Trust Assurance FAQs
Compiled answers to top questions about Visier to help you get a better sense of our practices.
Security
Organizational Security
What is Visier’s approach to maintaining security awareness for employees?
At Visier, security is every employee’s responsibility. Considering our people are essential to the delivery of secure solutions, we instill the importance of security right from our new hire onboarding experience and reinforce this principle through regular training and awareness programs.
With empowerment and support from Visier’s Executive Leadership team, we have built a comprehensive Security Program that promotes the importance of security and the protection of customer data throughout the organization. Visier invests considerable resources to ensure that only qualified professionals make up the teams that manage and oversee our infrastructure.
What are Visier's security and privacy programs based on?
Visier has implemented and will maintain security and privacy programs that follow the National Institute of Standards and Technology (NIST) Cybersecurity framework and International Standards Organization (ISO) 27001. These programs consist of policies, procedures, and personnel training to assess and manage administrative and technical measures to safeguard Customer Data.
Do Visier employees undergo background checks?
All employees must successfully complete a standard background check. Employees with access to Customer Data must successfully complete an enhanced background check prior to being granted such access.
To see more details on what the background checks consist of, see Visier’s Customer Data Safeguards Policy https://www.visier.com/trust/docs/safeguards-policy/.
Does Visier perform due diligence on third-party vendors/service providers?
Visier has implemented third-party risk management programs that assess cloud providers to ensure adequate processes are in place for any planned outsourced services. Before a cloud provider is onboarded, the assessment covers security reviews, independent audit reports and/or certifications, penetration testing results, privacy programs, integrations with other systems, the results of any proof of concept, and similar evidence. Additional measures are in place to monitor the provider's performance against the contractual agreements and service level agreements.
Platform Security
Data Security
How do customers submit their Customer Data to Visier?
Customers may submit their Customer Data to Visier using one of the following methods:
- by manually initiated upload to Visier’s servers through the Visier People application using the encrypted browser protocol (HTTPS);
- by automated or manually initiated file upload to Visier’s servers using the secure file transfer protocol (sFTP), encrypted with Customer’s public/private SSH key, to the encrypted storage folder designated by Visier for Customer’s data uploads; or
- Customer-configured automated data connection workflow for a supported Source System via API (configuration options are available to Authorized Users with administrative-level access to the Services).
This is outlined in Visier’s Customer Data Safeguards Policy, see https://www.visier.com/trust/docs/safeguards-policy/.
Is customer data encrypted at rest and in transit?
Customer data is encrypted at rest (a minimum of AES 256-bit encryption) and while in transit (TLS 1.2 / TLS 1.3 with 128-bit or better encryption) using leading industry standards.
How is customer data encrypted?
To encrypt your data, we use a strong encryption key that is unique to you. This key is managed via a robust and secure key management process and periodically rotated to ensure the continued confidentiality of your data. You can also encrypt your data with our PGP public key when sending us your data through sFTP.
Is customer data separated/segregated from other customers?
Data is logically segregated within our multi-tenant environment by means of hardware and software configurations, and each customer's data files are encrypted with their own unique key so that each customer organization can only view the data it is meant to have access to. Through a combination of encryption, regular rotation of encryption keys, and other technical controls, we ensure the confidentiality of customer data through logical separation on a per-customer, per-user basis.
Who has access to customer data?
Only a very limited number of Visier employees have access to customer data to provide customer support and manage customer requested changes. Authorized employees must undergo additional background checks and customer data access training prior to being granted access.
Our cloud computing and data center service providers do not have access to unencrypted customer data.
What access controls are in place at Visier?
The technical and organizational identity and access controls in place (such as privileged access management, segregation of duties (SoD), and two-factor authentication (2FA)) are described in Visier's SOC 2 Type II report (available within the Visier Trust Assurance Package (TAP) and/or the Visier Trust Assurance & Artifacts Knowledge Base) and in the Customer Data Safeguards Policy.
