Information security

Version January 2022

Exact takes information security very seriously, including personal data related security. Exact takes crucial steps to protect information from data breaches, unauthorized access and other disruptive information security threats to business and consumer data.

We have dedicated operational processes to manage information security, dedicated security staff and an internal reporting mechanism to facilitate proper decision making in case of incidents.

Security Governance

We are committed to comply to all relevant legislation, such as the General Data Protection Regulation(GDPR). A key mechanism in managing information security is our Risk and Compliance Committee (RCC), that monitors security processes and discusses security incidents, after being detected and analysed by our information security officers The compliance committee is chaired by our CFO.

We are dedicated to transparency

We don’t pretend to be able to prevent all security incidents. Incidents can and will occur occasionally. When they do, we are dedicated to being transparent about them. We believe this is the best way to maintain the trust of our customers. We obviously work hard to make sure incidents are as rare as they can be. To this end, our processes are audited regularly. You can request the assurance reports via our support channels. Please see our ISO 27001 / ISAE3402 page for more information.

Protection of your personal data

We take substantial efforts to protect the confidentiality of personal data, preferences and other information. To protect this information, we make substantial investments in our server, database, backup and firewall technologies. For more information, please see the Privacy Statement.

We offer a mandatory extra security layer: Two-Factor Authentication. By using this technique, we help prevent abuse through phishing or malware. In this way, we provide maximum support for online safety – which is crucial to us. This means that, in addition to your username and password, you will need to add an extra piece of information that is only available to you as a user. This makes any misuse of your data much more difficult.

Approved by independent experts

For many Exact products and services, like Exact Online and Exact Cloud Services, our development and operational management processes are tested annually by highly qualified independent experts. This results in an independent assurance report (ISAE 3402 type 2) that ensures our customers that our software is reliable and secure. Please see our ISO 27001 / ISAE3402 page for more information.

Also, the safety of Exact products and services, is determined at least annually via a “pentest” – an investigation to identify if software contains security related vulnerabilities. We have processes in place to take necessary actions if findings are reported.

Safest datacentres in the world

Our public cloud based products and services are hosted on Amazon Web Services and/or Microsoft Azure. Both cloud providers are market leaders and known to offer top notch security. Working with our solutions is always through a secure connection. It is encrypted according to industrial standards.

For our Exact products and services we follow strict security guidelines and implementation, but we also demand (and ask for proof of) compliance to these security standards from all suppliers we use in services to our clients.

RPO/RTO Exact Online Premium

In the event of an incident resulting in a data center failure, the RPO (recovery point objective) for Exact Online Premium is 1 hour. The RTO (recovery time objective) depends on the circumstances at related (sub) services and will be determined and communicated (upon request) in case of any incident.

Request information

Exact welcomes questions or comments about this Security Statement. If you have any questions or comments about this Security Statement, or need to receive our compliance report for audit purposes, please enter this form with all relevant details.

Responsible discloses can be reported here

Security is a shared responsibility of vendors and consumers. To help you stay in control, we have prepared the 7 golden rules of Information Security. We advise you to take note of them and check if your organisation complies with them. 

7 golden rules of Information Security

We have set up some tips for our partners, customers and others for keeping them safe below.

1. Handle information carefully

  • Keep your workspace (or meeting room) tidy.
  • Put data carriers in a drawer or cabinet that you can lock or dispose them in the right way (shredder, locked basket).
  • Fully shut down all equipment before leaving the office to prevent losing information.
  • Always take your personal belongings with you.
  • Only share confidential business information or files through secured channels.
  • Be aware with who you share information.
  • Check the content and recipient(s) of the emails before sending them.
  • Prevent others from seeing confidential information on your screen.

2. Use your computer securely

  • Keep your mobile equipment with you.
  • Never leave your equipment unguarded.
  • Lock your computer when you leave your workspace.
  • Use covers, cases and skins to protect your equipment.
  • Your pass, passwords, pincodes and key are only destined for you, so don’t lend them to others.
  • Protect your equipment with a password, pincode or biometrical info and use multi-factor authentication where possible.
  • Ensure your computer and applications are updated at the earliest conveni
  • Protect your email with 2FA / MFA. Password reset requests from many services end up in your email. Access to your email means access to a lot of services.

3. Communicate with caution

  • Communication (and information sharing) can take place in spoken or written form.
  • Be careful about what you share, who you share information with and how you do it.
  • Take into account the nature of your conversation and provide a suitable environment; so don't have a confidential conversation in a public place
  • Only discuss business and/or confidential matters in a separate room or move the meeting to a more convenient location.
  • Always take your personal belongings with you.
  • Only share information when strictly necessary, both inside and outside the organization.

4. Know the risks of email, internet and social media

  • Use e-mail and the internet responsibly.
  • Only use trusted sites to download documents and other files.
  • Be aware of data classification and how to handle data before sending confidential/sensitive information.
  • Check if emails come from trusted email addresses.
  • Handle e-mails and attachments of unknown origin with care.
  • Try to reach the mentioned service and website via internet instead of directly through the link in the email or text.
  • Flag emails with potential threats and notify your IT/Security Department .
  • Do not post sensitive information about the organization or customers on social media.
  • Keep work and private life separate. For example, use one social media channel for private purposes only, and the other for business purposes.

5. Handle mobile devices with care

  • Set a PIN or password on your device, including your voicemail.
  • Lock your device when not in use.
  • Follow organization guidelines when storing and editing information.
  • Always keep mobile devices in sight and never leave them in the car, including in the trunk.
  • Only use secure networks and encrypt information when you're on the go.

6. Keep your work environment safe

  • Notify the reception of visitors.
  • Accompany your visitors and make sure that any visitor passes are visibly worn.
  • Wear your access pass visibly.
  • Watch out for unknown visitors, people walking around alone and/or suspicious people without an access pass. Ask if you can take them to the reception or their contact person.

7. Protect your password

  • Don’t give out passwords by phone – not even to Exact
  • Never give your password to someone else! To nobody, not even to a colleague.
  • Never talk about a password near others.
  • Don’t give hints about the structure of your password (for example ‘my surname’)
  • Don’t share a password, not even to a colleague or family member.
  • Never give your password to colleagues during holiday.
  • If someone asks for a password, refer them to these password tips and tricks.
  • Don’t use the function ‘Remember password’ within applications and browsers – use a password manager instead.
  • Change your password if you are notified that your account or password have possibly been leaked.
  • Change your password regularly.
  • Enable 2FA / MFA were possible. 2FA a specific type of multi-factor authentication (MFA) that strengthens access security by requiring two methods (also referred to as authentication factors) to verify your identity.
EN Select your country