Infrastructure security
Access control procedures established
DIB's access control policy documents the requirements for the following access control functions: (1) adding new users; (2) modifying users; and/or (3) removing an existing user's access.
Access reviews conducted
DIB conducts access reviews at least annually for the in-scope system components to help ensure that access is restricted appropriately. Required changes are tracked to completion.
Least privilege
Azure Privileged Identity Management (PIM) and Role-Based Access Control (RBAC) are used to ensure that access to infrastructure is granted strictly according to the principle of least privilege, with permissions assigned based on individual roles and responsibilities and regularly reviewed for compliance.
Denial of Service (DoS) Protection
DIB has measures to protect against Denial of Service (DoS) attacks.
Access revoked upon termination
DIB completes termination checklists to ensure that access is revoked for terminated employees.
Encryption key access restricted
The company restricts privileged access to encryption keys to authorized users with a business need.
Firewall access restricted
The company restricts privileged access to the firewall to authorized users with a business need.
Production access restricted
DIB restricts privileged access to the production application, databases and network to authorized users with a business need.
Status page
DIB strives for 99.9% uptime on a monthly basis and notes all incidents that impact availability on our public status page (status.dib.no).
Organizational security
Code of Conduct
DIB requires employees to acknowledge a code of conduct at the time of hire. Employees who violate the code of conduct are subject to disciplinary actions in accordance with a disciplinary policy.
Employee confidentiality
All employee contracts include a confidentiality clause. Additionally, a confidentiality policy is outlined in the Employee Handbook.
Background checks
DIB performs background checks on all new employees in accordance with local laws.
Mandatory security awareness training
All employees undergo mandatory security awareness training on an annual basis. Certain higher risk roles go through additional training specific for their role and its associated risks, annually.
Password policy enforced
DIB requires passwords for in-scope system components to be configured according to the company's policy.
Endpoint encryption
All corporate devices are encrypted to protect data in case of loss or theft. They can be remotely wiped to prevent data leakage if a device is compromised or lost.
Production inventory maintained
DIB maintains a formal inventory of production system assets.
Visitor procedures enforced
The company requires visitors to sign in and be escorted by an authorized employee when accessing office facilities.
Product security
Encryption in transit
All communications between users and DIB’s web applications and APIs are encrypted using HTTPS with the TLS 1.2 protocol.
Encryption at rest
Data is encrypted at rest using an industry-standard AES-256 encryption algorithm.
Penetration testing
We engage independent cybersecurity consultants to conduct comprehensive penetration tests on our application and infrastructure every second year or following significant product updates or changes, aligned with OWASP or similar security frameworks. A remediation plan is developed and changes are implemented to remediate vulnerabilities.
Password complexity
DIB enforces a password complexity standard and credentials are stored using a PBKDF2 function. Users are locked out after five failed login attempts to prevent brute-force attacks. Password reset is handled securely via email verification links, valid only until a new password is set. Domain allowlisting is available to restrict sign-ups to approved email domains.
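The following is an added illustration of the account controls described above, not DIB's own code: PBKDF2 credential storage with a per-user salt, a lockout after five failed logins, a password reset token that stops working as soon as a new password is set, and a sign-up domain allowlist. The iteration count, the complexity rules, the in-memory store and the sample e-mail addresses are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional

MAX_FAILED_ATTEMPTS = 5  # lockout threshold stated on the page


@dataclass
class Account:
    email: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False
    # SHA-256 of the outstanding reset token; cleared once a new password is set
    reset_token_hash: Optional[bytes] = None


class UserStore:
    """In-memory user store demonstrating the controls named on the page (example only)."""

    def __init__(self, allowed_domains, iterations=600_000):
        self.allowed_domains = {d.lower() for d in allowed_domains}
        self.iterations = iterations  # PBKDF2 work factor (assumed value)
        self.accounts: dict[str, Account] = {}

    # --- credential storage ---------------------------------------------
    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    @staticmethod
    def meets_complexity(password: str) -> bool:
        # Assumed rule set; the page does not state DIB's actual standard.
        return (len(password) >= 12
                and any(c.islower() for c in password)
                and any(c.isupper() for c in password)
                and any(c.isdigit() for c in password))

    # --- sign-up restricted to allowlisted domains -------------------------
    def signup(self, email: str, password: str) -> bool:
        domain = email.rpartition("@")[2].lower()
        if domain not in self.allowed_domains or not self.meets_complexity(password):
            return False
        salt = os.urandom(16)
        self.accounts[email.lower()] = Account(email.lower(), salt, self._derive(password, salt))
        return True

    # --- login with lockout after MAX_FAILED_ATTEMPTS ------------------------
    def login(self, email: str, password: str) -> str:
        acct = self.accounts.get(email.lower())
        if acct is None:
            self._derive(password, b"\x00" * 16)  # equalise timing for unknown users
            return "invalid"
        if acct.locked:
            return "locked"
        if hmac.compare_digest(self._derive(password, acct.salt), acct.digest):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            return "locked"
        return "invalid"

    # --- password reset via a token that dies when the password changes -----
    def issue_reset_token(self, email: str) -> Optional[str]:
        acct = self.accounts.get(email.lower())
        if acct is None:
            return None
        token = secrets.token_urlsafe(32)
        acct.reset_token_hash = hashlib.sha256(token.encode()).digest()
        return token  # this is what the e-mailed link would carry

    def reset_password(self, email: str, token: str, new_password: str) -> bool:
        acct = self.accounts.get(email.lower())
        if acct is None or acct.reset_token_hash is None:
            return False
        if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), acct.reset_token_hash):
            return False
        if not self.meets_complexity(new_password):
            return False
        acct.salt = os.urandom(16)
        acct.digest = self._derive(new_password, acct.salt)
        acct.reset_token_hash = None  # token is invalid from this point on
        acct.failed_attempts = 0
        acct.locked = False
        return True
```

Only a hash of the reset token is stored, so a copy of the user table does not yield usable reset links; clearing that hash when the new password is written is what makes the link valid "only until a new password is set". Unknown users still pay the PBKDF2 cost so that response time does not reveal whether an address is registered.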
SSO & MFA
Logins are supported through Microsoft Entra ID. The customer has the option to only allow this login method for enhanced security and customer-controlled MFA.
Control self-assessments conducted
DIB performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings. If the company has committed to an SLA for a finding, the corrective action is completed within that SLA.
Customer Best Practices
Customers are encouraged to use SSO (Microsoft Entra) with MFA and to avoid entering personal or business-sensitive information, for enhanced security.
Data and privacy
Customer Data Portability
Customers can easily export and delete their data in compliance with GDPR and other data protection regulations.
Data classification policy established
DIB has a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel.
Employee access control policies
Access to customer data is limited to authorized employees who require it for their job. Any exceptional access to customer data happens with the consent of the customer and is reviewed afterwards by the manager of the employee's engineering team, who must document the business need.
Regional data hosting
DIB services and data are hosted in Microsoft Azure facilities in Norway East & West and Dublin, Ireland.
Terms and Privacy Policy
DIB maintains a privacy policy in addition to our license agreement. We also have additional Product Terms detailing, for example, the specifics of our AI features.
Internal security procedures
Risk assessments performed
The company's risk assessments are performed at least annually. As part of this process, threats and changes (environmental, regulatory, and technological) to service commitments are identified and the risks are formally assessed.
Whistleblower policy established
DIB has established a formalized whistleblower policy, and an anonymous communication channel is in place for users to report potential issues or fraud concerns.
Cybersecurity insurance maintained
DIB and Karnov Group maintain cybersecurity insurance to mitigate the financial impact of business disruptions.
Continuity and Disaster Recovery plans established
DIB and Karnov Group have Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel.
Development lifecycle established
The company has a formal systems development life cycle (SDLC) methodology in place that governs the development, acquisition, implementation, changes, and maintenance of information systems and related technology requirements.
Support system available
DIB has an external-facing support system in place that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel.
System changes communicated
DIB communicates system changes to authorized internal users. The company also notifies customers of critical system changes that may affect their processing.
