Our development processes from start to release are encircled by multiple levels of security where we first adapt process according to the ISO27001 standard and after that include the requirements for software development that ensure high quality. We comply with national laws and regulations so that we can meet most specifications from our customers. Security is a constant part of our life cycle and our development method: Continuous Delivery.

• We conduct a minimum of 6 penetration tests per year, performed by an external specialist
• The IT portfolio is revised annually by an external auditor where all minimum requirements are met
• Our baseline is OWASP
• Our minimum Security Requirements that all developers follow are:
  - Passwords are never stored as text but are always “hashed and salted” server side.
  - Communication is always via an encrypted connection.
• Security breach: The Mercell incident response team works around the clock to mitigate the effects of any attack against our cloud services. And security is built into Mercell cloud services from the ground up, starting with the Security Development Lifecycle, a mandatory development process that embeds security requirements into every phase of the development process.

When incidents occur, we have a dedicated Security Incident team that provides the necessary co-ordination, management, feedback, and communication. They also have responsibility for assessing, responding to and learning from information security incidents to make sure that we minimize the risk of them recurring.

Redundancy
A method to increase reliability by allowing two or more units (e.g. network or hardware) to work in parallel with the same information, providing a reflection of each other. If one of them breaks down, the other one takes over.

Penetration test
A controlled way to identify security weaknesses in our systems by contracting professional testers to attack our systems and share their findings with the development teams. This helps our development and operations teams to strengthen our security.

Hashing
A cryptographic hash function is a mathematical algorithm that maps data of arbitrary size to a bit string of a fixed size (a hash function) which is designed to also be a one-way function, that is, a function which is infeasible to invert. The only way to recreate the input data from an ideal cryptographic hash function's output is to try a large number of possible inputs to see if they produce a match.

Salting
A method to prevent hacking by adding information before or after the hashed password. The primary function of salts is to defend against dictionary attacks versus a list of password hashes and against pre-computed rainbow table attacks.

Audit
The complete IT portfolio is reviewed at least once a year, by an external audit firm, where all minimum requirements for IT security are reviewed and evaluated in order to improve the overall IT security.

• Provide an appropriate level of details on the vulnerability so that we can reproduce the issue.
• Allow us a reasonable time period to address the issue before publishing any information or details about the vulnerability.
• Target only your own accounts and devices when investigating and testing a vulnerability. Never attempt to access accounts, devices, or data that you don't own or don't have permission to access.
• Do not use phishing or social engineering.