What is Visier’s data deletion process after contract expiration/termination?
Upon expiration or termination of the Agreement, or upon receipt of Customer’s written request signed by a duly authorized representative of Customer, Visier will delete and/or destroy, using methods consistent with NIST SP800-88r1, the Customer Data from its systems and storage media and any offsite storage and third-party facilities under its control within thirty (30) days. Upon request following such removal, Visier will provide Customer with a written certification of such removal within thirty (30) calendar days.
Application Security
What safeguards do you have in place for attacks against your solutions?
We use “defense in depth” to safeguard web applications from attack. Application-layer next-generation firewalls, load-balancers, and Runtime Application Self-Protection (RASP) are part of our security strategy. We implement application defense at network, session, function, and data levels to proactively eliminate vulnerabilities and threats.
Has Visier implemented a Secure Software Development Lifecycle (S-SDLC) for software development?
Our S-SDLC uses secure coding practices, static code assessments and reviews, and dynamic application testing to find exploitable conditions prior to the code being deployed to production. We leverage internal capabilities and external partners to continuously assess the network and find and remediate flaws before attackers can.
Are developers trained on secure coding?
Onboarding and ongoing training for all developers includes a set of robust security principles, practices, and coverage of OWASP Top 10 Security Risks at a minimum. Our code reviews ensure that validated code is used, and new code has been fully assessed.
Does Visier conduct testing of their solutions to identify potential vulnerabilities or errors requiring remediation before deployment to production?
Visier’s web application defense strategy builds on secure code to deliver secure solutions that provide insights, while protecting your data. We test all code and third-party libraries for security vulnerabilities before release, and regularly scan our network and systems for vulnerabilities. Third-party assessments are also conducted regularly.
Our teams are active bug hunters, and search for flaws at the code and run-time application levels throughout the S-SDLC.
Does Visier conduct web application penetration testing?
Visier engages a reputable and independent third-party organization to perform penetration testing on Visier applications at least annually. The executive summary report can be found within the Visier Trust Assurance Package (TAP) and/or the Visier Trust Assurance & Artifacts Knowledge Base.
Also, Visier performs regular internal web application vulnerability testing.
Does Visier share their vulnerability testing/scans externally?
Visier does not share vulnerability testing/scan reports externally due to confidentiality reasons.
Can customers perform their own penetration testing on Visier?
No more than twice per calendar year, on the customer’s reasonable request, Visier will provide appropriate support to the customer to perform penetration tests of Visier’s test servers for the Services.
To see more details on what is required for testing, see Visier’s Customer Data Safeguards Policy https://www.visier.com/trust/docs/safeguards-policy/.
What types of Single-Sign On (SSO) protocols/standards are supported by the solutions?
Visier fully supports SSO using identity provider (IdP) initiated logins via Security Assertion Markup Language (SAML) 2.0 compliant solutions. Visier’s customers have a choice in using SSO or 2FA authentication methods. Any customers not using SSO will automatically have 2FA enabled, unless explicitly requested by the customer in writing to disable 2FA.
How is user access managed within the solutions?
Visier makes pre-built security roles and configurations readily available within our solutions so your administrators can easily manage user access to meet your organization’s security requirements. You have full control and can customize the security roles to limit users’ visibility to only the data elements they are authorized to see. We also offer numerous checkpoints to ensure there is an opportunity for you to validate your requested configuration changes and review your data and business rules prior to your data being published and accessed by your larger user base.
Infrastructure Security
How does Visier secure its infrastructure?
Our global infrastructure has been designed from the ground up with security and availability in mind. We have carefully selected secure data center providers, built secure networks upon which we run our operations, and validate our technologies and processes for alignment with industry best standards and other US/global infrastructure benchmarks.
Below are a few key points on how we maintain a secure and robust infrastructure:
- Configuration — Using configuration management tools and system hardening standards based on industry best practices (e.g. CIS Benchmarks) to ensure consistent deployment of changes across our infrastructure.
