Security & Compliance
How We Keep Your Odoo Data Safe
What enterprise procurement teams need to evaluate Octura — hosting infrastructure, encryption, access controls, sub-processors, and how we handle the things we can't yet certify.
The four pillars
Our security model rests on four commitments — every engagement is built against these, and every gap (intentional or not) is documented for procurement.
Encryption everywhere
TLS 1.2+ in transit. AES-256 at rest. Customer-managed keys available for Enterprise hosting tiers.
Data residency
Hosting region of your choice — AWS or GCP in the US, Canada, or EU. Your data does not cross borders without written approval.
Least-privilege access
Role-based access in Odoo and in our infrastructure. MFA on every engineer account. Audit logs for every production action.
Honest compliance posture
GDPR-aligned today, SOC 2 Type I in progress, ISO 27001 on roadmap. We tell you what's done versus underway — no certifications by implication.
Control categories
Access & Identity
Who can do what, when, and from where — across Odoo and the hosting layer.
- MFA mandatory on every Octura engineer account
- Role-based access in Odoo (sales, finance, technical) with named groups
- Time-bound break-glass access for production with 24h auto-expiry
- Quarterly access review and removal of dormant accounts
Network & Infrastructure
Hosting hardened to enterprise standards on AWS or GCP.
- Private VPC with separate subnets for app, database, and management
- WAF (Cloudflare or AWS WAF) with rate limiting and bot mitigation
- Optional IP allow-list and site-to-site VPN for production access
- DDoS protection via Cloudflare Magic Transit on Enterprise tiers
Data Protection
Encryption, backups, and lifecycle management for the data that matters.
- AES-256 encryption at rest on managed volumes and database snapshots
- TLS 1.2+ enforced on all customer-facing endpoints
- Encrypted off-site backups retained for 35 days (or per SOW)
- PII data masking in non-production environments by default
Compliance & Audit
Where we stand today on the frameworks procurement teams care about.
- GDPR-aligned data processing agreements available on request
- SOC 2 Type I audit in progress (target completion Q4 2026)
- Quarterly internal access reviews and infrastructure audits
- Penetration testing performed annually by an external firm
Backup & Recovery Targets
Recovery point and recovery time objectives by hosting tier. Tested via quarterly disaster-recovery drills — not paper guarantees.
| Hosting tier | Backup frequency | RPO (data loss window) | RTO (recovery time) |
|---|---|---|---|
| Odoo.sh | Daily incremental | 24 hours | 4–8 hours |
| Octura Cloud | Hourly incremental, daily full | 1 hour | 2–4 hours |
| On-premise | Per SOW | Per SOW | Per SOW |
Backups are encrypted, stored in a separate region, and tested quarterly with full restore drills. Restore procedures are documented per engagement and reviewed in the SOW.
Sub-processors
Vendors we use to deliver the service, what each is responsible for, and where their data sits. We notify customers 30 days before adding any new sub-processor that handles customer data.
| Vendor | Purpose | Region(s) |
|---|---|---|
| AWS | Hosting, storage, networking, encryption keys | Customer-selected: US / Canada / EU |
| Google Cloud | Hosting, storage, networking (alternative to AWS) | Customer-selected: US / Canada / EU |
| Cloudflare | DNS, WAF, DDoS protection, edge caching | Global edge, EU control plane |
| Sentry | Error monitoring (server-side stack traces) | EU (Frankfurt) |
| Odoo S.A. | Odoo.sh platform hosting (Odoo.sh-hosted deployments only) | EU (Belgium) |
Vulnerability Disclosure
Report a suspected security issue affecting Octura, our infrastructure, or any customer deployment we manage. We respond within one business day and triage within three.
Send a description of the issue, reproduction steps, and your contact info. We acknowledge inside 24 hours, triage inside three business days, and disclose any customer-impacting findings within the timelines published in our technical support policy.
security@octurasolutions.com
Need our security questionnaire?
We maintain answers to the common procurement questionnaires (CAIQ, SIG-Lite, custom forms). Email a senior consultant and we'll send the current packet within one business day.
Security FAQ
1. Are you SOC 2 certified?
SOC 2 Type I is in progress (target completion Q4 2026). We're aligned with the Trust Services Criteria today — access reviews, vulnerability scanning, encryption — but we won't claim certification until the audit closes. For procurement, we provide the in-progress evidence packet on request.
2. Are you GDPR-compliant?
Yes. We sign Data Processing Agreements with EU customers, host EU data in EU regions, and document sub-processors and their locations. Data subject requests (access, rectification, deletion) are honored inside the GDPR statutory windows.
3. What happens if a sub-processor has a breach?
We monitor sub-processor security postures continuously. In a confirmed breach scenario affecting customer data, we notify impacted customers within 72 hours, in line with GDPR Article 33 and the technical support policy.
4. Can we audit your environment?
Yes. Enterprise customers can run a documented annual security audit against our environment with 30 days' notice. The audit scope and any compensating controls are agreed in writing before fieldwork begins.
5. What data do you retain after a contract ends?
Customer data is returned in a documented Odoo backup format inside 30 days of contract end, then deleted from production within 90 days and from backups within 12 months. Retention specifics are written into every SOW.