Compliance

We are committed to security and compliance of the software we develop, and all of our work with our customers & their data

Greenstep is ISO27001 certified, and compliant with GDPR, NIS2, Anti Money Laundering and KYC EU-laws. We are audited by local Financial Management Associations in Finland (Taloushallintoliitto), Sweden (SRF), Norway (Finanstilsynet) and are a member of Estonian Accountants Association (Eesti Raamatupidataje Kogu).

We are also a certified advisor in the Nasdaq Helsinki Stock Exchange and a member of the Finnish Venture Capital Association. On behalf of our clients, we also report to FIN-FSA (Financial Supervisory Authority in Finland) and EVCA (European Venture Capital Association).

Security is at the core of everything we do, and we also work towards better regulation and processes in the accounting field as active members in the Finnish National Emergency Supply Agencys Financial Administration steering group.

Ask about our Security & Compliance

Read more about Compliance and Security at Greenstep

  • ISO27001

    Greenstep became ISO27001 certified in 2023.

    "The ISO27001 certificate is a testament to the quality of the policies, procedures and processes at Greenstep"
    Anne Kulla, Partner & Head of Compliance

    Our policies include:

    • Secure development policy - At Greenstep, all developers follow our Secure Development Guidelines. Our culture values and rewards the detection and mitigation of vulnerabilities. Please contact us if you wish to know more about our Secure Development practices.
    • Code of conduct
    • Information security policy
    • People management policy
    • Secure architecture and engineering policy
    • Business continuity policy
    • Office policy/ Physical security policy
    • Cryptography policy
    • Responsible disclosure policy
    • Access Control Policy
    • Supplier policy
    • Testing policy
    • Endpoint device policy
    • Backup policy
    • Privacy policy
    • Information retention policy
    • Password policy
    • Logging policy
    • Information classification policy
    • Secure development policy
    • Insurance policy
    • Penetration testing policy

    The compliance to these policies is followed through our controls which adhere to the ISO27001.2002 framework and are audited yearly.

  • NIS2 (Network and Information Security)

    Greenstep compliance with the NIS2 Directive

    The NIS2 Directive (Directive (EU) 2022/2555)) (the “NIS2”) aims to achieve a high common level of cybersecurity across the European Union. It is to data security what the General Data Protection Regulation (GDPR) is to personal data and data protection. The NIS2 will be transposed into local legislation in October 2024.

    From the point of view of companies, the most important new national regulation enacted on the basis of the NIS2 is Cybersecurity Act. The new legislation, for example, sets a registration obligation for certain companies, preferably by January 1, 2025, as well as obligation of cybersecurity-related risk management and incident reporting. In the event of non-compliance of risk management or reporting, the competent authority may impose an administrative fine in accordance with the NIS2 and the related applicable legislation. In addition, a sector-specific supervising authority may carry out ex ante and ex post supervision of the company's operations based on company classification as an important or essential entity.

    The extent of the applicability is quite wide. For example, in Finland, Cybersecurity Act is estimated to apply to 2,500 to 5,000 entities. Of these organisations only about 10 to 20 % fall under the obligation of the previous NIS1 Directive (Directive (EU) 2016/1148).

    Scope: essential and digital services of certain company size

    Overall, the scope of the NIS2 is large including several sectors. The primary target of this regulation is operators linked to emergency supply, such as electricity, energy and water. However, this EU law also extends the requirements to other industries such as the pharmaceutical industry, financial institutions and software suppliers, but to some extent also to, for example, accounting firms.

    As a general rule, the NIS2 applies to providers of digital services. A software company that develops and produces a cloud service is clearly in the scope of the NIS2. If an accounting firm offers its clients self-developed software as a cloud service, it is also naturally within the scope of the NIS2, just like any other software firm. In addition, if an accounting firm offers its clients accounting or payroll software or other software produced and maintained by a software company, it is covered by the NIS2, if it takes care of, for example, access rights management, offers access control to the software through the identification of its own website, or otherwise manages the use of a cloud service. In the field of cloud services, there will be a nominated authority who can carry out supervision of the company´s operations.

    The NIS2 imposes specific size limits that determine its applicability to companies. These limits are categorised into two main classifications: important entities and essential entities:

    • A company is classified as an important entity if it meets at least one of the following criteria: the company employs at least 50 employees, or both the annual turnover and the balance sheet total exceed EUR 10 million.
    • A company is classified as an essential entity if it exceeds the ceiling for medium-sized enterprises, specifically: more than 250 employees or a turnover of EUR 50 million and a balance sheet of more than EUR 43 million. The regulations governing essential entities are more stringent compared to those for important entities. In addition, these are subject to ex ante supervision.