- Monitoring — Ongoing monitoring and scanning of our global infrastructure, networks, and information systems to identify and address threats and vulnerabilities.
- Reporting — Leveraging a Security Information and Event Management (SIEM) solution that merges numerous data sources (e.g. system and application logs, firewall logs, intrusion prevention and detection systems (IPS/IDS) logs) for timely review, reporting, and remediation.
- Change Management — Implementation of a change management process to ensure proposed changes to systems and processes do not negatively impact our operations and services.
- Training — Providing regular training on secure coding practices and securely deploying changes to our corporate and AWS infrastructure.
- Validations — Periodic security and internal control assessments, reviews, and audits to ensure the continued adequacy and effectiveness of our internal security controls.
Operational Security
Physical Security
How does Visier manage security in the offices?
Visier offices are protected with access badges, security personnel, and surveillance cameras that monitor all entry and exit points. We have also designed the delivery of our solutions to ensure that no customer data is required to be stored on premises at our offices.
Is the facility where customer data is stored physically secure?
We selected the world's top data center provider, Amazon Web Services (AWS), to ensure we have sufficiently secure facilities and processes to help us manage and process highly sensitive data. AWS facilities have controls such as security cameras, physical ID passes for their authorized personnel, access control mechanisms for the infrastructure, and environmental controls such as uninterruptible power supplies, temperature control, and fire suppression systems. We perform periodic assessments of the service provider to validate that their internal controls on physical security continue to meet our standards and requirements.
Vulnerability Management
Does Visier have a Threat and Vulnerability Management Program?
Visier’s comprehensive Vulnerability Management Program adopts a proactive and multi-layered defense strategy for protecting critical assets and information.
Visier’s Product and Infrastructure Security and Information Security teams continually monitor and scan our infrastructure, systems, and networks to identify threats and vulnerabilities. The team employs a risk-based approach towards prioritizing and remediating vulnerabilities to ensure security risks are addressed within a timely manner. Other key components of the program, such as frequent patching and platform security maintenance, ensure we proactively combat security threats to the core infrastructure that support our solutions.
When will Visier notify the customer if their data is affected by a security incident?
Visier will notify the customer of such security incidents within twenty-four (24) hours following confirmation.
To see more details on our security incident process, see Visier’s Customer Data Safeguards Policy https://www.visier.com/trust/docs/safeguards-policy/.
Who do I contact if I have seen a potential vulnerability or security issue or to make an enquiry about security of Visier services?
Please contact our security team at security@visier.com.
Secure Data Centers & Service Availability
Where are the solutions hosted?
Our solutions are hosted in Amazon Web Services (AWS) highly secure data centers with top-tier physical, technical, and environmental safeguards. The data centers are physically dispersed within each of our geographical regions (Canada, United States, Germany, and Singapore) for redundancy and to minimize impacts to the availability of our solutions in the event of an environmental disaster. Apart from maintaining geographically dispersed data centers, we also rely on AWS Availability Zones (AZ) for system resiliency and multi-site redundancy, which enable encrypted, near-real-time data replication and recovery.
How does Visier ensure availability of its solutions?
Our Site Reliability Engineering (SRE) team regularly monitors our global infrastructure to plan for sufficient capacity. State-of-the-art technologies are leveraged to offer our customers reliable on-demand cloud computing and capacity management. Such technologies enable our solutions to easily scale and accommodate demand from both small and large enterprise customers.
How can I check the current uptime status of the Visier solutions?
We designed our solutions to be available around the clock except during maintenance windows, which are used to perform system updates, and infrastructure, security, and technology upgrades. You can view our near real-time system uptime reporting at https://status.visier.com/.
To see more details on when our maintenance windows are and non-standard maintenance notice communications, see Visier’s Support Policy https://www.visier.com/trust/docs/support-policy/.
Business Continuity and Disaster Recovery
What is Visier’s approach to business continuity and disaster recovery?
