01 Backups
- 4 full backups are retained: 1 full backup is taken every 7 days, and 1 database (DB) backup is taken every day.
- DB backups replicated to at least 1 different machine in different data centers.
- Users can also request a download of a backup of their live data at any time by submitting a request ticket through our website.
- In case of permanent data center disaster, our Disaster Recovery Procedure has the following metrics:
02 Database Security
- Customer data is stored in a dedicated database — no sharing of data between clients.
- Data access control rules implement complete isolation between customer databases running on the same cluster; no access is possible from one database to another.
03 Password Security
- E-Global / Instant-ERP staff do not have access to your password and cannot retrieve it for you — the only option if you lose it is to reset it.
- Login credentials are always transmitted securely over HTTPS.
04 Employee Access
- Instant-ERP support staff may sign into your account to access settings related to your support issue (using special staff authorization, not with your password).
- We do our best to respect your privacy as much as possible — we only access files and settings needed to diagnose and resolve your issue.
05 System Security
- All Instant-ERP online servers run hardened Linux distributions with up-to-date security patches.
- Installations are ad-hoc and minimal to limit the number of services that could contain vulnerabilities (no PHP/MySQL stack, for example).
- Only a few Instant-ERP engineers have clearance to remotely manage the servers — and access is only possible using SSH key pairs (password authentication disallowed).
- Firewalls and intrusion counter-measures help prevent unauthorized access.
06 Physical Security
The Instant-ERP Online servers are hosted in several data centers worldwide, which must all satisfy our minimum physical security criteria:
- Physical access to the data center area where Instant-ERP servers are located is restricted to data center technicians only.
- Security cameras monitor the data center locations.
07 Credit Card Safety
- When you sign up for a paid Instant-ERP Online subscription, we do not store your credit card information.
- Your credit card information is only transmitted securely between you and our PCI-Compliant payment acquirers, including PayPal (even for recurring subscriptions).
08 Communications
- All web connections to client instances are protected with TLS (the protocol still commonly called SSL) using 256-bit symmetric encryption.
- All our TLS certificates use 2048-bit RSA keys.
09 Software Security
Instant-ERP is based on Odoo. Odoo is open source, so the whole codebase is continuously under examination by Odoo users and contributors worldwide. Community bug reports are therefore one important source of feedback regarding security. We encourage developers to audit the code and report security issues.
The Odoo R&D processes have code-review steps that include a security check for all new and contributed pieces of code. Many customers have conducted independent code audits and performed penetration tests, and all findings have been taken into consideration.
Designed to prevent common issues
- SQL injections are prevented by the use of a higher-level API that does not require manual SQL queries.
- XSS attacks are prevented by a high-level templating system that automatically escapes all data being rendered.
- The framework prevents RPC access to private methods, making it harder to introduce exploitable vulnerabilities.
10 OWASP Top Security Issues
Here is where Odoo stands on the top security issues for web applications, as listed by the Open Web Application Security Project.
Cross-Site Scripting (XSS)
The Odoo framework escapes all expressions rendered into views and pages by default, preventing XSS. Developers have to specially mark expressions as “safe” for raw inclusion into rendered pages.
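As an added illustration (example code written for this page, not Odoo's own QWeb templating engine), the following Python shows the escape-by-default discipline described above: a small placeholder renderer that HTML-escapes every substituted value unless the developer has explicitly wrapped it in a Markup type, which plays the role of marking an expression "safe". The Markup class, the render() function and the sample payload are all constructed for the example.

```python
import html
import re


class Markup(str):
    """Marker type for HTML a developer has explicitly vouched for.
    Only values wrapped in Markup bypass escaping (the "safe" marking described in the text)."""


def escape(value):
    """Escape everything except explicitly marked Markup.
    quote=True also escapes quotes, so the output is safe inside attribute values."""
    if isinstance(value, Markup):
        return str(value)
    return html.escape(str(value), quote=True)


# Matches {{ variable }} placeholders; the variable name is restricted to identifiers.
_PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_]\w*)\s*\}\}")


def render(template, **context):
    """Render a template, escaping every substituted value by default.
    The template text itself is trusted developer code; only context values are untrusted."""
    def substitute(match):
        name = match.group(1)
        if name not in context:
            raise KeyError("undefined template variable: %s" % name)
        return escape(context[name])
    return _PLACEHOLDER.sub(substitute, template)


# Constructed sample input: a partner name carrying a script payload.
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'


def render_partner_card(name):
    """Untrusted data goes through escaping; the payload is rendered as inert text."""
    return render('<p class="partner">{{ name }}</p>', name=name)


def render_trusted_body(body_html):
    """Raw inclusion only happens when the developer wraps the value in Markup."""
    return render("<div>{{ body }}</div>", body=Markup(body_html))


if __name__ == "__main__":
    print(render_partner_card(PAYLOAD))
    print(render_trusted_body("<b>Order confirmed</b>"))
```

The remaining risk with this design is exactly the one the text points at: wrapping untrusted input in Markup (or its real-world equivalents) turns the escaping off, so every such marking deserves review.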
Injection Flaws
Odoo relies on an object-relational-mapping (ORM) framework that abstracts query building and prevents SQL injections by default. Developers do not normally craft SQL queries manually — they are generated by the ORM, and parameters are always properly escaped.
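The following Python example is added here to make the distinction concrete; it is not Odoo's ORM and uses SQLite in place of PostgreSQL. It contrasts a query built by string formatting with the same lookup using bound parameters, then shows a minimal search() in the style of an ORM domain, where field names and operators are checked against whitelists and values are always bound, so nothing a caller supplies can alter the query structure. The table, rows and injection payload are constructed for the example.

```python
import sqlite3


def make_demo_db():
    """In-memory table standing in for Odoo's res_partner, with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE res_partner (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO res_partner (name, email) VALUES (?, ?)",
        [("Alice", "alice@example.com"), ("Bob", "bob@example.com")],
    )
    return conn


def find_partner_vulnerable(conn, name):
    """Anti-pattern: the value is pasted into the SQL text, so it can rewrite the query."""
    query = "SELECT id, name, email FROM res_partner WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def find_partner_parameterized(conn, name):
    """Correct hand-written SQL: the value is bound as a parameter and never parsed as SQL.
    This is the same discipline a call like cr.execute(query, params) relies on."""
    query = "SELECT id, name, email FROM res_partner WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


# Whitelists: only these names and operators may ever become SQL text.
ALLOWED_FIELDS = {"id", "name", "email"}
ALLOWED_OPERATORS = {"=": "=", "!=": "<>", "like": "LIKE", "ilike": "LIKE"}


def search(conn, domain):
    """Minimal stand-in for an ORM search(): domain is a list of (field, operator, value)
    triples. Fields and operators are validated against the whitelists; values are always
    bound parameters, so no position of the domain can inject SQL."""
    clauses, params = [], []
    for field, operator, value in domain:
        if field not in ALLOWED_FIELDS or operator not in ALLOWED_OPERATORS:
            raise ValueError("invalid domain term: %r" % ((field, operator, value),))
        clauses.append("%s %s ?" % (field, ALLOWED_OPERATORS[operator]))
        params.append(value)
    where = " AND ".join(clauses) if clauses else "1=1"
    query = "SELECT id, name, email FROM res_partner WHERE %s ORDER BY id" % where
    return conn.execute(query, params).fetchall()


# Constructed payload: closes the string literal and appends an always-true condition.
PAYLOAD = "nobody' OR '1'='1"


if __name__ == "__main__":
    db = make_demo_db()
    print(find_partner_vulnerable(db, PAYLOAD))
    print(find_partner_parameterized(db, PAYLOAD))
    print(search(db, [("name", "=", PAYLOAD)]))
```

With the payload, the vulnerable function returns every partner, while both the parameterized query and the domain search return nothing, because the payload is compared as a literal name rather than interpreted as SQL.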
Malicious File Execution
Odoo does not expose functions to perform remote file inclusion. It allows privileged users to customize features by adding custom expressions, but these are always evaluated by a sandboxed and sanitized environment that only allows access to permitted functions.
Insecure Direct Object Reference
Odoo access control is not implemented at the user-interface level, so exposing references to internal records (such as database ids) in URLs does not by itself grant access to them. Every request still has to go through the data access validation layer.
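As an added example (written for this page; not Odoo's actual RPC dispatcher or record-rule engine), the Python below combines this point with the earlier one about private methods: the dispatcher refuses any method whose name starts with an underscore, and the public read() method validates every id against a record rule before returning data, so an id guessed from a URL or an RPC call is worth nothing without the right to access that record. The model, users, orders and the "own company only" rule are constructed for the example.

```python
class AccessError(Exception):
    """Raised when a request fails method-visibility or record-access validation."""


# Constructed sample data: two companies' sale orders and the users who belong to them.
USERS = {"alice": {"company_id": 1}, "bob": {"company_id": 2}}
SALE_ORDERS = {
    1: {"name": "SO001", "company_id": 1, "amount": 100.0},
    2: {"name": "SO002", "company_id": 2, "amount": 250.0},
}


class SaleOrder:
    """Hypothetical model. Public methods are callable over RPC; methods whose
    name starts with an underscore are internal and never exposed."""

    def _check_access(self, user, ids):
        """Record rule (assumed for the example): a user sees only their own company's orders."""
        company = USERS[user]["company_id"]
        for record_id in ids:
            record = SALE_ORDERS.get(record_id)
            if record is None or record["company_id"] != company:
                # One error for both "does not exist" and "not yours", so ids cannot be enumerated.
                raise AccessError("user %s may not access sale.order(%s)" % (user, record_id))

    def read(self, user, ids):
        """Public: validates access before returning anything, wherever the ids came from."""
        self._check_access(user, ids)
        return [SALE_ORDERS[i]["name"] for i in ids]

    def _recompute_amount(self, user, ids):
        """Internal helper that performs no checks; must not be reachable through dispatch()."""
        return sum(SALE_ORDERS[i]["amount"] for i in ids)


def dispatch(user, model, method, ids):
    """RPC entry point: refuse private methods, then let the public method enforce access rules."""
    models = {"sale.order": SaleOrder}
    if model not in models:
        raise AccessError("unknown model %s" % model)
    if method.startswith("_"):
        raise AccessError("private method %s.%s is not RPC-callable" % (model, method))
    handler = getattr(models[model](), method, None)
    if handler is None or not callable(handler):
        raise AccessError("unknown method %s.%s" % (model, method))
    return handler(user, ids)


def try_dispatch(user, model, method, ids):
    """Convenience wrapper returning ('ok', result) or ('denied', message)."""
    try:
        return ("ok", dispatch(user, model, method, ids))
    except AccessError as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    print(try_dispatch("alice", "sale.order", "read", [1]))
    print(try_dispatch("bob", "sale.order", "read", [1]))
    print(try_dispatch("alice", "sale.order", "_recompute_amount", [1]))
```

Note that the underscore check also blocks dunder names such as __class__, which would otherwise let a caller reach Python internals through getattr().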
Insecure Cryptographic Storage
Odoo uses industry-standard secure hashing for user passwords (by default PBKDF2 + SHA-512, with key stretching). It is also possible to use external authentication systems such as OAuth 2.0 or LDAP, to avoid storing user passwords locally at all.
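To show what "PBKDF2 + SHA-512 with key stretching" means in practice, here is an added Python example using only the standard library; it is not Odoo's implementation (which delegates to the passlib library) and the iteration count is an assumption taken from OWASP's published guidance for PBKDF2-HMAC-SHA512. It stores a self-describing hash with a random per-password salt, verifies in constant time, and detects hashes that should be upgraded to a higher work factor.

```python
import base64
import hashlib
import hmac
import os

# Work factor. Assumed value for this example (OWASP guidance for PBKDF2-HMAC-SHA512);
# Odoo's own rounds come from passlib's defaults and configuration.
ITERATIONS = 210_000
SALT_BYTES = 16
SCHEME = "pbkdf2-sha512"


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def _unb64(text):
    return base64.b64decode(text.encode("ascii"))


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing hash: $scheme$iterations$salt$digest.
    A fresh random salt per password means identical passwords hash differently."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return "$%s$%d$%s$%s" % (SCHEME, iterations, _b64(salt), _b64(digest))


def _parse(stored):
    """Split a stored hash into (iterations, salt, digest); None if malformed."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != SCHEME:
        return None
    try:
        return int(parts[2]), _unb64(parts[3]), _unb64(parts[4])
    except ValueError:  # covers bad ints and bad base64 (binascii.Error subclasses ValueError)
        return None


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored, iterations=ITERATIONS):
    """True when a stored hash is malformed or uses fewer rounds than current policy,
    so the application can re-hash on the user's next successful login."""
    parsed = _parse(stored)
    return parsed is None or parsed[0] < iterations


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))
```

The salt and iteration count travel with the hash, so the work factor can be raised later without invalidating existing accounts: old hashes keep verifying, and needs_rehash() flags them for upgrade.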
Insecure Communications
Odoo Online runs on HTTPS by default. For on-premise installations, it is recommended to run Odoo behind a web server that terminates TLS and proxies requests to Odoo, for example Apache, Lighttpd or nginx.
Failure to Restrict URL Access
Odoo security does not rely on hiding special URLs. Every request still has to go through the data access validation layer. In rare cases where a URL provides unauthenticated access to sensitive data (such as special URLs customers use to confirm an order), these URLs are digitally signed with unique tokens and only sent via email to the intended recipient.
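As an added example of the signed-URL pattern just described (written for this page; Odoo's actual order-confirmation links are implemented differently), the Python below builds a confirmation link whose query string carries an HMAC over the order id, the recipient address and an expiry time, and verifies it with a constant-time comparison. The endpoint URL, the way the secret is obtained and the expiry policy are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Per-instance secret. Assumption: a real deployment loads this from configuration
# rather than generating it at import time, or every restart would invalidate all links.
SECRET_KEY = secrets.token_bytes(32)
BASE_URL = "https://erp.example.com/my/orders/confirm"  # hypothetical endpoint
DEFAULT_TTL = 7 * 24 * 3600  # links expire after a week (assumed policy)


def _signature(order_id, email, expires):
    """HMAC-SHA256 over the three fields, so none of them can be changed independently."""
    message = "%d|%s|%d" % (order_id, email, expires)
    return hmac.new(SECRET_KEY, message.encode("utf-8"), hashlib.sha256).hexdigest()


def make_confirm_url(order_id, email, ttl=DEFAULT_TTL, now=None):
    """Build the link that is emailed to the intended recipient.
    Without SECRET_KEY nobody can forge a valid signature for another order or address."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    query = urlencode({
        "id": order_id,
        "email": email,
        "exp": expires,
        "sig": _signature(order_id, email, expires),
    })
    return "%s?%s" % (BASE_URL, query)


def verify_confirm_url(url, now=None):
    """Return the order id if the link is intact and unexpired, otherwise None."""
    now = int(time.time()) if now is None else now
    params = parse_qs(urlparse(url).query)
    try:
        order_id = int(params["id"][0])
        email = params["email"][0]
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return None
    if now > expires:
        return None
    expected = _signature(order_id, email, expires).encode("ascii")
    # compare_digest on bytes: constant time, and no TypeError on a non-ASCII sig parameter.
    if not hmac.compare_digest(expected, sig.encode("utf-8")):
        return None
    return order_id


if __name__ == "__main__":
    link = make_confirm_url(42, "buyer@example.com")
    print(link)
    print(verify_confirm_url(link))
```

Because the expiry is part of the signed message, an attacker cannot extend a leaked link's lifetime, and because the signature covers the id, changing the order number in the URL invalidates it rather than exposing a different customer's order.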
11 Reporting Security Vulnerabilities
If you need to report a security vulnerability, please head over to our responsible disclosure page. These reports are treated with high priority: the problem is immediately assessed and solved by the Instant-ERP security team, in collaboration with the reporter, and then disclosed in a responsible manner to our customers and users.