Skip to main content

Introduction

Security is paramount in deployERP. We implement multiple layers of protection to ensure your Odoo deployments remain secure, compliant, and protected against threats. This guide covers our security architecture and best practices.

Security Architecture

Security Layers

Infrastructure Security

  • Isolated cloud resources
  • Network segmentation
  • Firewall rules
  • DDoS protection

Application Security

  • Role-based access control
  • Session management
  • Input validation
  • Security headers

Data Security

  • Encryption at rest
  • Encryption in transit
  • Secure backups
  • Key management

Compliance

  • GDPR ready
  • SOC 2 Type II
  • ISO 27001 aligned
  • Regular audits

Authentication

Multi-Factor Authentication (2FA)

Enable 2FA for enhanced security:
1

Enable 2FA

Go to Settings → Security → Two-Factor Authentication
2

Choose Method

Select TOTP app or SMS verification
3

Scan QR Code

Use authenticator app to scan code
4

Verify Setup

Enter verification code to confirm

Supported 2FA Methods

MethodSecurity LevelSetup ComplexityRecommended For
TOTP AppHighMediumAll users
SMSMediumLowBasic protection
Hardware KeyVery HighHighAdmin accounts
Backup CodesMediumLowRecovery option

Single Sign-On (SSO)

Integrate with your identity provider:
  • SAML
  • OAuth 2.0
  • LDAP
saml:
  enabled: true
  idp_url: https://idp.company.com
  entity_id: deployerp
  x509_cert: ${SAML_CERT}
  attribute_mapping:
    email: EmailAddress
    name: DisplayName
    groups: Groups

Access Control

Role-Based Access Control (RBAC)

deployERP implements granular permissions:
RolePermissionsUse Case
OwnerFull access to all resourcesAccount owner
AdminManage servers, instances, usersIT administrators
DeveloperDeploy instances, view logsDevelopment team
OperatorStart/stop instances, backupsOperations team
ViewerRead-only accessStakeholders

Permission Matrix

ActionOwnerAdminDeveloperOperatorViewer
Create servers
Delete servers
Create instances
Modify instances
View logs
Manage backups
Billing access

API Key Permissions

Configure granular API key permissions: 
{
  "name": "deployment-key",
  "permissions": [
    "servers:read",
    "instances:create",
    "instances:read",
    "instances:update",
    "backups:create",
    "backups:read"
  ],
  "ip_whitelist": [
    "203.0.113.0/24",
    "198.51.100.0/24"
  ],
  "expires_at": "2024-12-31T23:59:59Z"
}

Network Security

Firewall Configuration

Default firewall rules:
PortProtocolSourcePurpose
22TCPRestrictedSSH (key-based only)
80TCPAnyHTTP (redirects to HTTPS)
443TCPAnyHTTPS
5432TCPInternalPostgreSQL
6379TCPInternalRedis
8069TCPInternalOdoo HTTP

IP Whitelisting

Restrict access by IP address: 
security:
  ip_whitelist:
    enabled: true
    rules:
      - name: "Office Network"
        ips: 
          - 203.0.113.0/24
        services: ["ssh", "admin"]
      - name: "VPN"
        ips:
          - 198.51.100.0/24
        services: ["all"]
    default_action: deny

DDoS Protection

Automatic DDoS mitigation:
  • Rate limiting per IP
  • Connection throttling
  • SYN flood protection
  • Application-layer filtering
  • Geographic blocking (optional)

Data Encryption

Encryption at Rest

All data encrypted using industry standards:
Data TypeEncryption MethodKey Management
DatabaseAES-256-GCMAWS KMS / Azure Key Vault
File storageAES-256-CBCManaged keys
BackupsAES-256-GCMCustomer-managed keys
LogsAES-256-GCMAutomatic rotation

Encryption in Transit

All communications encrypted:
  • TLS 1.3 for web traffic
  • SSH for server access
  • TLS for database connections
  • HTTPS for API calls