Our integrated approach for ensuring the resiliency/recovery of our services and operations is guided by the Visier Business Continuity Policy. Several teams across Visier work together to maintain business continuity plans and processes to ensure the organization is capable of operating critical functions during a major disruption or disaster (e.g. natural calamities, pandemic outbreak). The Executive Management team has defined a comprehensive business continuity strategy covering:
- Disaster Recovery
- Business Continuity
Visier’s Disaster Recovery Plan (DRP) addresses the recovery/resilience of information assets (e.g. customer data, networks, servers, and other resources within the data centers) to ensure customers can access our solutions in the event of a disaster. The DRP is regularly tested to ensure that services can be recovered within the stipulated timelines. The DRP is reviewed at least annually by Visier management and our external auditor (as part of the annual SOC 2 Type II audits) and updated based upon lessons learnt.
Visier’s Business Continuity Plan (BCP) addresses risks across several areas (including human, business, and technology) to ensure we can continue business operations in the event of a disaster. To ensure the plan addresses different teams and requirements, our business continuity planning process involves the whole organization. Amongst other areas, the plan covers the following:
- Secondary and alternative measures are considered and implemented when primary resources or functions are impacted because of a disaster.
- Pandemic Planning, and the maintenance of holistic health and safety plans to ensure the well-being of Visier employees, customers, and stakeholders.
- Ensuring employees are well-equipped with secure technologies to work remotely for prolonged periods during times Visier’s offices are unavailable for any reason.
- Performing regular testing and other validation procedures to ensure we are still able to meet security and availability commitments to customers.
- Identifying and training resources (e.g. table-top exercises, other simulated activities) to ensure critical resources can be recovered within the stipulated timelines.
To see more information relating to business continuity and disaster recovery, see Visier’s SOC 2 Type II report or Customer Data Safeguards Policy https://www.visier.com/trust/docs/safeguards-policy/.
Does Visier share their Disaster Recovery plan and test results externally?
Visier does not share its Disaster Recovery plan and its test results due to confidentiality reasons. The plan is reviewed by the external auditor as part of the annual SOC 2 Type II audits, see Visier’s SOC 2 Type II report.
Privacy
Do employees go through privacy training?
All employees complete mandatory privacy training during onboarding and periodically thereafter. Authorized employees provisioned with access to customer data are required to complete additional training.
How are Visier solutions designed and developed with privacy in mind?
We have embedded the privacy by design principles of data stewardship, transparency, user control and responsible use into how we build our products and solutions and operate our services. This means we deliberately and proactively consider privacy impacts during the concept and design stages and throughout product development. This helps to maximize the value of the data while reducing privacy risks introduced at the various stages of the data lifecycle. We look for opportunities to make privacy-enhancing design choices to help comply with legal requirements or to meet best practices. In addition, we incorporate privacy reviews and approvals for all major releases before they become generally available.
To learn more on how Visier applies Privacy by Design, see https://www.visier.com/trust/privacy/privacy-by-design/.
Does Visier hold any privacy certifications?
Visier has achieved TrustArc's Privacy Verification and International Privacy Verification seals, which publicly exemplify our dedication and commitment to upholding industry-established, internationally recognized privacy principles and standards.
Where is customer data/personal data stored?
Mindful that our customers may face organizational restrictions on where data may be stored, Visier has strategically established data centers in Canada, Germany, Singapore, and the United States to enable customers to comply with data localization and data residency requirements.
What is Visier’s Privacy Statement?
Please see https://www.visier.com/privacy/.
Does Visier have a Data Privacy Addendum (DPA) with Standard Contractual Clauses (SCCs)?
The DPAs can be found on Visier’s Trust & security site, see https://www.visier.com/trust/docs/dpa-intl/ for global or https://www.visier.com/trust/docs/dpa/ for US.
What personal data can and cannot customers transfer to Visier for processing?
