Compliance and certification

Our privacy support service offers privacy specialists to run your privacy program development. It will be tailored according to your organization's needs. Privacy support covers scheduled tasks, ad-hoc questions and crisis management. Continuous privacy support offers expertise at hand for everyday privacy issue, robust support at a crisis situation and expertly managed annual privacy program. A nominated privacy specialist will head the service, backed up by a multi-skilled team of cybersecurity, technology, IAM and legal experts. The service typically includes specialist ad-hoc advice for your DPOs, a team ready to assist in data breach cases and development of your privacy management capabilities.

PCI DSS Onsite Assessment is the assessment service for all parties that store, process or transmit cardholder data. We have experience in assessing different organization types such as large retail chains, small cafés, global service providers, payment gateways, airlines and banks. We don’t only assess, but help the customer in achieving and maintaining compliance as well.

The service is designed to be effective and cause minimal disruptions to the organization’s day-to-day operations. The assessment is divided into phases: Scoping, Documentation Review, Technical Tests and Site Visits, Interview and Observation sessions, Reporting and Closeout meeting. Each phase is carefully designed to guarantee a successful assessment with minimal disruptions.

Conducting a DPIA supported by Nixu ensures a reliable, verified process with input from multi-skilled team of technical and legal privacy experts. The process goes beyond the mere identification of risks and includes suitable mitigation measures for your organization. Nixu's method is comprised of use case and process workshops with technical and legal points covered. We draft data flow maps to bring clarity to the processing activities, conduct a full assessment of risk with all expertise areas covered and produce a comprehensive DPIA report. The DPIA results will be methodically reported including a specific description of processing with additional data flow maps, an expert assessment of the necessity and proportionality of processing, a full and compliant assessment of risk to individuals and legal, technical and organizational measures to address the risk. DPIA report will deliver you the proof of compliance required for authorities and organizational partners.

The PCI Software Security Framework (PCI SSF) is intended for vendors who develop payment applications, or applications related to payment functions. The framework consists of the Secure Software Standard and Secure Software Lifecycle Standard. We can help with training, preparations for the validation, remediation of non-conformities, and perform the validation. A successful validation results in the application being on the PCI Security Standards Council as Validated Payment Software. Note: The PCI Software Security Framework replaces the PCI PA-DSS Standard. PA-DSS will be retired in October 2022.

With us you can be innovative. And secure. New Payment Service Directive, PSD2, is forcing banks to evolve rapidly into open banking. It enables a whole new marketplace for new innovative financial service providers. PSD2 as well as GDPR bring challenges in meeting requirements for risk based security management, continuous security monitoring and incident reporting. With our help, you can focus on innovative services and leave the security requirements to us. We help you in building secure digital platforms as well as making sure you are compliant with both PSD2 and GDPR.

Nixu’s Data Protection Officer (DPO) as a Service ensures your organization’s designated DPO has extensive legal, technical and managerial privacy expertise. Your tailored DPO will be accessed through one main contact backed up by a multi-skilled team, guaranteeing availability also during holiday seasons and yearly flu epidemics. The DPO will handle and coordinate expert non-operative GDPR tasks such as contact with authorities, privacy training, DPIA specialist advice, reviews of accountability documentation and managing of data breaches. This specialist service stays up to date with privacy legislation and ensures you have the right items on your organization's privacy steering group.

PCI Preparation service is the initial step to PCI compliance. We train customer’s key personnel to understand PCI and its requirements. We focus on minimizing the customer’s PCI environment so that compliance can be achieved more cost effectively. The most important outcome of the service is a roadmap that contains clear tasks to be performed in order to become compliant. For each task, a cost estimate is provided and responsibilities defined. The roadmap can be further refined to become a project plan.

The next step after the PCI Preparation phase is usually remediation phase. We support this phase, and help ensure that compliance can be maintained also after the assessment.

The national requirements for information security levels constitute a tool which helps different parties meet the requirements of national information security acts. These requirements apply to the Finnish state administration and its service providers.

Nixu has piloted and provided definitions for the Finnish government's information security levels and ICT contingency planning requirements. We have performed information security level audits for the state administration and formulated operational plans for achieving desired security. With regard to the private sector, we have incorporated the information security level requirements into our customers' compliance management systems.

The Collaborator Security Audit Service provides customers possibility to verify that security status of their partners and collaborators does not create unacceptable risks, the contractual requirements for security are followed and that the processes and security governance of collaborators is sound and according to industry best practices. Nixu auditor will identify business critical assets, which are exposed to collaborators, and either verifies that contractually agreed security controls are protecting these assets or that the assets are protected based on industry best practices.