SSL/TLS Configuration

ssl:
  # Minimum TLS version
  min_version: "TLSv1.2"
  
  # Cipher suites
  ciphers:
    - ECDHE-RSA-AES256-GCM-SHA384
    - ECDHE-RSA-AES128-GCM-SHA256
    - ECDHE-RSA-AES256-SHA384
  
  # HSTS
  hsts:
    enabled: true
    max_age: 31536000
    include_subdomains: true
    preload: true

Security Monitoring

Audit Logging

Comprehensive audit trail of all actions:
Event TypeInformation LoggedRetention
AuthenticationLogin attempts, 2FA usage90 days
AuthorizationPermission checks, denials90 days
Resource ChangesCreate, update, delete actions1 year
API AccessAPI key usage, endpoints90 days
Security EventsFailed attempts, blocks1 year

Security Alerts

Real-time security notifications: 
security_alerts:
  - type: failed_login
    threshold: 5
    window: 5m
    action: notify_and_block
    
  - type: privilege_escalation
    action: notify_immediately
    
  - type: unusual_api_activity
    threshold: 1000
    window: 1h
    action: rate_limit
    
  - type: geographic_anomaly
    action: require_2fa

Intrusion Detection

Automated threat detection:
  • Brute force attempts
  • SQL injection attempts
  • XSS attempts
  • Suspicious file uploads
  • Abnormal traffic patterns

Compliance & Certifications

GDPR Compliance

deployERP helps maintain GDPR compliance:

Data Privacy

  • Data minimization
  • Purpose limitation
  • Access controls
  • Audit trails

Data Rights

  • Right to access
  • Right to rectification
  • Right to erasure
  • Data portability

Compliance Features

FeatureDescriptionCompliance
Data ResidencyChoose data locationGDPR, Data sovereignty
EncryptionEnd-to-end encryptionHIPAA, PCI DSS
Audit LogsComplete activity trailSOC 2, ISO 27001
Access ControlsRole-based permissionsAll standards
Data RetentionConfigurable policiesGDPR, Industry specific

Security Best Practices

Account Security

  • Minimum 12 characters
  • Mix of letters, numbers, symbols
  • Unique for each service
  • Use password manager
  • Required for admin accounts
  • Recommended for all users
  • Use TOTP apps over SMS
  • Keep backup codes secure
  • Audit user permissions quarterly
  • Remove inactive accounts
  • Follow least privilege principle
  • Document access changes

Infrastructure Security

Keep Systems Updated

  • Enable automatic security updates
  • Review update logs
  • Test updates in staging
  • Plan maintenance windows

Network Segmentation

  • Isolate production systems
  • Use private networks
  • Implement VPNs
  • Restrict public access

Regular Backups

  • Automated daily backups
  • Test restore procedures
  • Encrypt backup data
  • Store offsite copies

Monitor Continuously

  • Enable security alerts
  • Review logs regularly
  • Investigate anomalies
  • Update security rules

Incident Response

Response Plan

In case of security incident:
1

Detect & Contain

Identify scope and contain threat
2

Assess Impact

Determine affected systems and data
3

Notify

Contact deployERP support immediately
4

Investigate

Collect logs and evidence
5

Remediate

Apply fixes and patches
6

Review

Post-incident analysis and improvements

Emergency Contacts

TypeContactResponse Time
Critical Security[email protected]< 1 hour
Support[email protected]< 4 hours
Abuse Reports[email protected]< 24 hours

Security Tools

Security Scanner

Regular vulnerability scanning: 
# Run security scan
deployerp security scan --instance=production

# Output
Scanning instance: production
[✓] SSL/TLS configuration
[✓] Security headers
[✓] Open ports
[!] Outdated module: sale_custom (update available)
[✓] Database security
[✓] File permissions

Security Score: 94/100

Penetration Testing

Annual third-party penetration testing:
  • Application security testing
  • Infrastructure testing
  • Social engineering assessment
  • Compliance validation