
Data protection in Accountor’s modern cloud services

Public cloud services in brief

The term ‘public cloud services’ refers to service models that offer IT services online. In a public cloud service, for example, the organisation’s own information systems, applications and services are located in the telecommunications network instead of on its own devices.

In public cloud, services can be utilized and grown nimbly, without the need to invest in the company’s own physical infrastructure. The services and features are easily available, quick to implement and offer the opportunity to operate in a highly protected IT infrastructure.

In Finland, with its Cloud 1st strategy, the Ministry of Finance also encourages public sector organisations to primarily utilize cloud services in their information systems and services.

How does Accountor ensure compliance with data protection regulations in its public cloud services?

At Accountor, we follow the data protection discussion closely and always act in accordance with official requirements and the best possible practices. Our principle is that the information in Accountor’s systems is always encrypted, regardless of whether there is a need to transfer information outside the EU or not. Encrypted data can only be opened with encryption keys managed either by us or by our trusted partner. The public cloud service provider will not be given the keys.

In December 2023, our Financial Management Software business was awarded the ISO27001 certificate. The certificate is proof that we comply with the best international practices and information security standards as determined by an external auditor.

We require our partners and cloud service providers to follow high-level data protection practices. We actively follow international regulations, the operations of different countries, and compliance with regulations and authority requirements, and we update our own operating methods in accordance with them, if necessary.
For example, according to our agreements with Microsoft, the data of the cloud services is located in Europe. For possible exceptional situations, we have prepared contractually with Microsoft by using the standard contractual clauses of the European Commission, which enable the transfer of personal data in compliance with the level of the EU data protection regulation.

Accountor’s customers can take advantage of the latest technology, scale their organisation’s operations in an agile way, and be at the forefront in adopting the latest public cloud improvements and features. At the same time, they can be sure that we process their data and the data of their customers in accordance with the best possible practices and the EU data protection regulation.

Data transfer and GDPR - What is it all about?

The EU data protection regulation GDPR (General Data Protection Regulation) sets strict requirements for the processing and protection of personal data. Organisations must process and store personal data in accordance with the GDPR – whether the data is processed in the public cloud or in the company’s own data centre, within or outside the countries of the European Union.

It is understandable that differences in legislation globally sometimes cause concern about how the requirements of the data protection regulation can be taken care of when using public cloud services. For example, the Azure data used by Accountor is located in Europe. However, Microsoft’s parent company falls under the scope of the US legislation, whose level of data protection differs from EU requirements. So, is using the service safe and compliant with GDPR regulations?


Data protection framework and adequacy decision

In the United States, measures were implemented in 2023 with the aim of securing the level required by the EU data protection regulation. For example, mechanisms were introduced to ensure the appropriate processing of personal data, and authorities’ rights to access personal data have been tightened.

With the new mechanisms, the European Commission has decided that the actions of the United States are sufficient in terms of the level of data protection. According to the Commission, companies that are certified for the Data Privacy Framework are able to offer a sufficient level of data protection in accordance with the EU data protection regulation.

Companies covered by the data protection framework, for example Microsoft, are therefore safe partners according to the definitions of the European Commission. We at Accountor choose our partners only from among those that are defined as safe.