— Odoo.City —
Backups / Disaster Recovery
- We keep 14 full backups of the Odoo.City server, retained for 1 month.
- Database backups are the responsibility of the user: go to Settings > Backup/Restore.
- You can also download manual backups of your live data at any time using the control panel.
- You can contact our Helpdesk to restore any of those backups on your live database (or on the side).
Database Security
- Customer data is stored in a dedicated database - no sharing of data between clients.
- Data access control rules implement complete isolation between customer databases running on the same cluster; no access is possible from one database to another.
Password Security
- Customer passwords are protected with industry-standard PBKDF2+SHA512 hashing (salted and stretched for thousands of rounds).
- Odoo staff does not have access to your password and cannot retrieve it for you; the only option if you lose it is to reset it.
- Login credentials are always transmitted securely over HTTPS.
- Password policies: as of Odoo 12, database administrators have a built-in setting for enforcing a minimum user password length. For older versions it is possible to achieve the same effect through customization. Other password policies, like required character classes, are not supported by default because they have been proven counter-productive (see e.g. [Shay et al. 2016]).
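The two mechanisms this section describes, salted and stretched PBKDF2-HMAC-SHA512 password hashing and a minimum-length-only policy, as an added illustration. This is not Odoo's or Odoo.City's code (Odoo itself stores hashes through the passlib library); the iteration count, the minimum length and the storage format `pbkdf2-sha512$iterations$salt$digest` are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os

# Assumed values for this example: the page only says "thousands of rounds"
# and that administrators may set a minimum length.
ITERATIONS = 200_000
MIN_PASSWORD_LENGTH = 12


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Hash with PBKDF2-HMAC-SHA512 and a fresh 16-byte random salt.

    Returns a self-describing record "pbkdf2-sha512$<iterations>$<salt>$<digest>"
    (salt and digest base64-encoded) so that verification can recover the
    parameters and the cost can be raised later without breaking old records.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return "pbkdf2-sha512${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and rounds; compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record: never authenticate on it
    if algo != "pbkdf2-sha512":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha512", candidate.encode("utf-8"), salt, int(iterations))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


def check_password_policy(password: str, min_length: int = MIN_PASSWORD_LENGTH) -> bool:
    """Only a minimum length is enforced, matching the page; no character-class rules."""
    return len(password) >= min_length


def set_password(password: str) -> str:
    """Apply the policy, then return the hash record to store (never the password)."""
    if not check_password_policy(password):
        raise ValueError("password shorter than %d characters" % MIN_PASSWORD_LENGTH)
    return hash_password(password)


if __name__ == "__main__":
    record = set_password("correct horse battery staple")
    print(record)
    print(verify_password(record, "correct horse battery staple"))  # True
    print(verify_password(record, "correct horse battery stapler"))  # False
```

Because the salt is random per user, two users with the same password get different records, and the stored record is useless for logging in: the staff-side statement above (nobody can retrieve your password, only reset it) follows directly from this design.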
Staff Access
- Odoo helpdesk staff may sign into your account to access settings related to your support issue. For this they use their own special staff credentials, not your password (which they have no way to know).
- This special staff access improves efficiency and security: they can immediately reproduce the problem you are seeing, you never need to share your password, and we can audit and control staff actions separately!
- Our Helpdesk staff strives to respect your privacy as much as possible, and only access files and settings needed to diagnose and resolve your issue.
System Security
- All Odoo Cloud servers are running hardened Linux distributions with up-to-date security patches.
- Installations are ad-hoc and minimal to limit the number of services that could contain vulnerabilities (no PHP/MySQL stack for example).
- Only a few trusted Odoo engineers have clearance to remotely manage the servers - and access is only possible using an encrypted personal SSH keypair, from a computer with full-disk encryption.
Physical Security
Odoo Cloud servers are hosted in trusted data centers in various regions of the world (e.g. OVH, Google Cloud), and they must all exceed our physical security criteria:
- Restricted perimeter, physically accessed by authorized data center employees only.
- Physical access control with security badges or biometric security.
- Security cameras monitoring the data center locations 24/7.
- Security personnel on site 24/7.
Credit Card Safety
- We never store credit card information on our own systems.
- Your credit card information is always transmitted securely directly between you and our PCI-Compliant payment acquirers (see the list on our Privacy Policy page).
Data Encryption
Customer data is always transferred and stored in encrypted form (encryption in transit and at rest).
- All data communications to client instances are protected with state-of-the-art 256-bit SSL encryption (HTTPS).
- All internal data communications between our servers are also protected with state-of-the-art encryption (SSH).
- Our servers are kept under a strict security watch, and always patched against the latest SSL vulnerabilities, enjoying Grade A SSL ratings at all times.
- All our SSL certificates use a robust 2048-bit modulus with full SHA-2 certificate chains.
- All customer data (database content and stored files) is encrypted at rest, both in production and in backups (AES-128 or AES-256).
Network Defense
- All data center providers used by Odoo Cloud have very large network capacities, and have designed their infrastructure to withstand the largest Distributed Denial of Service (DDoS) attacks. Their automatic and manual mitigation systems can detect and divert attack traffic at the edge of their multi-continental networks, before it gets the chance to disrupt service availability.
- Firewalls and intrusion prevention systems on Odoo Cloud servers help detect and block threats such as brute-force password attacks.
- As of Odoo 12.0, customer database administrators even have the option to configure the rate limiting and cooldown duration for repeated login attempts.
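What "rate limiting and cooldown duration for repeated login attempts" means in practice, as an added example that is not Odoo's own implementation: a sliding-window failure counter per (login, client IP) key that refuses further attempts for a cooldown period once the limit is hit, replayed over a few constructed log lines. The log format, the thresholds (5 failures in 60 s, 300 s cooldown) and the `(login, ip)` key are assumptions for the example.

```python
import re
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Count failed logins per key inside a sliding window; once max_attempts
    is reached, refuse that key for cooldown_seconds."""

    def __init__(self, max_attempts=5, window_seconds=60, cooldown_seconds=300,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.cooldown = cooldown_seconds
        self.clock = clock                   # injectable so tests can control time
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> clock value when the lock expires

    def is_locked(self, key):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:            # cooldown elapsed: forget the history
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, key):
        """Register a failed attempt; return True if this one triggered a lockout."""
        now = self.clock()
        recent = self._failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # drop attempts outside the window
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self._locked_until[key] = now + self.cooldown
            recent.clear()
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)


# Constructed sample log (assumed format, not Odoo's real log lines):
# "t=<seconds> <FAIL|OK> login=<user> ip=<address>"
SAMPLE_LOG = """\
t=0 FAIL login=alice ip=203.0.113.7
t=5 FAIL login=alice ip=203.0.113.7
t=9 FAIL login=alice ip=203.0.113.7
t=12 FAIL login=alice ip=203.0.113.7
t=15 FAIL login=alice ip=203.0.113.7
t=16 FAIL login=alice ip=203.0.113.7
t=400 OK login=alice ip=198.51.100.2
"""
LINE_RE = re.compile(r"t=(\d+) (FAIL|OK) login=(\S+) ip=(\S+)")


def replay(log_text, max_attempts=5, window_seconds=60, cooldown_seconds=300):
    """Feed log lines through a throttle, using each line's timestamp as the clock.

    Returns a list of (t, key, event) where event is "lockout" (this failure hit
    the limit) or "refused" (attempt arrived while the key was cooling down).
    """
    current = {"t": 0}
    throttle = LoginThrottle(max_attempts, window_seconds, cooldown_seconds,
                             clock=lambda: current["t"])
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t, result, login, ip = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        current["t"] = t
        key = (login, ip)
        if throttle.is_locked(key):
            events.append((t, key, "refused"))
            continue
        if result == "FAIL":
            if throttle.record_failure(key):
                events.append((t, key, "lockout"))
        else:
            throttle.record_success(key)
    return events


if __name__ == "__main__":
    for event in replay(SAMPLE_LOG):
        print(event)
```

Keying on both login and source address means a legitimate user on another network (the `t=400` line) is not punished by an attacker hammering their login from elsewhere, while the attacking address still gets cooled down; the firewalls and intrusion prevention systems mentioned above work at the network layer and this application-level throttle complements them.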
— Odoo (the software) —
Software Security
Odoo is open source, so the whole codebase is continuously under examination by Odoo users and contributors worldwide. Community bug reports are therefore one important source of feedback regarding security. We encourage developers to audit the code and report security issues.
The Odoo R&D processes have code review steps that include security aspects, for new and contributed pieces of code.
Secure by design
Odoo is designed in a way that prevents introducing most common security vulnerabilities:
- SQL injections are prevented by the use of a higher-level API that does not require manual SQL queries.
- XSS attacks are prevented by the use of a high-level templating system that automatically escapes injected data.
- The framework prevents RPC access to private methods, making it harder to introduce exploitable vulnerabilities.
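The three design points above, shown side by side as an added example (not Odoo's own code): the string-built query that the higher-level API makes unnecessary next to a parameterised one, a template renderer that escapes injected values next to one that does not, and an RPC dispatcher that refuses private methods. The model, table and method names are assumptions; the private-method rule follows Odoo's convention of treating underscore-prefixed methods as not callable over RPC, which is assumed here rather than taken from the page.

```python
import html
import sqlite3


# --- 1. SQL injection: concatenation versus bound parameters ---------------
def make_db():
    """Constructed in-memory table standing in for a partner table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE res_partner (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO res_partner (name, email) VALUES (?, ?)",
                     [("Alice", "alice@example.com"), ("Bob", "bob@example.com")])
    return conn


def search_partners_unsafe(conn, name):
    # Vulnerable pattern: the value becomes part of the SQL text.
    return conn.execute("SELECT name FROM res_partner WHERE name = '%s'" % name).fetchall()


def search_partners_safe(conn, name):
    # The driver binds the value; it can never be parsed as SQL.
    return conn.execute("SELECT name FROM res_partner WHERE name = ?", (name,)).fetchall()


# --- 2. XSS: raw substitution versus automatic escaping ---------------------
def render_unsafe(template, **values):
    return template.format(**values)


def render_safe(template, **values):
    # Every injected value is HTML-escaped before substitution, so it is
    # rendered as text, never interpreted as markup or script.
    return template.format(**{k: html.escape(str(v), quote=True) for k, v in values.items()})


# --- 3. RPC exposure: only public methods are callable remotely -------------
class RpcAccessError(Exception):
    pass


class PartnerModel:
    """Assumed model: a public method and a private (underscore-prefixed) helper."""

    def name_get(self):
        return ["Alice"]

    def _compute_secret(self):
        return "internal data that must never be reachable over RPC"


def rpc_call(model, method_name, *args):
    """Dispatch a remote call, refusing underscore-prefixed (private) methods."""
    if method_name.startswith("_"):
        raise RpcAccessError("private method %r is not accessible over RPC" % method_name)
    fn = getattr(model, method_name, None)
    if not callable(fn):
        raise AttributeError("no such method %r" % method_name)
    return fn(*args)


if __name__ == "__main__":
    db = make_db()
    print(search_partners_safe(db, "Alice"))
    print(render_safe("<p>{name}</p>", name="<script>alert(1)</script>"))
    print(rpc_call(PartnerModel(), "name_get"))
```

The safe variants are what a framework-level API and an auto-escaping template engine give developers by default: the developer writes the ordinary case, and the dangerous case is never expressible through the normal API.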
Independent Security Audits
Odoo is regularly audited by independent companies that are hired by our customers and prospects to perform audits and penetration tests. The Odoo Security Team receives the results and takes appropriate corrective measures whenever it is necessary.
We can't however disclose any of those results, because they are confidential and belong to the commissioners. Please don't ask ;-)
Odoo also has a very active community of independent security researchers, who continuously monitor the source code and work with us to improve and harden the security of Odoo.