    Applicability to Greenstep

    As regards Greenstep group of companies, based on the above, the parent company Greenstep Oy (Finland) is regarded as an essential entity under the NIS2 and is subject to ex ante supervision. In contrast, for example, Renance - Automated Financial Services Oy (Bezala) is not in the scope of the NIS2 due to the size limitation. Similarly, the NIS2 does not apply to our operations in Estonia or the Netherlands. Additionally, it is important to note that Norway and the United Kingdom are currently partly outside the scope of the NIS2.

    In case of Greenstep Oy, the services specifically within the scope of the NIS2 include accounting and payroll.

    Compliance team shall continue to monitor the development of the NIS2-related regulation at the country-level to make sure that there are no compliance gaps. Even if not all individual companies within the Greenstep Group fall under the specific NIS2 definitions, they adhere to the Group's comprehensive information and cybersecurity practices. These practices are structured according to the management model outlined in the ISO 27001:2022 standard and are designed to support the implementation of the NIS2 regulations.

    Three-stage reporting of significant cybersecurity incidents

    The NIS2 includes a three-stage reporting obligation of significant cybersecurity incidents. First, an incident is to be reported without undue delay and in any event within 24 hours (early warning) to the competent authority. That early warning should be followed by an incident notification. The entities concerned should submit an incident notification without undue delay and in any event within 72 hours of becoming aware of the significant incident. A final report should be submitted not later than one month after the incident notification.

    Greenstep already complies with general incident reporting requirements on the basis of the GDPR, customer agreements, and the ISO27001 standard. However, the NIS2-specific procedures, e.g. templates, shall be prepared as necessary.

    Legislation

    EU: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022L2555

    Finland: https://www.eduskunta.fi/FI/vaski/HallituksenEsitys/Sivut/HE_57+2024.aspx

    Sweden: Nya regler om cybersäkerhet - Regeringen.se

    Estonia: Implementation of the NIS Directive in Estonia | Shaping Europe’s digital future (europa.eu)

    Norway: the NIS2 Directive is not included in the EEA Agreement

    The Netherlands: Cyberbeveiligingswet (NIS2-richtlijn) | Wet beveiliging netwerk- en informatiesystemen (Wbni) | Rijksinspectie Digitale Infrastructuur (RDI)

    The UK: Introduction to the Cyber Assessment Framework - NCSC.GOV.UK

  • Handling of Peronal data (GDPR) and Privacy Policy

    Greenstep is GDPR compliant

    In addition to GDPR, there are local laws that we need to follow, which in some cases go above GDPR. For Example, an employee of our customer does not have the right to be forgotten immediately in some countries when it comes to payroll, as the local payroll and accounting laws dictate how long the material should be saved.

    Privacy Policy

    You can read our privacy policy here: Privacy policy (greenstep.com)

  • Financial Management Association memberships

    Greenstep is authorized in Finland

    As a member of the Financial Management Association of Finland, we are audited yearly on our accounting processes as an organization and as individuals. We have over 40 authorized personnel within both accounting and payroll.

    Greenstep is authorized in Sweden

    We are audited members of the Swedish Association of Accounting and Payroll consultants. Multiple people of our staff are Authorized Accountants who must follow the Swedish standard of accountancy, called Rex. Individuals must undergo regular quality checks made by SRF-konsulterna every six years. The Authorization is a stamp of approval from SRF and warrants the accountants high level of competence and experience.

    Greenstep has right to conduct accounting in Norway

    Finanstilsynet has granted Greenstep the right to conduct accounting in Norway.

    Greenstep is a supporting member of the association of accountants in Estonia

  • KYC - Know Your Customer

    Know Your Customer (KYC) is an essential process for Greenstep as an accounting firm to verify the identity of their clients and comply with anti-money laundering (AML) regulations

    Greenstep follows the Anti-Money Laundering Directive (2015/849; "AML Directive") which constitutes the main legal instrument. The AML Directive has been codified into Member States’ legislation and is followed in each Greenstep country. In Finland, Åland, Sweden, Norway and Estonia Greenstep have been registered as a service provider under KYC as an accounting firm. The EU law concerns many fields, but in Greenstep’s case accounting offices are responsible and liable to prevent money laundering and terrorist financing.

    For Greenstep, the scope of the KYC requirements extends to all our customers. There are different levels of due diligence, and it depends on the risk factors identified during onboarding and continuous monitoring.

    Only in very rare cases we can disregard the requirement of KYC. Often, even in cases such as a listed company, we will complete the KYC, but with the information we are able to gather from public sources.


