InVision AG Trust Center

At InVision AG, we take security extremely seriously. We realize that our platform stores and processes sensitive information on behalf of our customers, including employee names, login details, working times, and more. In 2011, we launched injixo, the world’s first cloud-based WFM (workforce management) application, and we understood early on the duty of care that we have for our customers’ data.

Our headquarters are located in Germany, a country that is in the vanguard of data security and privacy legislation. German companies had to offer best-in-class security provisions long before the days of GDPR and this industry leadership continues today.

InVision AG combines enterprise-class security provisions with business processes that ensure that our applications, systems, and networks protect your data at all times. To date, we have had zero security breaches and it’s a core mission for us to maintain that record. That’s why blue-chip organizations in security-conscious sectors including banking, insurance, and government trust us with their employees’ data every day.

On this page, we provide details about our security provisions.

Compliance

InVision AG complies with the data security and privacy legislation in all the countries where we operate and deploy our products. We pride ourselves on adopting industry best practices and complying with leading international standards such as ISO 27001.

ISO/IEC 27001

InVision is ISO/IEC 27001:2013 certified and independent compliance audits are carried out on an annual basis.

InVision’s Information Security Management System (ISMS) covers the provision, operation, maintenance, and management of the injixo platform. It sets out the obligations that we place on InVision employees and third-party suppliers who create, maintain, store, access, process, or transmit information within our development & staging environments, and the production environment that is accessed by customers.

Our ISO 27001 certificate is available here.

GDPR

InVision complies with all aspects of the EU and UK General Data Protection Regulation (GDPR). Details of our GDPR compliance are explained in our Data Processing Agreement:

English | German | French

Data Protection Officer

InVision employs a dedicated Data Protection Officer, who may be contacted at privacy@invision.de.

Data Subject Rights

InVision supports our customers in respecting the rights of data subjects, namely the right to request the erasure of personal information, rights of access, and data portability. We enable InVision customers to delete employee data on demand.

Amazon Web Services

InVision hosts all customer data in Amazon Web Services (AWS) data centers that are ISO 27001 certified, PCI DSS Service Provider Level 1 certified, and/or SOC 2 compliant. More information about AWS’s security standards compliance is here.

Subprocessors

By using InVision’s injixo platform, your data may also be processed by InVision’s subprocessors. The InVision privacy policy includes the list of 3rd party processors used by InVision:

English | German | French | Italian | Spanish

Contractual Commitments

General Terms and Conditions

The duties, rights, and obligations of InVision and its customers with respect to the injixo platform are governed by the InVision General Terms and Conditions (GTCs). The GTCs can be found here:

English US | English UK | German | French | Italian | Spanish

Data Processing Agreement

The terms under which InVision processes customer data are shown in our Data Processing Agreement (DPA), which defines the categories of data processed, its retention, its deletion, and more. The DPA can be found here:

English | German | French

Technical and Organisational Measures (TOMs)

InVision publishes a set of Technical and Organisational Measures (TOMs), which describe the steps we take to safeguard the security of our customers’ data. The TOMs may be found in Annex 2 of the InVision Data Processing Agreement.

English | German | French

Cyber insurance

Our liability insurance includes cyber claim coverage. The insurance certificate is available on request.

 

Product Security

At InVision, security is not an afterthought. It is an integral part of the entire product journey, from design to implementation and deployment. We have developed a Secure Product Development Lifecycle (SPDL), which both proactively and retroactively discovers and resolves security vulnerabilities.

Secure Product Development Lifecycle

InVision’s SPDL is based on proven security best practices and implements a suite of robust checks across the software components, code, libraries, and services that are used at InVision.

Some of the SPDL checks include:

  • Multi-step approval process for changes to the production environment
  • Static Application Security Testing (SAST)
  • Software Composition Analysis (SCA)
  • Automated and manual Dynamic Application Security Testing (DAST)
  • Third-party dependency scanning

Penetration Testing

In addition to our regular internal checks, every year we engage a respected third party that performs penetration tests. These rigorous tests examine our systems and applications for errors and vulnerabilities, simulating the behavior of a hostile actor. Penetration testing results are available on request on completion of this form.

Secure by Design

InVision’s injixo platform includes multiple features that enhance data security and privacy.

Authentication security

Options include username and password or single sign-on (SSO).

IP whitelisting

Any injixo account can restrict access to users whose IP address is within a specific range. Only users from the allowed IP addresses can sign in to your injixo account. 

Password policy

Passwords must have at least eight characters and must use at least three of the four available character types: lowercase letters, uppercase letters, numbers, and special characters.

2-Factor authentication (2FA)

InVision offers 2FA for all users via SMS or an authenticator app.

Password storage

Passwords are hashed using bcrypt. bcrypt is a one-way function, so the stored value cannot be reversed to recover the password.

Role-based access control and permissions

Administrators can apply specific permissions and data access rights to each user.

Audit trail

InVision’s injixo application includes features to identify the user who made any changes to the data, with a timestamp for each action.

 

Infrastructure Security

InVision’s injixo platform is software-as-a-service (SaaS) and it runs in the cloud. Since injixo hosts sensitive customer data, we have adopted very high cloud security standards. We ensure that those standards are enforced at all times to keep your data secure.

Perimeter Security

The physical security measures in place on InVision’s own premises are described in Annex 2, paragraph I.2 of our Data Processing Agreement.

English | German | French

InVision uses the data centers of Amazon Web Services. AWS infrastructure services include backup power and fire suppression equipment. More information about AWS’s facilities is here. AWS on-site security includes security guards, fencing, security feeds, intrusion detection technology, and other security measures. More information about AWS’s physical security is here.

