Odoo: The Most Secure ERP Selection you can choose
Find Out Why

ERP solutions play a central role in managing critical data and business processes, centralizing financial, human resources, logistics information, and more. Unauthorized access to your company's data can have devastating consequences, which is why the security of the system you use becomes an essential priority.

Implementing robust security and data protection measures, and ensuring your ERP software complies with applicable data privacy and security regulations, is a priority as well. This is why today we will talk to you about security in Odoo. In this blog, we will explore the practices that protect each area of your company and teach you how to be prepared for any eventuality that may arise.

Odoo in the cloud

Backups/disaster recovery

 
When it comes to the security and continuity of your company, Odoo takes no risks. The system maintains up to 14 full backups of each instance for up to 3 months, meaning your data is protected over time. These backup copies are distributed on at least 3 different servers, located in different data centers, guaranteeing access to your information in any situation. Plus, you have full control: you can download manual backups at any time using the documentation provided by Odoo.

If you ever face a disaster, Odoo's RPO (Recovery Point Objective) is 4 hours: work is saved every 4 hours, which means that in the worst case a maximum of 4 hours of work could be lost before the last backup is restored. Odoo's RTO (Recovery Time Objective) is also remarkable: service is restored from an alternative data center in just 2 hours in the event that a disaster occurs and one of our data centers is out of service.

Database security

In Odoo, each client has their own database, and data is never shared between clients. Additionally, there are rigorous data access control rules, meaning that there is complete isolation between customer databases running on the same cluster. This prevents any possibility of unauthorized access or interaction between databases, ensuring maximum confidentiality and security of your data.


Password security

User passwords are protected with industry-standard PBKDF2+SHA512 hashing (salted and strengthened by thousands of rounds). Because only this one-way hash is stored, your password is yours and yours alone: Odoo staff cannot recover it, so if you lose it you must reset it. In addition, Odoo guarantees the secure transmission of credentials over HTTPS.
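A standard-library sketch of salted, stretched PBKDF2-SHA512 password storage as described above. It is an added example, not Odoo's own code; the `$pbkdf2-sha512$rounds$salt$digest` string layout, the 25,000-round default and the 10,000-round floor are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import os

MIN_ROUNDS = 10_000  # assumed policy floor, not a value from the page

def ab64_encode(data: bytes) -> str:
    # Base64 with '.' in place of '+' and the '=' padding dropped.
    return base64.b64encode(data, altchars=b"./").decode().rstrip("=")

def ab64_decode(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4), altchars=b"./")

def hash_password(password: str, rounds: int = 25_000) -> str:
    salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds)
    return f"$pbkdf2-sha512${rounds}${ab64_encode(salt)}${ab64_encode(digest)}"

def parse_hash(stored: str):
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] or parts[1] != "pbkdf2-sha512":
        raise ValueError("not a pbkdf2-sha512 hash")
    rounds = int(parts[2])
    salt, digest = ab64_decode(parts[3]), ab64_decode(parts[4])
    if rounds < 1 or not salt or not digest:
        raise ValueError("malformed pbkdf2-sha512 hash")
    return rounds, salt, digest

def verify_password(password: str, stored: str) -> bool:
    try:
        rounds, salt, expected = parse_hash(stored)
    except ValueError:
        return False  # unknown or damaged format never authenticates
    candidate = hashlib.pbkdf2_hmac(
        "sha512", password.encode(), salt, rounds, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)  # constant-time compare

def needs_rehash(stored: str, min_rounds: int = MIN_ROUNDS) -> bool:
    # Flags hashes stretched with fewer rounds than current policy allows.
    return parse_hash(stored)[0] < min_rounds

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("guess", record))
```

Nothing in the stored record can be turned back into the password, which is why a lost password can only be reset.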

Starting with version 12.0, your Odoo DBAs can configure rate limits and timeouts for login attempts. It also offers password policies, such as minimum length, to improve security.

Staff access

Odoo Help Desk staff can log into your account using their own credentials, without needing to know your password. This not only improves troubleshooting efficiency but also ensures your safety. In addition, this practice allows the actions of support staff to be audited and controlled independently, thus maintaining a high level of privacy. You can trust that the system will only access the files and settings necessary to diagnose and resolve your problems, protecting your information as much as possible.

Security system

Odoo cloud servers run with up-to-date security patches. Installations are minimal to reduce potential vulnerabilities and avoid stacks like PHP/MySQL. Only a few engineers are authorized to manage the servers remotely, and access is via an encrypted personal SSH key pair from computers with full disk encryption, ensuring maximum protection.

Physical security 

Odoo servers are hosted in trusted data processing centers around the world, such as OVH and Google Cloud, that meet rigorous physical security standards. These centers have restricted perimeters, exclusive access for authorized employees through security badges or biometric measures, security cameras that monitor the facilities 24 hours a day, and on-site security personnel available 24 hours a day.


Security in credit card payments

Odoo does not store credit card information in the system. Your information is always transmitted securely and directly, complying with PCI payment methods (see the list on our Privacy Policy page).

Data encryption

Customer information is always encrypted, both in transit and at rest. All communications to our client instances are protected by the most advanced 256-bit SSL encryption (HTTPS). In addition, internal communications between servers also have state-of-the-art encryption (SSH). Odoo maintains strict security surveillance on its servers and applies patches to protect against the latest SSL vulnerabilities, maintaining Grade A SSL ratings at all times. All of its SSL certificates use robust 2048-bit moduli with full SHA-2 certificate chains.

Network defense

The network defense is solid and robust. The data center providers used by Odoo are prepared to deal with distributed denial of service (DDoS) attacks. Their mitigation systems, both automatic and manual, can detect and divert attack traffic at the edge of their networks around the world, preventing disruptions to the availability of our services. Additionally, Odoo Cloud servers have firewalls and intrusion prevention systems that detect and block threats such as brute force attacks to crack passwords. In version 12.0 and later, client database administrators have the flexibility to configure the rate limit and cooldown duration for multiple access attempts, providing additional control over the security of their data.
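How a login rate limit with a cooldown behaves, as mentioned here and under Password security, shown as an added example that is not Odoo's code. The class, its `max_failures` and `cooldown` parameters, and the event list are hypothetical and constructed for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class LoginThrottle:
    max_failures: int = 5    # hypothetical rate limit
    cooldown: float = 60.0   # hypothetical cooldown, in seconds
    # source address -> (failure count, time of last failure)
    _state: dict = field(default_factory=dict)

    def attempt(self, source: str, ts: float, password_ok: bool) -> str:
        failures, last = self._state.get(source, (0, 0.0))
        if failures >= self.max_failures and ts - last < self.cooldown:
            # During the cooldown the credentials are not even evaluated,
            # so a correct guess gains nothing until the window has passed.
            return "blocked"
        if password_ok:
            self._state.pop(source, None)  # success clears the counter
            return "ok"
        self._state[source] = (failures + 1, ts)
        return "failed"

def replay(events, throttle):
    """Feed (source, timestamp, password_ok) events through the throttle."""
    return [throttle.attempt(*event) for event in events]

# Constructed sample events; addresses are documentation ranges.
EVENTS = [
    ("203.0.113.7", 0, False),
    ("203.0.113.7", 1, False),
    ("203.0.113.7", 2, False),   # third failure reaches the limit
    ("203.0.113.7", 3, True),    # correct password, still in cooldown
    ("198.51.100.4", 3, True),   # a different source is unaffected
    ("203.0.113.7", 70, True),   # cooldown (60 s after t=2) has elapsed
]

if __name__ == "__main__":
    for event, result in zip(EVENTS, replay(EVENTS, LoginThrottle(3, 60))):
        print(event, "->", result)
```

A short limit with a long cooldown slows password guessing the most, at the cost of locking out a legitimate user who mistypes several times in a row.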

Odoo (the software)

Regarding software security, Odoo has been continuously reviewed by users around the world, allowing proactive identification and collaboration to improve security. Additionally, development processes incorporate specific review steps for security aspects, in both new and contributed code.

Odoo's design focuses on security from the beginning, preventing common vulnerabilities such as SQL injection and XSS attacks by implementing preventative measures such as using a higher-level API and advanced web templating systems. The infrastructure also limits access to private methods, making it difficult to introduce exploitable vulnerabilities.

Odoo security regularly undergoes independent testing and audits by companies hired by clients and prospects, as well as penetration testing. Although the results are confidential, they are used to implement necessary corrections.


Practices to Protect your Data in Odoo

Don't skimp on security! Protect your data and follow these practices.

Now that you are familiar with Odoo security, both in the platform and software, we want to show you some recommendations that will allow you to strengthen the security of your system and guarantee the protection of your data against possible threats.

First of all, it is crucial to keep your systems and applications up to date, including all extensions and modules used. Additionally, you must implement strong and unique password policies for each user, avoiding common and shared passwords. Two-factor authentication (2FA) should also be enabled whenever possible to add an extra layer of security.

On the other hand, it is recommended to train your company's users in detecting phishing emails and the importance of not clicking on links or opening suspicious attachments. Signing out while company machines are not in use is also another important recommendation. Additionally, data should be backed up regularly and stored securely. Finally, staying aware of security updates and patches provided by Odoo and applying them in a timely manner is essential to protect your system and data.

In short, security in Odoo is an unwavering priority. From data encryption to constant code review and independent testing, every aspect is addressed with meticulous attention. However, security is a collaborative effort, and each user plays an essential role in adopting strong security practices. Together, we can keep security in Odoo at the highest level.

Remember that security specifications may vary depending on the Odoo infrastructure you have: Online, On-premise, or Odoo.sh.

  Ready to strengthen your security with Odoo?

Contact us today and find out how we can help protect your business!
