Sensitive information requires the highest security

Security & Compliance Program

Vispato has adopted a security and compliance management program that governs our product development procedures and administrative operations.

At the center of this program is the adoption of an extensive control framework, validated by our ISO 27001 certification and ISAE 3402 (Type 1) certification.

Further, we strive to be compliant with Web Content Accessibility Guidelines success criteria (WCAG 2.1 AA) on whistleblower pages to make whistleblowing accessible to people with disabilities.


ISO 27001

ISAE 3402 (Type 1)

ISAE 3402 (Type 1)

ISO 27001 Hosting

ISO 27001 Hosting

WCAG 2.1 (AA)

WCAG 2.1 (AA)

Data Privacy Regulation

Vispato complies with the EU General Data Protection Regulation (GDPR) regarding the collection, use, and retention of personal information. For more details, see Vispato’s Privacy Policy.

Physical Security

Physical Security

Hardware, data center, personnel, access, and availability

Learn More
Application Security

Application Security

Code, Databases, and Configurations

Learn More
Network Security

Network Security

Rules and controls for incoming and outgoing data

Learn More


Encryption, legal requirements, and access to information

Learn More
Access Control

Access Control

Access permissions, passwords, authorization, and encryption

Learn More


Performance, availability, and redundancy

Learn More


Trust, track record, consistency

Learn More


Adherence to global whistleblowing, data security, and data residency laws.

Learn More

Physical Security

What is physical security?

Physical security is the foundation of every cloud environment. In other words: server hardware, data centers, personnel, access, availability, and the ability to react to environmental factors like flooding, overheating, blackouts, etc.

How does Vispato ensure physical security?

The Vispato application is hosted solely in the DATEV eG data center. DATEV is responsible for the physical security of their infrastructure.

What kind of data center are we talking about?

The DATEV data center handles multiple petabytes of data at the highest level of security. It is ISO 27001 certified and meets the highest standards. For more information and certificates, please visit the DATEV website:

Where is the data center located?

By default, our data (and backups) are hosted at the DATEV data center, which is located in Nuremberg, Germany.

However, in order to comply with local data residency laws, we are able to host Vispato in any country that you require – including China and Russia. If this is something you require, please let us know during your demo!

Application Security

What is application security?

This level involves ensuring that every component of the system is secure, for example: application code, databases, configurations, and third-party libraries. It includes potential weak points inside and outside of the application.

How does Vispato ensure application security?

Application security is a team effort. When developing Vispato, security was our top priority. Our team of developers consistently carry out code reviews to ensure that only high-quality secure code makes its way into our product.

We have many manual and automated tests that measure the security of potential weak points like SQL injections, cross-site scripts, session and authentication weaknesses, and much more.

In addition, we carry out regular penetration tests.

Network Security

What is network security?

Network security involves rules and controls to limit or reduce the incoming and outgoing traffic to production systems as well as the traffic within the system. It ensures that the necessary firewall rules exist and prevents attacks like malware, distributed denial of service (DDoS), as well as other potential exploits.

How does Vispato ensure network security?

Vispato monitors the system together with DATEV to detect any potential threats. We implement firewalls within our infrastructure as well as within our application to protect against internal and external threats. Additionally, we have an escalation protocol to quickly handle any problems.

Do you have technology that reduces the risk of DDoS-style attacks?

Vispato works together with DATEV to reduce the risk of DDoS-style attacks. In the event of a DDoS attack, DATEV has protocols and measures available, which reduce the effects of such an attack and ensure the system remains stable.

Data Privacy

What is data privacy?

Data privacy means making sure that your data as well as your employees' data is safe – whether inside the system or during data transmission over the network. This includes not only things like encryption, but also legal requirements like where data is located, who has access to it, and how requests to receive this data are handled.

How does Vispato ensure data privacy?

All traffic between Vispato and the user is SSL-encrypted. All communication with Vispato takes place via APIs which are verified by third party security companies.

Vispato also relies on the strict security guidelines from DATEV as well as their certifications which provide a key element to protecting your sensitive information.

Is the data encrypted?

Communications through Vispato are encrypted and decrypted directly in your web browser using end-to-end encryption. This ensure that only the parties involved (sender and receiver) can read the messages.

Even Vispato GmbH and its employees do not have access to your communications because the data arrives on our servers already encrypted – only you have the key to decrypt the information.

Additionally, information sent to and from Vispato (data in transit) is encrypted using TLS, the industry leader in encryption mechanisms.

Stored data (data at rest) is also encrypted.

Where is the data hosted?

By default, all your data is stored in the DATEV eG data center in Nuremberg where the data never leaves Germany, in accordance with national regulations.

If you are required to host Vispato in a different country due to data residency laws, we are able to accommodate this on request.

Who does the data belong to and who can see it?