Permissible personal data includes name, work location, employee information, gender, etc. Customers should not submit national identifiers, government-issued IDs, credit card numbers, etc.
To see more examples of data that are permissible and data that should not be submitted, see the DPAs https://www.visier.com/trust/docs/dpa-intl/ for global or https://www.visier.com/trust/docs/dpa/ for US.
How does Visier manage international personal data transfers?
When Visier transfers personal data from the EEA, the UK, or Switzerland to another country such as the United States (US), appropriate data transfer solutions such as Visier’s Data Privacy Addendum (DPA) that incorporates the European-Commission-approved Standard Contractual Clauses (SCCs) and the UK-approved international data transfer addendum, are used.
Following the adequacy decision by the European Commission (EC), Visier also relies on the EU-U.S. Data Privacy Framework (EU-U.S. DPF) as a legal basis for transfers of personal data from the EU to the US. Visier will rely on the UK extension to the EU-U.S. DPF and the Swiss-U.S. DPF when the applicable local authorities approve the adequacy decisions. In the meantime, Visier continues, and will continue, to offer a DPA with SCCs to every customer who needs one, in addition to relying on the EU-U.S. DPF.
To view our participation in the EU-U.S. Data Privacy Framework, see https://www.dataprivacyframework.gov/.
How does Visier support General Data Protection Regulation (GDPR) requirements?
Visier has an appointed Data Protection Officer (DPO) to oversee its Privacy and Data Protection Program, which includes comprehensive privacy policies and notices, adopting privacy-by-design in how we design, build and govern our solutions, enhancing contract language, refreshing employee privacy training, managing vendor relations, and preparing records of processing activities to ensure that we know what data we collect, where it resides, and the purposes for processing.
To learn more about Visier's commitment to privacy and compliance with GDPR, see https://www.visier.com/trust/privacy/gdpr/.
Does Visier comply with California Consumer Protection Act (CCPA)?
Visier monitors emerging regulations and takes the necessary actions to comply with the California Consumer Protection Act (CCPA).
For more information see the CCPA Privacy notice https://www.visier.com/ccpa-privacy-notice/.
Where do customers get more information to help them conduct a Data Transfer Impact Assessment (DTIA) with respect to the use of Visier services?
Visier has put together an information sheet to help support customer’s assessment here: https://www.visier.com/trust/privacy/data-transfer-impact-assessment/.
Please note that this document is for informational purposes only and does not constitute legal advice. Visier customers are responsible for conducting their own independent risk assessment of data transfers in connection with their use of Visier services. Visier’s obligations to customers are outlined in the respective customer agreements and this document does not form part of, or modify, any agreement between Visier and Visier customers.
Does Visier utilize sub-processors to process or have access to customer data?
At Visier, we use sub-processors to perform certain technical, administrative and support functions required in the provision of services. A sub-processor is a third-party entity that has, or may have access to, or may process, customer data.
For the current list of sub-processors and their purpose of processing, see https://www.visier.com/trust/privacy/sub-processors/.
Does Visier perform due diligence on the sub-processors?
Before we engage a new sub-processor, we conduct a comprehensive vendor assessment, including a review of the vendor's privacy and security practices, to ensure they meet our standards. We require sub-processors to sign a Data Privacy Addendum (DPA) that provides protections at least as strong as those in our DPA with customers, and these DPAs always include Standard Contractual Clauses (SCCs) as a data transfer mechanism.
Can I be notified of any changes to the sub-processors list?
Visier customers with an active subscription may subscribe to receiving notifications of new sub-processors by filling out this form.
How do I unsubscribe to Visier’s newsletter(s) or other marketing communications?
You may choose to stop receiving those communications by using the unsubscribe link included in our emails or by contacting our marketing team at marketing@visier.com.
Who do I contact if I have privacy questions or want to exercise my privacy rights?
Please contact our privacy team at privacy@visier.com.
To see details on what your privacy rights and choices are, see Visier's privacy statement https://www.visier.com/privacy/.
