment relationship.

The handbook provides guidelines for:

• Confidentiality
• Meeting Policies
• IT Security
• GDPR compliance and processes
• Safety representatives and HSE

Routine descriptions for use of support and CRM tools

To ensure good quality of information entered into our tools, routine documents have been established that cover the most important value chains in Compello.

Our CRM and support tools are important management tools in our daily operations and the quality of information that is entered is therefore very important. This is done by routine documentation and internal training. Routine documents are continuously updated on our intranet.

Routine descriptions for handling and escalation of support

In the company we have the following channels into our support department:

The support processes are adapted to ITIL according to Incident and Problem Management, Service Desk operation and (in part) ICR Infrastructure Management and Software Asset Management.

Environmental standards

Compello is certified according to the Norwegian “Miljøfyrtårn” (Eco-lighthouse) standard, which is recognised by the EU commission according to article 45 of the EC 1221/2009 regulation. See https://eco-lighthouse.org for more information on this certification.

Product security

Compello participates fully in the Visma Application Security Program - VASP. Compello is a 100% owned subsidiary of Visma. It is mandatory to participate in VASP for any commercial software developed by any Visma group company.

VASP is a custom-made application security program based on leading industry standards and best practices, and embedded directly into our production systems. It is a tiered and scalable programme, where the requirements that a product has to comply with are tailored to the product in question; its technology, delivery model, market and other factors.

The objective of the programme is to ensure that our products are managed, developed and operated throughout its lifecycle in a secure and compliant manner with regards to application security, data protection and privacy, both for us as a provider and you as a customer.

VASP protects our customer's security and privacy through organisational and technical measures, designed to protect the confidentiality, integrity, and availability of the customer's data, and the resilience and legal compliance of our products and services.

The VASP program itself is audited annually by external auditors.

Compello, as a participant in the VASP program, is audited at least annually in an internal audit. These audits are performed by both a member of the Visma security team and the Visma Data Protection Officer and/ or representatives of the DPO, to ensure that two different roles review the product before it gets “the green light”.

The starting point for the internal audit is that the product DevOps team - led by the team's Security Engineer - does a comprehensive Security Self-Assessment - SSA, which also includes a Data Protection Self Assessment (DPSA). The SSA and DPSA cover areas such as data classification, privacy and data protection by design, adherence to formal requirements and standards, potential attack surfaces, access control mechanisms, password storage, crypto/hash algorithms, application misuse scenarios, software dependencies, file upload validation, secret management, phishing, testing and quality assurance, secure deployment practises, infrastructure permissions, host and network security, security logging and threat intelligence. In the annual audit the SSA and DPSA is reviewed, and any security or data privacy findings are classified according to severity, upon which the team has a set timeline to fix them according to the severity level. The purpose of the internal audit is to ensure compliance towards our Quality Management System, and to identify areas of improvements for the product or service, the team and the security programs themselves. Follow-up actions are registered and followed up in the Security Maturity Index, Architecture Index and if appropriate as risks.

The Maturity Index is an internal tool used to measure the live status of a product in various areas such as Security, UX (User Experience), Architecture and Technology. It allows strengths and weaknesses to be identified over time for each product and is used to prioritise development in terms of security and data protection. The maturity index status is part of the monthly management reporting, and is shown and discussed at every board meeting.

Any drop measured in the Maturity Index score, is immediately brought to the attention of the DevOps team’s Security Engineer. If the problem is not fixed within 30 days, the issue is escalated to the Product Owner. If the problem is not fixed within 60 days, the issue is escalated to the Managing Director of Compello. Finally, if the problem is not fixed within 90 days, it is further escalated to the Chairman of the Board and other Compello Board members.

In short, the Security Self-Assessment tells us what we should be doing. The maturity index tells us if we’re actually doing it.

