Tidvis
Security

Information Security

The security of our services is of the utmost importance to us at Tidvis and a cornerstone of our entire organization. We handle sensitive data about people who need support, which entails a great responsibility.

Tidvis works systematically and continuously to develop and ensure quality within the organization. Our security work is guided by a policy framework encompassing access control, cyber hygiene, information classification, supplier security, incident management, and continuity. We strive for a healthy and positive security culture where all employees have good knowledge of information security and understand the importance of incident reporting.

Operational Environment

  • All operations take place at established cloud providers within the EU/EEA.
  • Each customer is kept logically separated in its own environment, so data is never mixed between customers.
  • All traffic between users and Tidvis is encrypted over TLS 1.2 or higher.
  • Data at rest is encrypted with AES-256.
  • Regular, encrypted backups with geo-redundancy within the EU.

Access Control

  • Role-based access control (RBAC) managed by the customer's administrator.
  • Login for end users via BankID.
  • Multi-factor authentication (MFA) for Tidvis' internal administrators.
  • The principle of least privilege: only personnel who need access to resolve a specific case are granted it, and all such work is logged.
  • Logging of administrative actions, with centralized log review.

Data Processor and GDPR

When a customer uses Tidvis, the customer is the data controller and Tidvis is the data processor. We sign Data Processing Agreements (DPA) with all customers and disclose our sub-processors upon request. Read more in our privacy policy.

Security Culture and Training

  • All employees are subject to confidentiality agreements and security policies.
  • Recurring training in cyber hygiene, GDPR, and incident management.
  • Clear procedures for reporting suspected deviations and incidents.

Incident Management

Tidvis has documented routines for detecting, classifying, escalating, and remediating security incidents. In the event of a personal data breach, we inform the affected customer without undue delay so that the customer, as data controller, can in turn notify the Swedish Authority for Privacy Protection (IMY) within 72 hours of becoming aware of the breach, as GDPR requires.

Vulnerability and Supplier Management

  • Recurring vulnerability scanning and external penetration testing.
  • Information is classified based on sensitivity and handled accordingly.
  • Subcontractors are assessed before engagement and reviewed regularly with regard to information security and data protection.

Continuity and Backup

Tidvis is operated with redundancy at multiple levels. Backups are taken daily, stored geographically separately within the EU, and tested regularly. We have a continuity plan to be able to restore the service even during major outages.

Contact for Security Matters

If you have discovered a vulnerability or have questions about our security work, you can reach us at security@tidvis.se.