Trust & Security

At Flex HRM, security is our top priority. We are committed to developing, delivering and
operating Flex HRM at the highest level of security.

We follow best practices and industry standards to ensure your data remains protected, available and compliant.


How we build secure software

Our approach to software development is proactive and driven by Continuous
Improvement. We utilize a robust CI/CD pipeline where every change is validated
through automated tests, ensuring security and quality are integrated into our code
from the very first line.


Secure Development Lifecycle (SDLC)

  • Environment Isolation: We maintain strictly separated environments for Development, Stage, and Production. This ensures that development activities never impact the live production environment or customer data.

  • Risk Management: Every change undergoes a risk assessment using a 5x5 matrix (Likelihood vs. Impact). High-risk changes require mandatory Threat Modeling (using STRIDE) to identify and mitigate potential security issues before code is even written.

  • Security Training: Our developers and Security Champions receive periodic security training, with a strong focus on the OWASP Top 10 vulnerabilities.

  • Infrastructure as Code (IaC): We manage our infrastructure with code instead of manual changes, ensuring that our environments are consistent, reproducible, and protected against manual configuration errors.

  • Code Review: We employ a strict "6-eyes" principle to ensure Separation of Duties (SoD). Every change requires approval from a minimum of 2 independent reviewers (excluding the author).

  • Audit Trails: All changes to code and infrastructure are logged and version-controlled, providing a complete history of our environment.


CI/CD Pipeline Security

We utilize a fully automated CI/CD (Continuous Integration/Continuous Deployment) pipeline that acts as a security gatekeeper, reducing human error and ensuring consistency.

  • Continuous Integration (CI): Every code change triggers an automated build and test sequence including Unit Tests and Integration Tests. When a new version is created, we run End-to-End (E2E) Tests to verify that the software is stable and secure before it moves forward.

  • Continuous Deployment (CD): We deploy updates in a controlled sequence: first to the Development environment, then to Stage (where Smoke Tests are performed), and finally to Production. This approach allows us to deliver daily updates and patch security vulnerabilities immediately without compromising reliability.

Automated Security Scanning

We further secure our software through comprehensive, regular scanning:

  • SAST (Static Application Security Testing): Scans source code for vulnerabilities.

  • SCA (Software Composition Analysis): Checks third-party libraries for known vulnerabilities and license compliance.

  • DAST (Dynamic Application Security Testing): Runs attacks against our Stage environment (a replica of Production) to find runtime weaknesses.

Penetration Testing

We validate our internal security controls by engaging a third-party vendor to conduct penetration tests on a yearly basis, ensuring we stay ahead of emerging attack vectors.


Protecting your data

We employ multiple layers of defense to ensure your data is encrypted, backed up, and strictly confined to compliant regions.


How we secure and restrict access to data

  • Role-Based Access Control (RBAC): We apply the Principle of Least Privilege, ensuring access is granted strictly based on roles and responsibilities.

  • Secure Authentication: All personnel access is secured using Single Sign-On (SSO) with enforced Multi-Factor Authentication (MFA). Administrative access is further restricted via strict IP whitelisting.

  • No Access: Developers have no read/write access to production data.

  • Privileged Access: Administrative access is restricted and limited to authorized personnel.

Ensuring your data is secure and stays within the EU

All personal data is stored and processed within Microsoft’s EU Data Boundary
(EU/EEA), ensuring strict compliance with European data protection regulations.

By hosting on Microsoft Azure, we build upon an industry-leading infrastructure
designed for mission-critical reliability and resilience. This ensures our customers
benefit from state-of-the-art physical security, redundant power systems, and
Microsoft's extensive, continuous investment in cybersecurity.


Safeguarding Data at all times

We leverage Azure’s FIPS 140-2 compliant infrastructure to ensure rigorous protection
for your information.

  • At Rest: All databases are encrypted using AES 256-bit encryption.

  • In Transit: We enforce HTTPS with a minimum of TLS 1.2 for all communications.


Backup & Recovery

We protect against accidental deletion, malicious modification, and ransomware using Backup Immutability (WORM state). We maintain a 1-month Long-Term Retention (LTR) policy, supported by differential backups every 12 hours and transactional backups every 10 minutes.


How we beat security threats

We actively defend our network perimeter and internal systems against malicious actors using a Defense-in-Depth strategy, combined with continuous 24/7 monitoring.


24/7 Monitoring & Response

  • Real-Time Monitoring: We utilize Visma's 24/7 Global Security Operations Centre (GSOC) where dedicated security experts and automated systems continuously analyze logs, monitor for anomalies, and respond to potential threats in real-time.

  • SIEM (Security Information and Event Management): We have a dedicated SIEM setup that streams security events to a separate, isolated Event Hub infrastructure. This ensures that security data is protected from tampering and is retained for 1 year for forensic analysis.

  • Continuous Threat Discovery: We use Microsoft Defender for Cloud, Defender EASM, and Orca Security to continuously map our digital attack surface, identify unknowns, and prioritize risks before they become issues.


Network Defences

  • DDoS Protection: We utilize a single public entry point with Layer 7 DDoS protection to minimize our attack surface.

  • Web Application Firewall (WAF): Our WAF actively blocks SQL injection, cross-site scripting, and other common web attacks.


Zero Trust Architecture

  • Deny by Default: Our network policies and Access Control Lists (ACLs) are configured to deny all traffic by default; only explicitly allowed traffic can pass.

  • Segmentation: We enforce strict network segmentation, isolating Customer Data, CI/CD pipelines, AI services, etc. into their own protected subnets.

  • Private Endpoints: Backend services communicate exclusively through secure, private connections, ensuring they are never exposed to the public internet. We utilize Network Security Groups (NSGs) to strictly filter internal traffic and ensure only authorized resources can communicate.


Patch Management

  • Shared Responsibility Model: While Microsoft manages security updates for the underlying infrastructure and operating systems, we are responsible for the application layer.

  • Rapid Response Protocol: We target the resolution of high and critical vulnerabilities within 24 hours, whenever possible.

Compliance Roadmap

We are committed to maintaining the highest standards of information security and operational excellence.

  • ISO 27001 Alignment: We currently operate in alignment with ISO 27001 standards. Our security controls, risk management processes, and policies are designed to meet these requirements.

  • Strategic Goals 2026: Achieving ISO 27001 certification and an ISAE 3402 report is our priority for 2026.


This document is for informational purposes and reflects the security posture of Flex
HRM as of the date of publication (last update 2025-12-18).