Data Encryption

Encryption at Rest

All customer data is encrypted with AWS KMS encryption, which uses the AES-256 algorithm. This applies to live data and backups. Passwords are protected from attack by strong encryption algorithms and techniques such as salting.

Encryption in Transit

All data that is transferred via insecure networks is encrypted in transit with Transport Layer Security (TLS), using strong cipher suites. InVision also uses methods including HTTP Strict Transport Security (HSTS) to further maintain the integrity of encrypted channels. Customers are invited to use tools such as Qualys' SSL Labs and Security Headers to verify the TLS ciphers and algorithms in use by InVision.

Tenant Isolation

InVision ensures the data of each customer is stored and processed separately from the data of other customers. This is achieved via logical customer separation in a multi-tenant environment. Each customer is assigned a unique identifier.

Business Continuity

InVision has a documented Business Continuity Management (BCM) Policy that governs our disaster recovery planning. The goal is to ensure that your data is always available, even following a severe outage. Our availability target is described in our General Terms and Conditions (GTCs). We have significantly exceeded this target since the launch of our injixo platform in 2011. The GTCs are here:

English US | English UK | German | French | Italian | Spanish

InVision maintains a system status webpage that is publicly accessible. It includes system availability details, scheduled maintenance, service incident history, and relevant security events. It can be found here.

 

Security Policies

InVision has developed and maintains a comprehensive set of security policies that underpin our entire operation.

Here are some examples of our policies in action.

Security Awareness, Training, and Assurance

Everyone at InVision lives and breathes the security and privacy policies. Every employee must complete an annual data protection and information security training course. 100% completion is mandatory and the results of the training are registered. Naturally, registration is done in compliance with data protection regulations.

Security Incident Response Plan

InVision’s Security Incident Response Plan (SIRP) is a critical element of our security policies. The SIRP is a solid protocol that enables us to take corrective action in response to security-related incidents effectively, consistently, and in a timely fashion. Any potential threats to customer data are treated with the utmost urgency and importance. The Security Incident Response Plan is triggered when customer data has been compromised, or when it potentially could be compromised. Our security specialists are highly skilled in investigating security incidents and they apply industry best practices, ensuring compliance with all legal obligations. For example, in case of a data breach, InVision immediately notifies the Data Controller in accordance with our GDPR obligations, including the Technical and Organizational Measures (TOMs).

The Policies

The suite of policies includes information security, bring-your-own-device, mobile device and teleworking, people operations, security training & awareness, asset management, access control, physical security, change management, secure development, supplier relations, incident management, business continuity, compliance, and many more. The majority of them refer to relevant clauses of industry standards documentation, e.g. ISO/IEC 27001.

Some examples:

  • Mobile Device and Teleworking Policy: This is designed to prevent unauthorized access to mobile devices both within and outside InVision’s premises. It sets out six rules that must be followed by employees when taking mobile computing devices off-site, e.g. not leaving equipment unattended and ideally physically locked, keeping the operating system up-to-date, encryption, passwords, and more. It sets out five rules for teleworking, including prevention of unauthorized access, local area network (LAN) configuration, protection of the company’s intellectual property, and a list of permitted and prohibited types of activity that may be performed by teleworkers.
  • Acceptable Use of Information Assets Policy: The purpose of this policy is to define clear rules for the use of information systems and other information assets, e.g. computers and smartphones belonging to InVision. It sets out acceptable use, e.g. the assets are only to be accessed by the employee, illegal materials and unlicensed software must not be installed and company data must not be transferred. Information asset keepers are recorded in an inventory and assets must be returned upon termination of employment contracts. Malware protection is mandatory and there are strict obligations for user accounts, passwords, internet use, email, and other messaging services. All data created, stored, sent, or received through information systems is the property of InVision and the company reserves the right to monitor the systems for compliance.
  • Access Control Policy: This is designed to define the rules for access to systems, equipment, facilities, and information based on business and security requirements. The basic principle is that access to systems is forbidden unless explicitly authorized for individual users or groups of users. The policy includes the registration procedure for each system and provides access profiles for various functions within the organization, e.g. Engineering, Platform Engineering, Finance, People Operations, Marketing, Support, and Recruiting. Access rights are reviewed twice per year and there is a defined process for implementing the access control policy.
  • Backup Policy: This policy is a critical component of the business continuity policy (BCP) and is designed to ensure that backup copies are created at defined intervals and regularly tested. Backup copies must be created as defined in the BCP. The platform engineering team is responsible for backing up all information, software, and system images. Backups must be stored in multiple locations as defined in the policy and logs must be maintained. Restoration testing is performed at intervals.
  • Incident Management Policy: The purpose of this policy is to ensure early detection of security events and weaknesses and then execute rapid corrective actions. It defines an information security event, an information security incident, and a security weakness. It lays out responsibilities for reporting events, incidents, and weaknesses and the criteria that are used to classify them. It describes how major and minor events are to be handled, reported upon, and learned from.

 

Find out more

Existing Customers

If you are an existing injixo customer, we are here to answer all your security-related questions and concerns. InVision’s Security Team is ready to answer any questions your IT, InfoSec, Privacy, and Compliance teams might have about our products. Your Customer Success Manager will be pleased to organize this.

Security Incidents

To report a suspected security incident with the injixo platform, please raise a high-priority support ticket in the normal way. Please include as much detail as you can, so our team can find and correct the problem without delay.

New Customers

If you are in the process of becoming an injixo customer and you are in contact with a member of our sales team already, please reach out to them directly with any questions you may have about security. They’ll be happy to help and if necessary, introduce you to the right experts in our team. If you’re not in conversation with our sales team already, you can contact them at contact@injixo.com.