Security
Last updated: April 2026
ERPOps AI Copilot is built for ERP teams at federal agencies, state governments, and enterprise organizations. Security is foundational, not an afterthought. This page summarizes our program; full details are available to customers and qualified prospects under NDA.
1. Our security program
We follow a defense-in-depth model and a secure software development lifecycle (SSDLC) covering threat modeling, code review, dependency scanning, and pre-release security testing. Security ownership is assigned at the leadership level.
2. Data encryption
All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256. Keys are managed in our cloud provider’s managed KMS and rotated regularly.
3. Access controls
Internal access follows least-privilege principles and is reviewed quarterly. MFA is enforced on all administrative access. SSO and SAML are available to Enterprise customers for end-user authentication.
4. Infrastructure
The Services run on hardened, cloud-native infrastructure with logical tenant isolation. Regional hosting options are available to Enterprise customers with data-residency requirements.
5. Audit & logging
Every privileged action and customer-impacting change is recorded in an immutable audit trail. Audit logs are exportable for Enterprise customers and integrate with common SIEM platforms.
6. Vulnerability management
We scan dependencies continuously, patch on a defined cadence based on severity, and engage qualified third parties for periodic penetration tests. We operate a responsible disclosure program; see Section 10.
7. Compliance roadmap
- Designed and operated against SOC 2 Type II controls; audit in progress.
- GDPR-ready, with SCCs and a DPA available for execution.
- FedRAMP roadmap and authorization plans available on request for federal customers.
8. Business continuity
Backups are automated and tested. Recovery Point Objective (RPO) and Recovery Time Objective (RTO) targets are documented and shared with customers under NDA.
9. Incident response
We maintain a documented incident response plan with defined roles, communication channels, and customer notification commitments per our Terms and applicable contracts.
10. Reporting a vulnerability
We welcome reports from the security research community. Please email security@erpops.ai. A PGP key is available on request. Good-faith research conducted under our disclosure guidelines is covered by a no-litigation safe harbor.
This page is provided as a plain-language summary of our practices. Enterprise customers may request our full Data Processing Addendum (DPA), Master Services Agreement (MSA), and security questionnaire responses by contacting sales@erpops.ai.