Security at Nmbrs
Safe HR and payroll software is both our profession and our guarantee. The security of our platform, network and products is our highest priority, day and night.
ISAE 3402 Type II assurance for your peace of mind
Our security isn't just a promise—it's independently verified. We successfully undergo an annual ISAE 3402 Type II assurance engagement, resulting in a third-party report on our operational excellence and security controls. This report gives you detailed insights into the design and implementation of controls relevant to your internal processes and financial statement audits.
Our agents watch over our software 24/7
Our infrastructure is monitored around the clock by dedicated performance experts from our central control room. Want to check our current system status? Visit our live status page to see real-time performance metrics and any scheduled maintenance.
Check our current status
Backed by Visma's global security standards
As part of Visma, we deliver security standards that small organizations simply cannot match independently. You benefit from the robust architecture, proven technology, and security expertise of one of Europe's largest software companies. Our infrastructure leverages Visma's enterprise-grade security framework, giving you enterprise protection at an accessible scale.
Frequently asked questions
As your data processor, our commitment is to you, the data controller. We only process your data to provide our HR and payroll services, acting strictly in accordance with your instructions and the terms of our Data Processing Agreement (DPA).
To guarantee security and data residency, all customer data is stored in secure Microsoft Azure datacenters located within the European Union (EU).
We are transparent about the sub-processors we use to support our service. Any data processing by third parties is strictly governed by our DPA and vetted to ensure full compliance with the General Data Protection Regulation (GDPR).
Our complete privacy statement is available at nmbrs.com/privacy.
We are dedicated to the principles of the GDPR. We don't view compliance as a one-time event, but as an ongoing commitment to robust data protection.
Our program is led by a dedicated Data Protection Officer (DPO), registered with the Dutch Data Protection Authority, who oversees our data handling practices.
We act as your Data Processor, and all our activities are governed by a clear Data Processing Agreement (DPA). This ensures we process your data exclusively for HR and payroll purposes, always in accordance with existing laws.
All customer data is located in Microsoft Azure datacenters within the EU, which provide the highest levels of security and operational reliability. This ensures your data remains within European jurisdiction and protected by EU data protection laws.
A data processing agreement is an agreement required under the GDPR when data processing is carried out by a processor on behalf of another party. If you are a (new) customer looking for our standard data processing agreement, we have included it in our general terms and conditions on our terms and conditions page. When you subscribe to a Free Trial, and again when you give the order confirmation, you agree to these conditions.
Nmbrs uses services from other companies (called subprocessors in legal terms) such as datacenters, product development systems, and support solutions. Any data sharing is done in compliance with the GDPR and governed by data processing agreements concluded with third parties. You can find a complete list of all our subprocessors at nmbrs.com/subprocessors and you can subscribe to any updates regarding subprocessors.
All client/server communication is done over HTTPS, which guarantees data integrity and prevents data tampering. The Nmbrs certificate uses a 2048-bit key. The HTTPS transport layer uses standard TLS without fallback to SSLv2/SSLv3, which are disabled for security reasons. You can recognize the secured status by the lock icon before the website URL.
Two-factor authentication (2FA) provides a second authentication level beyond your password. This adds an extra layer of security by requiring a second form of verification when logging in. It is available as an optional security feature in Nmbrs.
ISAE 3402 is an international standard for reporting on controls at service organizations. Nmbrs has produced an ISAE 3402 Type II report, which provides customers with information to understand the design and implementation of controls relevant to their internal processes and financial statement audits. This assurance report provides independent verification of our operational excellence.
If you need this report for your own internal audit, or the audit of your customer(s), you can request it via compliance@nmbrs.com (a signed NDA is needed in order to request the report). Please note that you need to have a direct client-supplier relationship with Nmbrs (i.e. have a direct Nmbrs subscription).
We use several tools for application, infrastructure, and user monitoring that alert our operations team to act in critical situations. Our infrastructure is monitored 24/7.
If you identify a vulnerability in our product, our Responsible Disclosure Policy provides instructions to ensure that information about the weakness will be handled confidentially and investigated with high priority. This policy protects both you and our users while we work to resolve any issues. Find out more about this policy at nmbrs.com/responsible-disclosure-policy.
As part of Visma, we maintain a confidential whistleblowing channel where employees, customers, and partners can report suspected misconduct, violations of laws, or ethical concerns. All reports are handled confidentially and investigated thoroughly. The whistleblowing service is managed independently to ensure your anonymity and protection. You can submit a report at visma.com/whistleblowing.
Being online software means that online crime is a risk. Cyber criminals may attempt to obtain sensitive information by accessing individual accounts or using our name and image. We believe shared knowledge is the most powerful weapon against this form of crime. The Dutch government website provides valuable information on identifying phishing emails and protecting yourself online.
We maintain a live status page where you can check the current operational status of all Nmbrs services in real-time. The page displays system performance, any ongoing incidents, scheduled maintenance, and historical uptime data. You can also subscribe to updates to receive notifications about any service disruptions. Visit status.nmbrs.com to check our current status.
Our compliance officer and support team are happy to help with any security-related questions. You can reach out through our standard support channels or compliance@nmbrs.com, and we'll get back to you as soon as possible.
Feel free to get in touch
Our compliance officer and support team are happy to help and will get back to you as soon as possible.