Trust centre
Customer trust and data security are essential to everything we do at ISPnext.
At ISPnext, the security of our customers' data is paramount. We maintain robust security policies and continuously invest in innovative security measures to protect customer data from cyber threats. Visit the sections below for more detailed information on our Certifications and audit assurance, Security and Privacy.
Key features
Certifications and audit assurance
ISO 27001
ISPnext is committed to the highest possible information security. Therefore, we have implemented an Information Security Management System (ISMS) that meets the stringent requirements of the ISO 27001 standard. This international standard applies to all types of organisations and helps us establish, implement, monitor, maintain and improve effective information security policies. The ISO 27001 standard requires us to implement appropriate and proportionate security measures tailored to our organisation's specific risks. This ISMS enables us to ensure the confidentiality, integrity and availability of your data and strengthen the trust of our stakeholders.
You can request the documents below via security@ispnext.com:
- ISO 27001 certificate
- Declaration of applicability
ISAE 3402 type II
ISAE 3402 Type II is an internationally recognised assurance standard that helps organisations demonstrate the effectiveness of their IT security measures. This reporting includes an independent audit of the internal controls relevant to the security of your data and IT infrastructure. An ISAE 3402 Type II report provides increased assurance that your data is well protected. In addition, the report provides insight into ISPnext's security measures and demonstrates that we meet the highest standards. This helps you comply with relevant IT security laws and regulations. ISPnext confirms its commitment to IT security with an ISAE 3402 Type II report performed by an independent auditor. This confirms that our IT security measures are effective and meet the highest standards. "The hosting and development of the BSM platform on the Microsoft Azure infrastructure" is the scope of our ISAE 3402 assurance and is based on the following processes:
- Development & testing
Strict development and testing procedures have been implemented to ensure the security of our software and IT systems. All new code is thoroughly tested for vulnerabilities and potential security risks.
- Infrastructure
ISPnext uses Microsoft Azure's state-of-the-art IT infrastructure with advanced security measures to protect your data. Regular backups and disaster recovery plans ensure that your data is always available, even in case of emergencies.
- Security & Privacy
Strict security policies and procedures are in place to protect your data from unauthorised access, use, disclosure, modification or destruction. We comply with all relevant data protection laws and regulations, such as the AVG.
- Logging & Monitoring
We continuously monitor our IT systems for suspicious activity and potential threats. All logs are kept and analysed to identify and investigate any security incidents.
Through security@ispnext.com, you can request the document below:
- ISAE 3402 Type II report (NDA required)
FSQS-NL
ISPnext holds the FSQS-NL certification, which stands for the Financial Services Qualification System Netherlands. This certification confirms that ISPnext meets the stringent standards of the financial sector, enhancing trust in the quality and security of our software solutions. For you as a customer, this serves as additional assurance that you are partnering with a reliable and compliant supplier. With this certification, we reaffirm our position as a partner that minimises risks and ensures regulatory compliance.
Microsoft Azure
ISPnext has chosen Microsoft Azure solutions for the hosting and security of our solutions. Microsoft Azure offers a comprehensive range of security and compliance measures to protect data and IT infrastructure. Here is a list of the most important measures:
- ISO/IEC 27001: Information security management system certification.
- ISO/IEC 27018: Certification for the protection of personal data in the cloud.
- SOC 1, SOC 2, SOC 3: Audits for service organisations assessing the security, availability, integrity, confidentiality, and privacy of customer data.
- GDPR compliance: Full compliance with the General Data Protection Regulation.
- Microsoft Defender for Cloud: An integrated security and compliance management tool.
- Azure Security Center: Real-time monitoring of the security status of Azure environments.
- Encryption: Encryption of data at rest and during transmission using strong encryption methods.
- Identity and Access Management (IAM): Management tools for access and identity, including Azure Active Directory.
- Multi-Factor Authentication (MFA): Additional security layer for user authentication.
- Threat Detection and Prevention: Advanced threat detection and prevention tools, such as Azure Sentinel and Microsoft Defender.
- Network Security: Use of firewalls, secure network groups and VPN gateways for network security.
- Data Residency and Sovereignty: Capabilities to keep data in specific geographical locations to comply with legal and regulatory requirements.
Security
Our commitment to your security is evidenced by our ISO 27001 certification, which independently confirms that we meet the highest standards of information security. This certificate guarantees that we maintain the highest standards of information security. In addition, our ISAE 3402 type 2 assurance report provides transparency on our IT security controls and processes. This report provides detailed insights into our security measures and offers assurance that your data is safe.
We are fully compliant with GDPR, the European privacy legislation, ensuring that your personal data is handled with the utmost care and in line with the strictest privacy regulations. Your data is hosted in the secure Microsoft Azure environment, which offers an unparalleled level of security and reliability, ensuring your data is optimally protected.
