Security FAQs

Visier's responses to commonly asked questions from customers.

Introduction

We proactively compiled answers to top questions about security at Visier to help you get a better sense of our practices. Please also visit the Security page to learn about our approach to security at an organizational, platform, and operational level.

Compliance and Risk

What information security standards and frameworks do you follow?

Visier policies, practices and internal controls are generally based on standards and frameworks including but not limited to:

  • ISO/IEC 27001; ISO/IEC 27002
  • ITIL and COBIT frameworks
  • Relevant publications from the United States National Institute of Standards and Technology (NIST)
  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • EU General Data Protection Regulation (GDPR)
  • E.U. – U.S. and Swiss – U.S. Privacy Shield Frameworks

Yes. Our Risk Management Program and practices are based on the Visier Enterprise Risk Management Policy in addition to supporting guidelines and standards. These practices also adhere to industry best practices in identifying, assessing, addressing, reporting, and monitoring risks.

The Governance, Risk and Compliance (GRC), Information Security (IS), Privacy, and Legal teams regularly conduct internal and external risk assessments. Such risk assessments include relevant acquisitions, new initiatives and changes across the organization; as well as changes in the external technological landscape, and legal and regulatory requirements. Significant risks are routinely reported to Executive Management to ensure there is continuous and adequate oversight.

We provide our customers and prospects with a SOC 2 Type II audit report upon request each year. Presently, Visier does not pursue the SOC 1 report as it is not applicable to the nature of our service offerings.

We are continually enhancing our security, data privacy, and governance practices. Visier provides customers with reasonable assurance of a robust internal control environment through several sources, including third-party audits and attestations, certifications, and self-assessments. Examples include but are not limited to:

  • Undergoing a SOC 2 Type II audit on an annual basis, and an external web application penetration test on a quarterly basis.
  • Achieving CSA STAR Level 1 status and making our responses to the CSA CAIQ publicly available on the CSA STAR Registry.
  • Providing customers with access to the Visier Trust Assurance Package (TAP). Updated on a continuous basis, this package contains several artifacts mentioned above, architectural diagrams, frequently asked questions, and more. 

Visit the Compliance page to learn more about our audits and certifications. To request the Visier Trust Assurance Package, please contact your Customer Account Manager or Account Executive.

General Security

Do you have a Threat and Vulnerability Management Program?

Yes. Visier’s Threat and Vulnerability Management Program is based on industry best practices and emerging security trends. Our Information Security (IS) team performs assessments of threats via vulnerability scans for potential flaws across information assets within Visier’s offices and data centers. From this assessment, operational teams then deploy a risk-based approach to prioritizing and remediating any vulnerabilities.

We are continuously monitoring our global infrastructure to identify potential threats and vulnerabilities. Visier’s Security Information and Event Management (SIEM) tools are configured to send close-to-real-time notifications of any abnormal events and activities to relevant teams (e.g. Information Security, Information Technology and Site Reliability Engineering) for their review and action (if required).  


We do not share infrastructure-level reports externally. Visier makes considerable investments in engaging a reputable third-party public accounting audit firm to provide a report on our internal control environment via the annual Visier SOC 2 Type II report. The auditors review the existence and management of infrastructure-level protections as part of such audits annually.

Our SOC 2 Type II report has sufficient information to provide customers reasonable assurance on our secure processes and practices. To obtain a copy of this report, please contact your Customer Account Manager or Account Executive.

Visier fully supports single sign-on (SSO) using identity provider (IdP)-initiated logins via Security Assertion Markup Language (SAML) compliant solutions. We make pre-built security roles and configurations readily available within our solution so your administrators can easily manage user access to meet your organization’s security requirements.

Yes. Our Security Incident Response Plan (SIRP) is based on the Visier Security Incident Management Policy, as well as industry best practices, guidance from the US NIST, and other leading information security frameworks and standards. Our Information Security (IS) and Privacy teams educate employees on how to report security and privacy incidents. Once reported, the Incident Response Team (IRT) investigates to confirm, contain, recover, and assess severity and impact.

In the event of a confirmed incident involving customer data, we will notify designated contacts at affected customer organizations within stipulated timelines (in accordance with mutually signed service agreements and contracts).

To report a security issue to Visier’s Information Security (IS) team, please contact [email protected]

Data Security

Who has access to my data?

Only a very limited number of authorized Visier employees have access to customer data in order to provide customer support and manage customer-requested changes. Access to customer data must be requested, reviewed, and approved by management per Visier’s change management process. Visier uses a role-based access control (RBAC) process that incorporates the principles of least privilege and segregation of duties (SoD).

Yes. Customer data is always encrypted at rest and while in transit using leading industry standards. To encrypt your data, we use a strong encryption key that is unique to you. This key is managed via a robust and secure key management process and periodically rotated to ensure the continued confidentiality of your data. Your data will remain encrypted while being transmitted within our secure networks using the Advanced Encryption Standard (AES).

Your data is stored only in data centers that are located within your chosen geographic region (either in Canada, the United States, or Germany). Your data is restricted from being replicated and/or stored outside of your chosen geographic region through technical measures and controls.

Your data is securely destroyed within 30 days of termination of the service subscription. We use industry best practices and leading standards to facilitate and ensure the irrevocable deletion of your data.

System Resiliency

How do you ensure high system uptime for your solutions and services?

Our infrastructure is designed and architected to be highly available. Visier’s data centers are physically dispersed within each of our geographical regions (Canada, the United States, and Germany) for redundancy and to minimize impacts to the availability of our solution in the event of an environmental disaster. 

Apart from maintaining geographically dispersed data centers, we also rely on Amazon Web Services (AWS) Availability Zones (AZ) for system resiliency and multi-site redundancy, which enable encrypted, near real-time data replication and recovery. This structure enables customers to access their data despite environmental threats in their region.

We designed our solutions to be available around the clock except during maintenance windows, which are used to perform system updates and infrastructure, security, and technology upgrades. You can view our near real-time system uptime reporting at https://status.visier.com/.