CSI is strongly committed to maintaining and developing the reliability and security of its software, as security plays a critical role for all CSI customers. CSI’s security practices include role-based access control, data encryption, continuous improvement, and preparedness for exceptional situations.

CSI’s services are primarily provided in Finland, and employees are authorized to handle customer data only within the EU.

For OnPremise customers, the CSI database is located in the customer’s private network. Customers using the software as a cloud service can choose to host their database in Finland or Sweden. Cloud customers’ SQL connections are SSL-encrypted, and Azure cloud services use Transparent Data Encryption (TDE). VPN connections are encrypted, and integrations with third-party systems use the HTTPS protocol.

The CSI team is trained to consider security from design through deployment. CSI employees’ access to data is determined by their job role, and they are permitted to handle customer data only to perform tasks specified in the service agreement and only to the extent necessary. All employees have signed a confidentiality agreement. Any remote connections to a user’s computer or customer database are logged in the customer’s records.

If a copy of the customer’s database is needed to provide services, it is stored on a separate server and deleted immediately when no longer required. Similarly, data from a cloud customer who has terminated their software agreement is removed from the cloud service after a historical copy of the database has been delivered to the customer.

CSI applies DevSecOps practices to ensure security is built into the entire development lifecycle. The software development process includes code reviews by both developers and testers. Components used in development are sourced from trusted suppliers.

Systems are continuously monitored with automated daily vulnerability scans and alerts. Security is constantly improved in collaboration with customers and based on internal monitoring systems and employee observations. Core systems undergo annual external security assessments and penetration testing to validate controls and identify areas for improvement.

To manage security incidents, CSI has an Incident Response Playbook that provides guidelines for detecting, documenting, analyzing, classifying, and escalating incidents.