What is the contact information for Visier's Data Protection Officer (DPO)?
To reach Visier’s DPO, please email: dpo@visier.com, by phone to: 1-888-277-9331, or send a letter by post to: Visier Privacy Office, #400-858 Beatty Street, Vancouver BC, V6B 1C1.
Compliance & Legal
What third-party audits and attestations, certifications, and/or self-assessments does Visier have?
Visier has a SOC 2 Type II audit report that can be found individually or within the Visier Trust Assurance Package (TAP) on the Visier Trust Assurance & Artifacts Knowledge Base. Please note that the report must be opened using Adobe Acrobat Reader, downloadable from Adobe’s website. Further troubleshooting instructions can be found in the Visier Trust Assurance Package (TAP) or Visier SOC 2 Type II Report articles.
Visier has also completed the CSA Consensus Assessments Initiative Questionnaire (CAIQ) and achieved CSA STAR Level 1 status, see https://cloudsecurityalliance.org/star/registry/visier-inc/services/visier-inc.
When will Visier’s next SOC 2 Type II report be released?
Visier’s SOC 2 Type II report typically releases in March of every year.
Is Visier ISO 27001 certified?
No, Visier is currently not ISO 27001 certified.
Does Visier have a security/trust portal for customers to download security documents for themselves?
Yes: the Visier Trust Assurance & Artifacts Knowledge Base.
Existing customers may access this portal and download Trust Assurance documents (such as the SOC 2 report) themselves. If you are a prospective customer, you will need to reach out to your Account Executive for assistance in obtaining such documents.
What standards and frameworks are Visier policies based on?
The structure and content of Visier’s policies are based on several industry standard frameworks, best practices, laws, and regulations including but not limited to:
- ISO/IEC 27001; ISO/IEC 27002
- ITIL and COBIT frameworks
- Relevant publications from the United States National Institute of Standards and Technology (NIST)
- EU-U.S. Data Privacy Framework (DPF)
Will Visier be able to share their policies to customers/prospects?
Visier does not share organizational policies in their entirety with external parties due to confidentiality reasons. In lieu of sharing the individual policies, there are multiple places where customers and prospects can see what policies Visier has:
- A brief description of Visier policies on Visier’s Trust & security site, see https://www.visier.com/trust/compliance/visier-corporate-policies/.
- A listing of policies in the Visier SOC 2 Type II report.
- A Table of Contents page of policies, standards, plans and programs in the Visier Trust Assurance Artifact document within the Visier Trust Assurance Package (TAP) or Trust Assurance & Artifacts Knowledge Base.
Are policies periodically reviewed and approved?
Policies are reviewed and approved by Executive Management at least annually and are made readily available to all Visier employees on the corporate intranet.
Are employees made aware and trained on the policies?
Employees are trained on select policies as part of the new hire onboarding process and on an annual basis.
Where can I find publicly available Visier legal documents?
Visier’s legal documents can be found on Visier’s Trust & security site, such as:
- Master Software as a Service Agreement (MSA)
- Services Support Policy
- Customer Data Safeguards Policy
- Insurance Schedule
- Data Privacy Addendum (DPA)
- Acceptable Use Policy
Please see the Documents section of the site: https://www.visier.com/trust/docs/msa/.
I have an issue I need help with, how do I get support?
You may log support issues 24 hours a day, 7 days a week, 365 days a year, by logging into https://help.visier.com/visiersupport, by creating a new case in the support section of the Visier Community website, or clicking on the ‘help’ icon from your SaaS Services. Your Technical Support Analyst is available to respond to requests and log issues during Business Hours.
To see more details on how issues are managed and when to expect a resolution, see Visier’s Support Policy https://www.visier.com/trust/docs/support-policy/.
Does Visier have an external code of conduct?
Visier’s external code of conduct can be found on Visier’s Trust & security site, see https://www.visier.com/trust/code-of-conduct/.