Data protection and data security

At Bokio we have two important tasks that are sometimes confused. We protect your data against others getting hold of it (data protection) and make sure that you can trust that your data is safe in Bokio (data security).

It’s important to understand that these two tasks sometimes conflict. For example, we could easily resolve the data protection by deleting all the data we have. This is an extreme example, but we are faced with many similar but less obvious choices. We will always prioritise data security as it’s so serious to lose accounting data.

How we work with data security

Technically, it differs a little depending on what kind of data we’re talking about. For the majority of our data we have 3 layers of backups. Firstly, a 90-day point in time restore. Secondly, a long-term backup that extends to an entire accounting cycle. And thirdly, we have a light 30-day backup which we move to another service.

Some data, such as images and files, are stored differently, and here the backup solution differs. In this case, the data is protected as we have the possibility to restore data for a certain time after deletion. There is also a long-term backup.

All data and backups are also replicated across multiple servers and data centres.

Another important part of this is that we ensure that only certain staff have access to administer these services, and in addition, that no login has access to all backups. We also use multifactor authentication and monitoring for these logins.

How we work with data protection

All data we possess is encrypted both during transmission (TLS) and during storage. It is also set so that you as a user must use TLS to use the service.

Our internal processes contain several parts that are designed to protect your data:

  • As few people as possible have access to our databases, and these people are given special instructions on how to make sure their accounts are secure and how to increase security.
  • We protect our accounts with several extra security layers in addition to username/password.
  • All new code must be reviewed before it can be sent out for production.
  • We train our employees internally to understand the importance of data security, privacy and what they are allowed to do.
  • In particular, we train our developers to know when a DPIA (Data Protection Impact Assessment) needs to be done.
  • Our subcontractors should all either be located in Europe or meet the requirements of Privacy Shield. They must also comply with the GDPR regulations, and we must have a signed agreement with them.