Security & Compliance
Last updated: April 2026
ERPOps is built for federal agencies, state governments, and enterprise ERP teams. This page summarizes our security program. Full documentation, including DPA, BAA, and security questionnaire responses, is available to qualified prospects under NDA — contact sales@erpops.ai.
Compliance & certifications
- SOC 2 Type II — designed and operated against SOC 2 controls; audit in progress
- GDPR — Standard Contractual Clauses and Data Processing Addendum available
- HIPAA — Business Associate Agreement available for Enterprise customers
- FISMA / FedRAMP — roadmap documentation available to federal agencies under NDA
Encryption
- All data in transit: TLS 1.2 minimum, TLS 1.3 preferred
- All data at rest: AES-256 via Supabase managed storage
- Connector credentials: stored in Supabase Vault, decrypted only inside Edge Functions during execution, never logged
Tenant isolation (Row Level Security)
Every database table enforces Row Level Security (RLS) policies. A tenant's data is invisible to other tenants at the database layer — not just the application layer. Super Admin access to cross-tenant data is logged in the immutable audit trail.
Authentication & access control
- MFA enforced on all ERPOps internal administrative access
- SSO / SAML 2.0 available for Enterprise tenant users
- Role-based access: Super Admin, Admin, Technical Lead, Functional Lead, Analyst, End User
- Least-privilege: internal access reviewed quarterly
Audit logging
Every action, configuration change, and resolution is recorded in an immutable audit trail with user attribution and timestamp. Audit logs cover a 90-day rolling window (unlimited for Enterprise) and are exportable by Enterprise customers.
Sub-processors
- Supabase — database, auth, Edge Functions, Vault (US East)
- Anthropic — AI diagnostic engine (Claude API, zero data retention on API calls)
- Stripe — payment processing
- ZeptoMail — transactional email
- Twilio — SMS alerting
Full sub-processor list with DPA coverage available on request.
Vulnerability disclosure
We welcome responsible disclosure from the security research community. Email security@erpops.ai. Good-faith research is covered by our no-litigation safe harbor. PGP key available on request.
This page is provided as a plain-language summary of our practices. Enterprise customers may request our full Data Processing Addendum (DPA), Master Services Agreement (MSA), and security questionnaire responses by contacting sales@erpops.ai.