Clients have full ownership of their data. Vispato does not access client information or use it for any purposes other than what is legally required or for the maintenance of our applications and for providing services to our clients and end-users. We never sell, share, or use client information for marketing or advertising purposes.

All communication in Vispato is encrypted with a personal key and stored in a database, and is therefore inaccessible to third parties.

There are controls in place to prevent Vispato employees from gaining access to data other than what is provided by the client. Vispato GmbH takes great measures to ensure that users outside the organization have no access to the company and that all data within an account can only be seen or edited by authorized users chosen by the client.

Do you make backups and is there a recovery process?

Yes, the DATEV data center is used for hosting as well as regular backups. This data is fully encrypted. These backups, which include all user data and system protocols, are created daily and available for a limited time to be restored.

Access Control

What are access controls?

Access controls determine who is able to access a system within an organization and which information they can see. Passwords are generally the first line of defense, but once a user gains access to a system, it must be determined which data the user can access.

How does Vispato handle access controls?

Vispato requires password authentication to access the system. Once the user is in the system, they must be given permissions in order to carry out additional operations or access certain information. With permissions, you can decide who has access to what.

Does Vispato govern our security?

No. Your organization is responsible for developing suitable security guidelines for passwords, permissions, and especially for encryption keys when using the security features provided by Vispato.

How do I manage permissions?

We created permissions so that you can decide who has access to the system and determine what they can or do. More information can be found in Vispato user documentation.

What password settings are available?

Vispato prevents the use of weak or commonly used passwords.

Additionally, users can add an extra layer of security to their account with 2-factor authentication (2FA). 2FA can be configured so that users receive a security code via SMS or an authenticator app to log in. What password settings are available?


What is availability?

You want to make sure that your service provider can guarantee that all services are available when you need them. A key component of availability is ensuring redundancies for data as well as for infrastructure so that there exists no single point of failure.

What does availability mean for Vispato?

Our dedicated team makes sure that our platform is ready and available whenever you need it. To offer you stable, high-availability services, we have built our system with redundant components, consistent monitoring, regularly planned integrity checks, and other similar features. We also carry out frequent backups to prevent work loss.


What do we mean by “partnership”?

Does the provider have a strong track record of delivering high-quality stable solutions? Do they ensure that the needs and expectations of their client are met? Will they remain operational in the long-term? Choosing the right service provider is like choosing a business partner – make sure you have earned their trust to meet the needs of your business now and in the future.

Vispato was founded in 2019, but it began as an affiliate company of Auditi GmbH, which has been providing software to over 250 audit firms since 2012. You can learn more about Auditi here:


What is compliance?

Compliance is the act of adhering to all relevant global and local laws.

With regards to whistleblowing solutions, this may include compliance with laws related to whistleblowing, data security, data privacy, and data residency.

How does Vispato handle local data residency laws?

If your company operates in certain countries such as China, it may be required to host data on local servers.

By default, we host Vispato hosted on DATEV servers in Germany. However, we are able to host Vispato in any country that you require – including China and Russia. If this is something you require, please let us know.

Does Vispato help companies to comply with whistleblowing laws?

Vispato is highly configurable and can help companies to comply with the principles of most major whistleblowing laws, including:

  • EU Whistleblower Protection Directive
  • US SOX Act Section 301 on Corporate Responsibility
  • U.K. FCA guidelines
  • German Corporate Governance Code (DGCK)
  • French Loi Sapin II

Most whistleblowing laws have provisions regarding:

The anonymity of whistleblowers – For example, the EU Whistleblower Protection Directive talks of the need for companies to “implement specific internal reporting channels to ensure that the whistleblower’s identity is kept confidential.”

Vispato provides a fully anonymous solution for communicating wrongdoing, with no registration required to report concerns.

The security of whistleblowing data

Vispato includes a host of security measures, including; physical security, application security, network security, access controls, and data privacy.

The ability for employees and stakeholders to report concerns

Vispato can be configured to take anonymous wrongdoing reports from both employees and external stakeholders. In addition, the software is designed to be user-friendly and requires no training which reduces any barriers to making a report.

Does Vispato comply with data privacy laws?

Vispato is fully GDPR compliant and complies with the principles of common data privacy laws, including:

Security – In accordance with Vispato’s data security measures: physical security, application security, network security, access controls, and data privacy.

Confidentiality – Reports submitted are completely anonymous and access controls ensure internal company confidentiality is maintained.

Storage Limitations – Archive permissions within Vispato help to ensure data is only held and removed when approved internally by company users.

Data minimization – Vispato does not hold any identifiable information of whistleblowers and minimizes the amount of data stored and asked for. This ensures data collected during operation is limited to its intended purpose.

Purpose limitation – Vispato has no access to your data as it is encrypted. In addition, Vispato does not use any data for purposes other than to ensure the software operates as described.

Lawfulness, fairness, and transparency – Vispato ensures that users are fully aware of how the data they submit will be used and processed via the company reporting portal.

Select your language

English Deutsch