Product Security
Admicom is committed to delivering secure software solutions that meet the high security standards of our customers. This includes both our cloud-based SaaS and desktop applications. As part of this commitment, we have established robust and repeatable processes and practices to ensure the secure development and operation of all our products, regardless of their deployment environment.
Secure Software Development Lifecycle (SDLC)
We maintain a clearly defined, high-level Secure SDLC framework to ensure that security is integrated into every stage of development. The framework is utilized in all our development work and by all our teams. This structured approach ensures that both internal processes and outputs align with industry best practices and the expectations of our customers.
Threat-Driven Security Requirements
Our sprint processes include defining security requirements based on threat modelling, security best practices such as OWASP ASVS and the OWASP Top 10, and customer expectations. This ensures that development efforts proactively address potential risks relevant to the application and its environment.
Security Champions in Agile Teams
Each development team includes a dedicated Security Champion who oversees security matters during sprints. This role ensures that security remains a priority and is effectively integrated into daily workflows, including sprint planning, reviews, and retrospectives. Our Security Champions collaborate across team boundaries, ensuring that our security practices are integrated and not confined to isolated silos.
Focused Security Training
Our teams, including developers, platform engineers, and other relevant roles, participate in regular, role-specific security training. These programs are tailored not only to web application and software development but also to infrastructure, tooling, and operational practices. Top management also receives security awareness training to stay informed about key risks and responsibilities. Their active involvement reinforces a strong security culture and ensures organizational alignment and support for secure product development.
Regular Security Testing
We conduct annual security testing on all our SaaS applications and platforms. Findings from these tests are logged as actionable tickets in our development teams' ticketing system. This integration ensures that security issues are addressed systematically within the same workflows as other development priorities.
Secure Cloud Operations
The SaaS platforms we operate are continuously monitored for potential threats and anomalies. This ensures a proactive approach to identifying and mitigating risks to the operational environment. Incidents are identified through a combination of automated detection mechanisms (such as intrusion detection systems and anomaly detection) and manual oversight by our operations team.
Once an incident is detected, it is handled following a well-defined incident response process. All incidents are documented in detail and treated as learning opportunities, feeding into our continuous improvement processes.
To ensure resilience, we have implemented disaster recovery processes. These include regular backups and rehearsals of our recovery plans to minimize downtime in case of critical incidents.
Authentication and Authorization
User authentication is based on an email address and password. In addition, users can authenticate using their Microsoft or Google identities. Users can also add a further layer of authentication with MFA or an eID method such as Smart ID.
Each tenant is separated via user access privileges, and user privileges are managed by administrators chosen by the customer. Access rights define the user's general permissions within the application, as well as ownership, viewing, and editing rights for individual entity types or individual entities.
Log Data and Monitoring
The SaaS platform stores log data and analytics related to its use. Log entries may include information such as timestamp, user identity, the part of the application accessed or modified, and the originating IP address. To ensure log integrity and support forensic readiness, log data is securely stored in a centralized location, separate from the systems that generate the logs. Access to audit trails and logging infrastructure is controlled and limited to personnel responsible for operations, including product developers and platform engineers. Access is role-based and monitored to ensure accountability.
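The two sections above describe an access model (tenant separation, general role permissions, and per-entity ownership, view and edit rights) and an audit log whose entries carry a timestamp, user identity, the part of the application touched, and the originating IP address. The following is an added illustration of how those two pieces fit together, written for this page; it is not Admicom's code, and the role names, entity types, policy table, sample users and IP addresses are constructed. Every decision, allowed or denied, produces an audit entry, and cross-tenant attempts are flagged explicitly so that monitoring can pick them out.

```python
"""Tenant-scoped authorization check with structured audit logging.

Added illustration, not Admicom's code. Policy contents, roles, entity types
and sample data are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
import json


class Right(str, Enum):
    VIEW = "view"
    EDIT = "edit"


@dataclass(frozen=True)
class User:
    user_id: str
    tenant_id: str
    roles: frozenset  # general permissions granted by the tenant's administrator


@dataclass(frozen=True)
class Entity:
    entity_id: str
    tenant_id: str
    entity_type: str  # hypothetical types, e.g. "invoice", "project"
    owner_id: str


# Constructed sample policy: role -> entity type -> rights.
# "*" stands for every entity type.
POLICY = {
    "admin": {"*": {Right.VIEW, Right.EDIT}},
    "editor": {"invoice": {Right.VIEW, Right.EDIT}, "project": {Right.VIEW}},
    "viewer": {"invoice": {Right.VIEW}, "project": {Right.VIEW}},
}

AUDIT_LOG: list = []  # stand-in for the centralized log store


def decide(user: User, entity: Entity, right: Right) -> bool:
    """Return True if `user` may exercise `right` on `entity`."""
    # The tenant boundary is checked first and is never overridden by roles:
    # an admin of tenant A has no rights in tenant B.
    if user.tenant_id != entity.tenant_id:
        return False
    # Ownership grants view and edit on the owner's own entities.
    if entity.owner_id == user.user_id:
        return True
    # Otherwise fall back to the general role permissions for this entity type.
    for role in user.roles:
        per_type = POLICY.get(role, {})
        granted = set(per_type.get(entity.entity_type, ())) | set(per_type.get("*", ()))
        if right in granted:
            return True
    return False


def authorize(user: User, entity: Entity, right: Right, source_ip: str) -> bool:
    """Evaluate access and write an audit entry regardless of the outcome."""
    allowed = decide(user, entity, right)
    AUDIT_LOG.append({
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "user": user.user_id,
        "tenant": user.tenant_id,
        "resource": f"{entity.entity_type}/{entity.entity_id}",  # part of the application touched
        "action": right.value,
        "source_ip": source_ip,
        "result": "allow" if allowed else "deny",
        # Flag cross-tenant attempts explicitly so monitoring can alert on them.
        "cross_tenant": user.tenant_id != entity.tenant_id,
    })
    return allowed


def cross_tenant_denials(log=AUDIT_LOG) -> list:
    """Detection helper: entries where a user touched another tenant's data."""
    return [e for e in log if e["cross_tenant"]]


if __name__ == "__main__":
    # Constructed sample users and entity.
    alice = User("alice", "tenant-a", frozenset({"viewer"}))
    bob = User("bob", "tenant-b", frozenset({"admin"}))
    inv = Entity("inv-1", "tenant-a", "invoice", owner_id="carol")
    print(authorize(alice, inv, Right.VIEW, "203.0.113.10"))  # True: viewer may view
    print(authorize(alice, inv, Right.EDIT, "203.0.113.10"))  # False: viewer may not edit
    print(authorize(bob, inv, Right.VIEW, "198.51.100.7"))    # False: wrong tenant
    print(json.dumps(cross_tenant_denials(), indent=2))
```

The ordering inside `decide` is the point worth copying: the tenant check comes before any role or ownership logic, so no role configured by a customer administrator can ever widen access beyond that customer's own tenant, and the audit record is written on the deny path as well as the allow path, which is what makes the log useful for forensic readiness.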
Data Transfer Protection
All data transferred between the client device and the SaaS platform is encrypted in transit over HTTPS/TLS using modern encryption algorithms and keys.
Backups
All data stored in the SaaS platform is regularly backed up or automatically secured in multiple locations using a distributed system. Backup copies are retained for a defined period in accordance with regulatory and business requirements. The platform supports both partial and full restorations based on the nature of the incident. To ensure readiness, restore procedures are tested periodically to validate the integrity and availability of backup data.
Services and Third Parties
Admicom uses reliable and secure third-party service providers to deliver its services. These providers are responsible for physical server security, security updates, and compliance. Proper agreements have been made with all service providers. Our services are primarily hosted within the EU, with a few exceptions. Regardless of location, all services are fully compliant with the GDPR.
Continuous Improvement
We believe security is not a one-time effort but a continuous process. By embedding security across development, operations, training, project management, and executive decision-making, we ensure that our SaaS offerings deliver the reliability and assurance expected by our customers. This holistic approach fosters a culture of continuous improvement and proactive risk management.
Regulatory Compliance
Admicom complies with the data protection legislation in force in Finland and the EU when processing personal data. All personal data is handled confidentially and responsibly.