VASP covers a wide range of security-related areas, including:

Dynamic Application Security Testing (DAST)

We do an automated external pentest every week using the cloud tool Detectify.com. Any security findings must be fixed within set timelines depending on severity.

Penetration testing (PENTEST)

We do a comprehensive manual penetration test at least annually conducted by the Visma PENTEST team. The PENTEST team is manned by experienced ethical hackers, and they use advanced hacker tools to check the application for any vulnerabilities. Any security findings must be fixed within set timelines depending on severity.

Static Application Security Testing (SAST)

We use Coverity on Polaris to automatically scan the source code for vulnerabilities at least weekly. Any security findings by the tool are analysed, and identified vulnerabilities must be fixed within set timelines depending on severity.

Software Composition Analysis (SCA)

We use Aikido to automatically scan the source code for vulnerabilities and potential license issues in any included open source libraries at least weekly. Any issues discovered are analysed and classified on severity, and identified vulnerabilities must be fixed within set timelines depending on severity.

Responsible Disclosure

We participate fully in Visma’s Responsible Disclosure program, where we invite ethical hackers to pentest our application, and report any findings to us. This is managed through a tool called Integrity, and any discovered vulnerabilities must be fixed within set timelines depending on severity.

Finally we run SonarQube static code analysis on every source code check-in to aid developers in creating clean and safe code.

Technical and Organisational Measures

Compello PROCESS is hosted out of data centers in the Microsoft Azure West and North Europe regions, located in the Netherlands and Ireland respectivbely, and are owned and operated by Microsoft.

Microsoft Azure is a cloud computing platform that features a growing collection of integrated cloud services—analytics, computing, database, mobile, networking, storage, and web. Microsoft has made an industry-leading commitment to the protection and privacy of user’s data. Microsoft were the first cloud provider recognized by the European Union’s data protection authorities for their commitment to rigorous EU privacy laws. Microsoft was also the first major cloud provider to adopt the new international cloud privacy standard, ISO 27018.

Microsoft Azure is independently certified towards more security and privacy related standards than any other Cloud provider, including ISO 27001, ISO 9001, ISO 22301, ISO 20000-1:2011, ISO 27018, SOC 1 and 2 Type 2, CDSA, CSA Star Attestation and PCI Level 1 to mention some. An updated list of applicable standards and certifications can be found at the Microsoft Azure Trust Center (Microsoft Compliance Offerings).

1. Access-control to premises and facilities - Confidentiality (Article 32 Paragraph 1 Point b GDPR)
   
   The hosting centres (in the following = HC) are owned and operated by Microsoft.
   
   Updated documentation on the security of the HC premises can be found in Microsoft Azure security documentation available on the Microsoft Azure Trust Center site. Some highlights are described below.
   
   The HC facility is designed to run 24 x 7 and employs various measures to help protect operations from power failure, physical intrusion, and network outages. The HCs comply with industry standards for physical security and reliability and they are managed, monitored, and administered by Microsoft operations personnel. They are designed for “lights out” operation.
   
   Microsoft uses industry standard access mechanisms to protect Azure’s physical infrastructure and HC facilities. Access is limited to a very small number of operations personnel, who must regularly change their administrative access credentials. HC access, and the authority to approve HC access, is controlled by Microsoft operations personnel in alignment with local HC security practices.
   
   Access to physical HC facilities is guarded by outer and inner perimeters with increasing security at each level, including perimeter fencing, security officers, locked server racks, multifactor access control, integrated alarm systems, and around-the-clock video surveillance by the HC operations center.
   
   Compello employees or customers do not have physical access to the HC.
   
   
2. Access control to systems - Confidentiality (Article 32 Paragraph 1 Point b GDPR)
   
   Customers/end-users can only access the solutions through the Compello PROCESS client applications (Compello PROCESS web client and/or Compello PROCESS Mobile Client), which incorporate a role-based granulated access control with user name and password. All data traffic is encrypted over the https protocol.
   
