ERPLY Security Practices
We at ERPLY take the security of your retail data very seriously. As transparency is one of the principles on which our company is built, we aim to be as clear and open as we can about the way we handle security.
Confidentiality
We place strict controls over our employees' access to the data you and your users make available via the ERPLY services, as more specifically defined in your agreement with ERPLY covering the use of the ERPLY services (“Data protection”), and are committed to ensuring that Customer Data is not seen by anyone who should not have access to it. The operation of the ERPLY services requires that some employees have access to the systems which store and process Customer Data. For example, in order to diagnose a problem you are having with the ERPLY services, we may need to access your Customer Data. These employees are prohibited from using these permissions to view Customer Data unless it is necessary to do so, and then only with your permission. We have technical controls and policies in place to ensure that any access to Customer Data is always logged. All of our employees and contract personnel are bound by our policies regarding Customer Data, and we treat these issues as matters of the highest importance within our company.
Personnel Practices
ERPLY employees receive privacy and security training during onboarding as well as on an ongoing basis. All employees are required to read and sign our comprehensive security policy covering the security, availability, and confidentiality of the ERPLY services.
Compliance
Customer data for all accounts is accessed via secure protocols such as HTTPS and SSH. Additionally, all passwords are encrypted on our servers and databases. We run a dedicated environment behind firewalls with constant monitoring. All software is updated regularly to ensure the latest security patches are applied.
For more information, check out our infrastructure sub-processors.
Security Features for Team Members & Administrators
In addition to the work we do at the infrastructure level, we provide retailers using the ERPLY services with additional tools, already available in the standard plan, that let them protect and restrict their own users' access to their Customer Data. If that is not enough for you, ERPLY can provide additional and customized software components upon the Customer's request to suit their retail needs.
Logging
Detailed access logs are available to both users and administrators of an ERPLY retailer and are provided in the standard solution. We log every user's access time, the IP address of the connection and the domain, to give the best possible overview of the access performed by the retailer's users while using the ERPLY services.
The administrators of the ERPLY retailer's stores can review access logs for the whole retail chain. All access attempts are also logged as successful or unsuccessful, to give better insight into login activity. In addition, operations undertaken by users in the ERPLY services are also logged.
Sign In
All login operations to the ERPLY services are only possible via our implemented and security-tested methods. User access to the ERPLY services can be managed and configured only by the administrators of the ERPLY retail chain. This means that even if the retailer has leaked login credentials, they cannot be used beyond the privileges granted to the compromised user, or to log into other services without the rights to do so. Upon successful login the user is provided with an authorization token which allows access to the specific ERPLY service. The token is valid only temporarily, and after a certain period of inactivity the user must log in again to acquire a new, valid authorization token.
Data Retention
ERPLY has made tools available to the ERPLY retailer which allow the privileged user to manage other users and the data of the retailer's customers. ERPLY believes that every piece of data you enter into the ERPLY services belongs to you, and hence no restrictions are set on data management, whether it is customer, employee or user data.
Deletion and return of Customer Data
ERPLY provides the retailer with the option to have all their data destroyed after they have ended their subscription with ERPLY. This includes data in the ERPLY services and all the backups created by us. The Customer is provided with several tools to export their data out of ERPLY during the active subscription, and access to data is also provided over the ERPLY Inventory API. ERPLY also manages backups on behalf of the customer, and in case of a data incident caused by either party, the data can always be restored.
Data Encryption In Transit and At Rest
The ERPLY services support the latest recommended secure cipher suites and protocols to encrypt all traffic in transit. All Customer Data is encrypted at rest, and we encrypt the data between all our services with the latest SSL encryption, making it impossible to steal any information while the data is in transit between the Customer and ERPLY. We monitor the changing cryptographic landscape closely and work promptly to upgrade the services in response to new security weaknesses as they are discovered, and to implement best practices as they evolve.
All connections are monitored by ERPLY personnel in the background. ERPLY also has extra security measures in place to detect possible malicious activity over the network, and specific guidelines have been worked out to tackle such issues before they emerge.
Availability
We understand that being a retailer is a 24/7 job and that you as a retailer rely on the ERPLY services to work. We’re committed to making ERPLY a highly available service that you can count on. Our infrastructure runs on systems that are fault tolerant against failures of individual servers or even entire data centers. Our operations team tests disaster-recovery measures regularly and staffs an around-the-clock on-call team to quickly resolve unexpected incidents.
Disaster Recovery
Customer Data is stored redundantly at multiple locations in our hosting provider’s data centers to ensure availability. We have well-tested backup and restoration procedures, which allow recovery from a major disaster. To prevent a major disaster from happening and to provide the best response time for the ERPLY services, all traffic is directed through load balancing and is optimized accordingly, avoiding possible response delays and server crashes. The Operations team is alerted in case of a failure in our services. Backups are fully tested to confirm that our processes and tools work as expected.
Network Protection
In addition to monitoring and logging, we have implemented secure server access across our products. Firewalls are configured according to industry best practices and unnecessary ports are blocked by configuration with AWS Security Groups.
Host Management
We perform vulnerability scans on our hosts and remediate any findings that present a risk to the security of our services. We enforce production-specific security measures such as screen lockouts, training our personnel on security and its measures, use of secure hardware for production, making high-risk tasks and systems available only over a VPN connection or only on our premises, secure workplace access methods and many more.
Incident Management & Response
In the event of a security breach, ERPLY will promptly notify you of any unauthorized access to your Customer Data. ERPLY has incident management policies, guidelines and procedures in place to handle such events.
Product Security Practices
New features, functionality, and design changes go through a security review process by our development team. In addition, our code is audited with automated static analysis software, tested, and manually peer-reviewed prior to being deployed to production. The products we provide are designed to be secure, hence no data is provided by our services before authorization has been successfully completed. Depending on the selected solution, the data fetched from our services will never remain on the user's device in a form in which it could be used without the required authorization. ERPLY carries out additional security checks from time to time to detect any security leaks that may have been missed in our products.
All our third-party processors are selected via a thorough decision-making process in which we evaluate the suitability of the external service provider on multiple criteria, such as security features and measures, SLA conditions, service performance and availability and many more, to assess whether the third party is capable of meeting the recommended industry standards. In addition, we only host servers with Customer data in the same region as the Customer.
Updates
As our business grows and evolves, the functionality and security measures we provide may also change. Please check back frequently for updates.