    Guidance from authorities:

  • Products & Data Processors by Category

    Accounting Softwares:

    ProductCountryDescriptionMore Info
    NetSuiteGlobalLeading Global ERP with excellent accounting features.NetSuite Application and Operational Security | NetSuite
    NetvisorFinlandNetvisor is a market leading SaaS online accounting system in Finland, which provides services for accounting, sales and purchase ledgers and payroll. Netvisor services can be utilized through web browser and mobile app.Visma Trust Centre - Netvisor
    ProcountorFinland, Sweden, NorwayProcountor is a market leading SaaS online accounting system in Finland, Sweden and Norway.Tietosuojaseloste - Procountor
    Merit Accounting & PayrollEstoniaMerit provides accounting & payroll software designed for micro and small businesses in Estonia.Visma Trust Centre - Merit Accounting
    TripletexNorwayTripletex is a SaaS ERP system with many modules such as invoicing, project, logistics and payroll.Visma Trust Centre - Tripletex



    Payroll Softwares

    ProductCountryDescriptionMore Info
    MepcoGlobal / FinlandLeading Payroll software in Finland with global HR features.Mepo Privacy Policy
    HogiaSwedenLeading Payroll software in SwedenHogia Säkerhet



  • Whistleblowing

    Greenstep promotes responsible business methods and fosters an ethical way of acting. We take all illegal, unethical or any acts that go against our guidelines seriously. We encourage you to bring these to our attention every time there is a suspicion of misconduct.

    It is crucial that the employees, associates and other stakeholders of Greenstep inform us of their concerns and suspicions regarding misconduct not in line with the organization's guidelines. Therefore, primarily we encourage you to contact a supervisor in our organization. However, if this is not an option, you can report a concern via the reporting channel.

    You do not need to have firm evidence of misconduct; however, reports should be submitted honestly and in good faith. Deliberate reporting of false information is strictly forbidden.

    Avoid revealing personal information, especially delicate information, while submitting a report. If the message contains any information prohibited by law, we might not be allowed to process it.

    You may leave your name and contact information during reporting, but we provide you with this opportunity to express your concern through this confidential channel anonymously. In addition, the service removes all metadata automatically in case there are any attachments added to the report.

    Lexia Asianajotoimisto Oy is responsible for the service package as well as for the lawful processing of reports.

    After sending the report, you will receive a unique token on the screen that enables you to continue communicating anonymously with us in the future. Save this in a secure manner. When needed, we might submit follow-up questions via the reporting channel and inform you how the investigation is proceeding.

    All reports are investigated confidentially and in accordance with specified procedures. Possible resulting steps are taken only after the investigation has been concluded. The information from the report or the investigation can only be accessed by the people who need it to complete the investigation.

    You create an incident from here https://app.easywhistle.com/report/greenstep/about

Our Internal tools are compliant, developed with security as a top priority, and rigorously tested

Netsuite nav

NetSuite

Project creation, task management, time tracking (External & Internal), project invoicing, Self-billing, HR features. Financial & Consolidated reporting, Parent Company Financials, Subsidiary Financials, Master Data Management, Sales Invoicing & Purchase Data Management. We develop our own tools and processes on top of NetSuite.

Bibook nav

BI Book

Review Power BI dashboards for Management reporting, KPIs, APMs, Budgeting, Forecasting and People Analytics.

Bezala nav

Bezala

Expense reporting compliant to the local legislation of 20+ countries.

Palkanlaskenta Greenstep Hub

Secure Communication through Greenstep Hub

The GS HUB is a platform for secure client communication, file sharing and automation built from the ground up by Greenstep. Key Security features:

  • SSO is enforced for all users
  • Administrator access is strictly controlled and fully logged
  • All cloud service providers are ISO27001 certified
  • Data is continuously backed up
  • Data is always within the EU and according to GDPR demands.


Other Noteworthy Compliance & Security Efforts and Achievements

Greenstep Actively participates in Oracles On-Line Presence Security program

Oracle has fixed 112 vulnerabilities reported through their On-Line Presence Security program so far this year. 14 of those were reported by Greensteps team members, making us by far the greatest contributor, reporting 12,5% of the total vulnerabilities in 2023. On top of that we also found 3 vulnerabilities last year.

Greenstep is an active member of the National Emergency Supply Agency in Finland

In addition to assuring our own safety, we also work actively towards improving the safety of our entire business field, including that of our competitors. We are an active member in the Finnish National Emergency Supply Agency (Huoltovarmuuskeskus), ensuring that payroll and accounting services will be provided even in uncertain times. Payroll and accounting are regarded as critical processes that must survive any uncertain times. We help ensure that people and business get paid no matter what.

Over 4000 automation tests

Multiple of our development teams have a test-driven-development approach, meaning that tests are written before the development work is started. This has resulted in us having over 4000 automation tests, ensuring that the software we develop works even after new features are tested & released.

Questions about security & Compliance at Greenstep?

Our Compliance and Security teams will more than gladly answer your questions. Start by reaching out to Anne Kulla on the right side.

Levi group photo text media

Choose Greenstep as your partner

At Greenstep, your business will be in secure and compliant hands. We work according to our shared values. Our values include the desire of delighting the customer, the will to renew and develop, the enthusiasm to produce and to achieve success together, and honesty and appreciation of other people.

Read more about Greenstep as a company