
Compliance

GDPR compliant

FA complies with the EU General Data Protection Regulation 2016/679 (GDPR). This means that we have implemented the required policies and processes to meet GDPR, both internally and for our customer installations.

FA as a Processor

FA acts as Processor for FA Customers' personal data stored by FA and our subcontractors. This is managed through Data Processing Agreements between FA and the respective Customer and between FA and relevant subcontractors.

FA keeps a record of processing activities carried out on behalf of our customers. These records, including valid subcontractors, are available in FA Helpdesk.

FA as a Controller

FA acts as a Controller for personal data like any other company. This includes, for example, HR data for FA employees and customer and prospect registers. We follow both GDPR and local laws in the countries we operate in.

ISO 27001 compliance

FA is certified in accordance with the ISO/IEC 27001:2013 standard. Within its organizational structure, FA has an information security management system (ISMS) that ensures the security of activities associated with developing, providing, and maintaining the FA platform. The role of the ISMS is to identify, assess and handle potential security risks. The ISMS is also responsible for responding to security incidents and breaches, conducting audits and assessments, and providing training and awareness to employees. In addition to the ISMS, the following practices are carried out by independent experts:

  • Release penetration test and yearly penetration test

    Penetration tests involve simulating a real-world attack by ethical hackers or security testers who attempt to exploit vulnerabilities and gain unauthorized access to systems or data. Release penetration tests are performed before releasing new software or updates to an existing system to ensure that no new vulnerabilities have been introduced.

    Penetration tests are performed by certified personnel on dedicated testing environments.

  • Monthly cloud review

    A monthly cloud review involves examining the security controls and configurations of the organization's cloud-based infrastructure to ensure that they are aligned with security policies and standards. The review includes evaluating access controls, encryption, network configurations, and other cloud security best practices.

  • Annual audit

    The annual audit is an independent review of an organization's information security policies, procedures, and controls. The audit examines the effectiveness of the organization's security measures in protecting its assets, including data, systems, and networks.

The ISO 27001 compliance certificate is available via the link: ISO 27001 compliance certificate.

ISAE3402 Type 2 Assurance Report (SOC1)

FA is certified in accordance with the International Standard on Assurance Engagements (ISAE 3402), Type II report, also referred to as SOC 1. Annual audit reports are published in January.

The majority of the controls generally apply to all FA customers, but only selected customer installations meeting the required criteria are included in the testing samples and the official general assurance report. The general annual assurance report is included in the FA plans Accelerate and Advance.

The report covers selected controls within the following control areas:

  • Access Management (AM)

  • Change Management (CM)

  • Backup and Recovery (BR)

  • Data Processing (DP)

  • Sub-Processor (SP)

A customer-specific ISAE3402 Type 2 assurance report targeting only the customer environment can optionally be conducted at an additional cost on a time and material basis. The customized assurance report is only available for the Advance plan.

Customized security audit

In addition to the FA annual security testing using an FA-defined cloud testing environment, it is also possible to conduct a customized security audit using the customer’s own cloud environment and data. This security audit can be conducted by the customer’s own independently selected security company. FA will provide the required support to the selected security company and the customer will contract and pay directly for the services provided by the security company.

FA’s external security company can be used for customer-independent security testing. The customer will then contract with and pay the security company directly.

The customized security audit is only available for the Advance plan.