We are committed to security and compliance of the software we develop, and all of our work with our customers & their data

Greenstep became ISO27001 certified in 2023.

“The ISO27001 certificate is a testament to the quality of the policies, procedures and processes at Greenstep”
Anne Kulla, Partner & Head of Compliance

Our policies include:

• Secure development policy – At Greenstep, all developers follow our Secure Development Guidelines. Our culture values and rewards the detection and mitigation of vulnerabilities. Please contact us if you wish to know more about our Secure Development practices.
• Code of conduct
• Information security policy
• People management policy
• Secure architecture and engineering policy
• Business continuity policy
• Office policy/ Physical security policy
• Cryptography policy
• Responsible disclosure policy
• Access Control Policy
• Supplier policy
• Testing policy
• Endpoint device policy
• Backup policy
• Privacy policy
• Information retention policy
• Password policy
• Logging policy
• Information classification policy
• Secure development policy
• Insurance policy
• Penetration testing policy

The compliance to these policies is followed through our controls which adhere to the ISO27001.2002 framework and are audited yearly.

Greenstep compliance with the NIS2 Directive

The NIS2 Directive (Directive (EU) 2022/2555)) (the “NIS2”) aims to achieve a high common level of cybersecurity across the European Union. It is to data security what the General Data Protection Regulation (GDPR) is to personal data and data protection.

The NIS2 has been transposed into local legislation in 2025 and Greenstep has been registered as an operator under NIS2.

Greenstep is authorized in Finland

As a member of the Financial Management Association of Finland, we are audited yearly on our accounting processes as an organization and as individuals. We have over 40 authorized personnel within both accounting and payroll.

Greenstep is authorized in Sweden

We are audited members of the Swedish Association of Accounting and Payroll consultants. Multiple people of our staff are Authorized Accountants who must follow the Swedish standard of accountancy, called Rex. Individuals must undergo regular quality checks made by SRF-konsulterna every six years. The Authorization is a stamp of approval from SRF and warrants the accountants high level of competence and experience.

Greenstep has right to conduct accounting in Norway

Finanstilsynet has granted Greenstep the right to conduct accounting in Norway.

Greenstep is a supporting member of the association of accountants in Estonia

Know Your Customer (KYC) is an essential process for Greenstep as an accounting firm to verify the identity of their clients and comply with anti-money laundering (AML) regulations

Greenstep follows the Anti-Money Laundering Directive (2015/849; “AML Directive”) which constitutes the main legal instrument. The AML Directive has been codified into Member States’ legislation and is followed in each Greenstep country. In Finland, Åland, Sweden, Norway and Estonia Greenstep have been registered as a service provider under KYC as an accounting firm. The EU law concerns many fields, but in Greenstep’s case accounting offices are responsible and liable to prevent money laundering and terrorist financing.

For Greenstep, the scope of the KYC requirements extends to all our customers. ​There are different levels of due diligence, and it depends on the risk factors identified during onboarding and continuous monitoring. ​

Only in very rare cases we can disregard the requirement of KYC. Often, even in cases such as a listed company, we will complete the KYC, but with the information we are able to gather from public sources.

Guidance from authorities:

• Aluehallintovirasto in Finland Rahanpesulain valvonta – Raha ja omaisuus – Valvonta ja kantelut – Yritys-tai yhteisö – Aluehallintovirasto (avi.fi)
• Rahanpesu – Poliisi
• Ekobrotsmyndigheten in Sweden Penningtvättsbrott | Ekobrottsmyndigheten
• Finanstillsynet in Norway Money laundering and financing of terrorism – Finanstilsynet.no
• Finantsinspektsioon in Estonia Prevention of money laundering in general | FSA (fi.ee)

Greenstep promotes responsible business methods and fosters an ethical way of acting. We take all illegal, unethical or any acts that go against our guidelines seriously. We encourage you to bring these to our attention every time there is a suspicion of misconduct.

It is crucial that the employees, associates and other stakeholders of Greenstep inform us of their concerns and suspicions regarding misconduct not in line with the organization’s guidelines. Therefore, primarily we encourage you to contact a supervisor in our organization. However, if this is not an option, you can report a concern via the reporting channel.

You do not need to have firm evidence of misconduct; however, reports should be submitted honestly and in good faith. Deliberate reporting of false information is strictly forbidden.

Avoid revealing personal information, especially delicate information, while submitting a report. If the message contains any information prohibited by law, we might not be allowed to process it.

You may leave your name and contact information during reporting, but we provide you with this opportunity to express your concern through this confidential channel anonymously. In addition, the service removes all metadata automatically in case there are any attachments added to the report.

Lexia Asianajotoimisto Oy is responsible for the service package as well as for the lawful processing of reports.

After sending the report, you will receive a unique token on the screen that enables you to continue communicating anonymously with us in the future. Save this in a secure manner. When needed, we might submit follow-up questions via the reporting channel and inform you how the investigation is proceeding.

All reports are investigated confidentially and in accordance with specified procedures. Possible resulting steps are taken only after the investigation has been concluded. The information from the report or the investigation can only be accessed by the people who need it to complete the investigation.

You create an incident from here https://app.easywhistle.com/report/greenstep/about