Our security policies and practices are constantly monitored by our IT Security Board, a team that ensures that our security measures are always up to date. We deliberately take a transparent approach and are happy to inform you in detail about our security measures.
Knowledge and awareness
At ISPnext, the security of your data and systems is paramount. We aim for everyone in our organisation to have the same high standards to protect your information. Below you can read how we achieve this:
- New employees
From the start, we inform new ISPnext employees about our commitment to security and privacy. We do this through a presentation during induction training. In addition, it is mandatory to complete an information security training course. This forms an essential part of our security plan.
- Phishing tests
To train our employees to recognise and report phishing emails, we regularly send test phishing emails. These test emails contain valuable tips on recognising phishing and the right way to report it. We offer various training courses where employees learn more about the different types of cyber threats and how to recognise them.
- External expertise and testing
ISPnext engages reputable external IT security specialists to optimise our processes. Both our infrastructure and the software developed by ISPnext are periodically scanned for vulnerabilities. Security tests on our software are an integral part of our ISPnext Security Framework. These tests are performed annually to identify technical vulnerabilities, which is an important part of our ISAE 3402 Type II assurance reporting.
- Collaboration is essential
By paying continuous attention to security and privacy, and by involving our employees in this process, we at ISPnext create a secure working environment for everyone. We believe that this shared responsibility is the best basis for protecting your data.
Privacy
In this privacy policy, we use a number of definitions (these definitions apply in both singular and plural):
- Regulation: these privacy rules.
- Privacy legislation: AVG (General Data Protection Regulation).
Explanation of regulations
ISPnext is not allowed to process the data provided. Privacy legislation is designed to protect the privacy of individuals. This legislation limits the permitted use of your personal data by others. Under this law, ISPnext has a duty to its customers:
- to be informed about how and for what purpose data is processed by ISPnext;
- to know who may access the data;
- to consent to the processing of certain data.
ISPnext values your privacy. Therefore, ISPnext explains in these regulations how it handles your data, the purpose of its use and for which processing of data ISPnext must explicitly request your consent. ISPnext may process your personal data if you become or are an ISPnext customer, visit the website, are an employee of ISPnext, sign up for ISPnext newsletters or contact us via the contact form. ISPnext collects your IP address, name, company name, phone number, email address and interests in our solutions. We also process employees' BSN number and a copy of their ID card. This data allows us to:
- settle, financially and administratively, the agreement that customers conclude with ISPnext;
- provide our services;
- fulfil our obligations as an employer;
- contact customers or interested parties if necessary;
- further develop/optimise our services;
- offer you tailor-made information (direct marketing).
Provision of personal data to third parties
ISPnext does not provide personal data to persons or companies outside the ISPnext organisation unless:
- this is required by law;
- this is necessary for the performance of an agreement that ISPnext has concluded with you;
- you have given your consent to do so.
Duties/secure access/secrecy/retention period
- ISPnext processes your personal data only in accordance with the law. This means (inter alia) that the data shall only be processed for the purpose for which it is obtained and in a proper/careful manner in accordance with the law.
- Your personal data can only be viewed by the personnel of ISPnext, unless otherwise provided in these Regulations. All your personal data will be protected by ISPnext against unauthorised access.
Security consists of the following:
- each employee has a personal password to log into the digital environment;
- the employees of ISPnext have a duty of confidentiality in respect of all personal data provided to ISPnext;
- ISPnext has taken technical measures to secure the system it uses against external breaches in accordance with the law;
- your personal data will not be kept longer than necessary for proper administration.
Your rights as a data subject
- right to information: the right to know whether and which of your personal data are being processed and for what purpose;
- right of inspection: the right to inspect and copy data insofar as this does not infringe the privacy of another person;
- the right to correct, supplement or delete data if necessary (right of correction and deletion). The right to request (partial) deletion of your data can only be met if keeping the data is not of significant interest to another person and the data should not be kept on the basis of a statutory regulation;
- the right to object: the right to oppose the processing of your data in certain cases;
- the right to data portability: the right to receive the personal data held on you in order to transfer it to another organisation;
- the right to human review in automated decisions. In the case of an automated decision, there is the right to have the decision made by human intervention.
If you want to exercise your rights, you can notify us by email at security@ispnext.com. If your request is refused, we will explain why. One reason may be that your file contains information that is or could be of interest to others. You will be informed by ISPnext within one month after receipt of your request. If you have a complaint about the processing of your personal data, you can also contact ISPnext and ISPnext will try to find a solution together with you. Do you have any (other) comments/questions/suggestions or would you like to object to direct marketing by ISPnext? For that too, you can contact us in writing. Naturally, ISPnext will also treat personal data provided in this context confidentially and with care. Our current contact details can be found on the contact page.
Our general terms and conditions can be found here.