Organisational Security

Adminflow is committed to upholding rigorous standards for security across every facet of our operations. From organizational policies and risk assessments to application and cloud security, we ensure that both our infrastructure and our people are aligned to safeguard the data we process and maintain.

Information Security Policy

Adminflow has an Information Security Policy. Our CEO emphasizes:

“As a company, information processing is fundamental to our success, and the protection and security of that information is a board-level priority. Whether it is employee or customer information, we take our obligations under the GDPR and Data Protection Act 2018 seriously.” Stefan Okstveit, CEO

Risk Assessment

Adminflow performs risk assessments on a regular basis, including supplier risk assessments.

Employee and Subcontractor Screening

Adminflow conducts background checks on all new employees in accordance with applicable local laws. All new employees and subcontractors undergo screening to ensure high standards in education and background.

Confidentiality

All employee, vendor, and subcontractor contracts include a confidentiality agreement.

Removing Access

Access is removed when personnel leave the company. Confidentiality obligations remain effective beyond the term of employment.


Access Control

Access Control and Authentication

Adminflow requires all personnel to use an identity provider with multi-factor authentication (MFA) on all applicable applications, where available. Access to data is restricted on a need-to-know basis, utilizing least-privilege principles, with regular audits and monitoring. MFA is also available for Adminflow customers.

Role-Based Access Control

Access to data within Adminflow is governed by role-based access controls, with permission levels tailored to user roles.

Office Premises

Adminflow maintains a 100% Software-as-a-Service (SaaS) model, with no local data network or confidential information stored at office premises.

Permissions and Authentication

Access to customer data is limited to authorized personnel who require it for job responsibilities.


Cloud Security

Data Hosting

Adminflow data is hosted within the EU/EEA region.

Data Loss Prevention

Adminflow conducts daily backups through complete database snapshots within a secure backup window from 02:00 to 02:30 UTC. Each snapshot is retained for 15 days, securely stored in the AWS Cloud Stockholm region, and further replicated to the AWS Cloud Frankfurt region, ensuring enhanced reliability and security.

Intrusion Detection and Prevention

Adminflow employs security monitoring tools to detect anomalous behavior, acting promptly on incidents or security events.

Ransomware Protection

Immutable backups of customer data are maintained in separate locations for additional security.

Capacity and Change Management

Adminflow performs ongoing capacity and change management for all infrastructure.

Penetration Testing

Adminflow engages third-party security partners annually for penetration testing, with a dedicated security team addressing any issues identified.

Security Incident Response

Incidents are escalated to our Information Security Incident Response Team (ISIRT) to ensure rapid response and business continuity.


Application Security

Development and Framework Security Controls

Adminflow development follows security-by-design principles, based on the OWASP Top 10 guidelines. Secure, modern frameworks limit exposure to common security risks.

Quality Assurance

Our QA team performs manual testing on our application user interface.

Separate Environments

Testing and staging environments are logically separated from production, and no customer data is used in development or testing environments.