Skip to main content


Security policies

We know that your business is as important to you as ours is to us, and at the very heart of that is information security. This is why customer trust is at the centre of what we do and why security is a top priority.


We are transparent with our security programme to enable you to be feel informed and safe while using our products and services. While our security team continues to expand, everyone at Twinfinity is part of our mission to achieve better security. 

We strive to surpass all customers' security requirements, comply with requirements for all relevant standards and certifications and proudly publish details about how we protect customer data.

Security passwey

Security champions

We have designated security champions within all our product and service teams who assume responsibility for delivering on key security initiatives among their peers on an ongoing basis and keeping communication with our central security team as open as possible. In this way, we keep security front and centre and ensure that security is a key component in all development activities.


Browser security

When you access Twinfinity, your browser displays a secure padlock indicating that Twinfinity is a secure site. This means that all data transmitted between your browser and our servers is encrypted.

 Twinfinity uses strong browser encryption products to protect your data. We use TLS 1.3, X25519 and AES_256_GCM.

Data deletion

Data deletion

Upon termination of a Twinfinity contract the user content will be completely removed from the Twinfinity production system. The customer’s data will remain in encrypted Twinfinity database backups until those backups fall out of the backup retention window and are destroyed in accordance with our data retention policy. 




Data security audits and assessments

Being a wholly owned subsidiary to Sweco AB, Twinfinity is subject to the same stringent policies and security measures as defined by our mother company.

Our information security processes and procedures are being audited yearly. In addition, internal audits are being performed each quarter. But that is just compliance. The all-important security work is an ongoing activity.

Twinfinity periodically uses third-party security firms to perform security assessments. These assessments are performed at a minimum of once a year. Any resulting findings are prioritised and addressed according to internal policies and industry best practices.





Production environment

We maintain separate and distinct production and development environments for Twinfinity.

To access the production environment, authorised and trained SRE and select engineering team members authenticate using unique strong passwords and hardware based 2FA tools to access the production environment and all such accesses are being logged. We monitor and get alerts of any changes to the production system files or configuration or anomalous security events. For authorised personnel, any workstations must be running current and active anti-virus software and be fully updated. All authorised personnel also undergo special training and extra screening before being allowed access.

Two people working with laptop and security




Development, patch and configuration management

All changes to the Twinfinity production system require review prior to deployment to the production environment.

Automated unit tests are run against production code prior to deployment. Production code is also subject to regularly conducted automated vulnerability scans. All changes are verified in a test environment prior to deployment to production. Patches to web client applications are deployed on a rolling basis, potentially several times per week. All system changes are peer reviewed and patches are deployed based on their importance and criticality.

Production servers are running a LTS (Long Term Support) distribution of their operating system to ensure timely updates are available. CVE lists and notifications are actively monitored and any systems can be patched in a timeline relevant to the severity of the issue. 


Development process


The Twinfinity development team follows industry standard agile development practices, based on the scrum methodology. We run tests and builds on an ongoing basis, using continuous integration and continuous delivery (CI/CD) tools and practices as much as possible. Industry leading backlog management systems and source control tools are used for all software development, providing a fine-grained, living audit trail of all product decisions, resulting code changes, and releases to the production environment.


Employee policies


Security awareness and user data access policies are covered during our employee onboarding as appropriate to the role and employees are updated as relevant policies or practices change. Our employees also sign a confidentiality agreement. All development staff undergo continuous and mandatory security training. 

All our employees undergo an extensive interview process before hiring. In addition, our employees with direct access to the production environment undergo an extended background check. Other employees may undergo a check depending on their role. Appropriate NDAs are in place with third parties as appropriate.

Mapping of API



Your data
remains your data

Or platform is divided into two primary components. One, Twinfinity Core, is responsible for breaking down IFC models into data and exposing it via our APIs. The other part, our apps, creates value for our customers through various applications and integrations where the digital building is retrieved from Twinfinity Core and contextualized with operational data from different perspectives (IoT, Sustainability, Business Data, etc.).

This means that our Core platform is responsible for efficiently breaking down models and serving data to clients in an extremely efficient manner with high security. Our customers can choose to build their own applications where models are combined with other data sources to create value for different actors in different contexts. The applications is run in our clients browsers, meaning that Twinfinity AB, will never know anything about the integrated data in an application buildt by a customer.


Further questions?


We work hard to protect your data and to give you the information you need to make an informed decision about Twinfinity security.