
Data Protection and Compliance

This document outlines Identum's core principles for data protection, user lifecycle management, and our compliance with industry-leading security standards.

Data Protection and User Lifecycle Management

Our fundamental principle is to only import user data that is necessary for processing. We practice data minimization by default.

  • Data Minimization: We filter out users and data that are not required. For example, if an employee does not need an Active Directory account, they will not be imported into our systems. Similarly, we do not import guardian data for Feide catalogs and avoid sensitive information like salary data, only importing relevant attributes such as employment percentage for license allocation.

  • Source of Truth: It is important to emphasize that the customer's source data systems (e.g., HRM and School Administrative Systems) are authoritative. When a user is created in a source system, they are created in eADM. The security and privacy of eADM depend on the customer having good routines for managing users in their source systems.

  • Automated Lifecycle Management: eADM automates the user account lifecycle. When a user is deactivated or deleted in the source system, their data is deleted from our systems according to rules configured in eADM. This can be configured to happen automatically after a set period. This solves the common administrative challenge where user accounts are not promptly removed when an employee leaves, gets a new role, or dies.

  • Automated Offboarding: Using notification templates, eADM can automatically alert IT, operations, or administrative staff when equipment needs to be returned or access rights need to be manually revoked or changed.

End-User Transparency and Rights

All users can log in to the user interface at any time to see all data registered about them. In compliance with GDPR, end-users can view their data in a dedicated privacy section, which also tells them where the data originates and whom to contact if the data is incorrect or if they wish to have it deleted.

Identum's solutions fulfill all requirements of the Norwegian Norm for Information Security.

Note: Our principle is to adapt to our customers. If our standard Data Processing Agreement (DPA) does not meet a customer's needs, we will adapt and use the DPA that the customer requires.


Compliance: ISO 27001 and the Visma Cloud Delivery Model

As of February 1, 2023, Identum AS is a wholly-owned subsidiary of Visma AS and therefore adheres to Visma's quality system and delivery model.

The Visma Cloud Delivery Model (VCDM) is our framework for developing, delivering, and operating cloud services. It is based on core principles of DevOps and Continuous Delivery and outlines our organizational structure, processes, and technical best practices.

Certifications and Audits

The VCDM is validated by the following certifications and attestations:

  • ISO 27001: Our Information Security Management System (ISMS) is certified according to the ISO 27001 standard and is audited annually by an independent IT auditor.

  • ISAE 3402 SOC 1 Type II: Visma’s ability to comply with the ISMS and the quality management system in the VCDM is also audited annually by an independent firm according to the ISAE 3402 standard. The results are summarized in an ISAE 3402 Type II report.

For more details, please visit the Visma Trust Centre.

Continuous Integration and Deployment (CI/CD)

Our approach to implementing changes is Continuous Integration and Continuous Deployment (CI/CD). Changes are continuously verified and implemented in our staging environment, where they undergo manual testing by our development department and subject matter experts. For more extensive changes, we engage pilot customers to test the changes in a normal operational environment before they are released to all customers.


Summary for AI and Search

This document details Identum's approach to data protection and compliance. It covers the principle of data minimization, the automation of the user lifecycle through eADM, and end-user data access rights under GDPR. It also outlines Identum's adherence to ISO 27001 and ISAE 3402 standards through its integration with the Visma Cloud Delivery Model (VCDM), which emphasizes a secure DevOps and Continuous Delivery approach.