   
3. Access control to data - Confidentiality (Article 32 Paragraph 1 Point b GDPR)
   
   Data storage for the Compello PROCESS solution is done through Microsoft Azure SQL Server, Microsoft Azure Blob Storage and Microsoft Azure Queue Storage native cloud services. All customer files are stored in Azure Blob Storage, which store all data encrypted-at-rest.
   
   End-users have no direct access to the data storage areas, and can only interact with their data in the solution through the Compello PROCESS client software, which incorporate granulated access control with user name and password.
   
   Authorized Compello operations staff can access data through log in to the Microsoft Azure Management Portal. Users must be authenticated through their Active Directory user name and password + a one-time code from the integrated 2-factor authentication. All such access is logged, and any configuration change or modification of data is logged.
   
   Microsoft HC engineers do not have default access to cloud customer data. Instead, they are granted access, under management oversight, only when necessary. Virtual access to customer data is restricted based on business need by role-based access control, multifactor authentication, minimizing standing access to production data, and other controls. Access to customer data is also strictly logged, and regular audits (as well as sample audits) are performed to attest that any access is appropriate. In addition, Microsoft uses encryption to safeguard customer data and help maintain control over it. When data moves over a network—between user devices and Microsoft datacenters or within datacenters themselves—Microsoft products and services use industry-standard secure transport protocols. Also all files stored in Azure Blob Storage are encrypted at rest by default using AES 256 encryption – this encryption cannot be disabled.
   
   
4. Input control - Integrity (Article 32 Paragraph 1 Point b GDPR)
   
   Key user events are logged, including when a user has accessed the system (login/logout) and actions that the user has done on the invoices (e.g. approved, added comment, etc.). Additional logging is provided on database and webserver level by standard Microsoft Azure logging mechanisms. These system logs are available for analysis by Compello operations staff.
   
   
5. Disclosure control - Confidentiality (Article 32 Paragraph 1 Point b GDPR)
   
   Unauthorised disclosure of personal data is avoided by Cross-premises connectivity which enables the establishing of connections between a virtual network and multiple on-premises sites, or other virtual networks in Azure, by using VPN gateways or third-party virtual appliances.
   
   
6. Job control - Confidentiality (Article 32 Paragraph 1 Point b GDPR)
   
   Compello have selected to use the Microsoft Azure platform for hosting of the Compello PROCESS service. Microsoft runs some of the largest and most demanding cloud solutions in the world, and their Microsoft Azure platform and data center services are among the most professional and secure anywhere in the world. This is attested by their unparalleled compliance track record towards relevant international standards.
   
   Compliance documentation can be downloaded from: https://servicetrust.microsoft.com/Documents/ComplianceReports
   
   
7. Availability control - Availability and Resilience (Article 32 Paragraph 1 Point b GDPR)
   
   Availability control of Microsoft Azure services are described in the Microsoft Azure Trust Center documentation. Some specific highlights are included below:
   
   Each Compello customer has a separate Microsoft Azure SQL Database instance, and backups are automatically taken as part of the Azure SQL service.
   
   Point-in-time restores can be done up to 35 days back in time using standard Azure backup/restore functionality. All backups are stored geo-redunandant meaning backups will always be replicated across multiple data centers in neighbouring regions (for Compello the neighbouring regions are West Europe and North Europe), minimizing the risk for data loss.
   
   Each customer has a separate Microsoft Azure Blob Storage area, where uploaded files (scanned and eInvoices as well as any related attachments) are stored. Data is stored geo-redundant meaning data will always be replicated across multiple data centers in neighbouring regions (for Compello the neighbouring regions are West Europe and North Europe), minimizing the risk for data loss. In addition, we take a separate back up of all Blob Storage accounts that are stored in the Azure Norway East region for additional security.
   
   Microsoft guarantees 16 9’s durability of stored objects (99.99999999999999%) over any given year. Data in Blob storage is stored encrypted-at-rest.