Security & Compliance

Your data security is our top priority

256-bit Encryption
Military-grade encryption for all data in transit and at rest
99.99% Uptime
Guaranteed service availability with redundant infrastructure
SOC 2 Certified
Independently audited security controls and procedures
Daily Backups
Automated daily backups with 30-day retention policy

Our Security Commitment

At AskERP, security is not an afterthought—it is fundamental to our platform design and operations. We understand that your data is critical to your business, and we take extensive measures to protect it at every level. Our comprehensive security framework combines technical controls, operational procedures, and industry best practices to ensure your information remains confidential, integral, and available.

We maintain a continuous security posture with regular audits, penetration testing, and threat assessments. Our dedicated security team monitors threats 24/7, responds to incidents within minutes, and maintains compliance with international standards and regulations.

Infrastructure Security

Cloud Hosting on AWS: We host AskERP on Amazon Web Services, a world-class cloud infrastructure provider. AWS provides enterprise-grade security, global data centre redundancy, and compliance certifications across multiple frameworks. This ensures your data benefits from AWS's extensive security investments and infrastructure hardening.

Multi-Region Redundancy: Our platform is deployed across multiple AWS regions to ensure high availability and disaster recovery. If one region experiences an outage, traffic automatically routes to backup regions, ensuring continuous service. Your data is replicated across geographically dispersed data centres to prevent single points of failure.

DDoS Protection: AWS Shield Standard provides automatic protection against distributed denial-of-service (DDoS) attacks. For enhanced protection, we employ AWS Shield Advanced and WAF rules to detect and mitigate sophisticated attacks in real-time.

Firewall & Network Security: Our infrastructure is protected by multiple layers of firewalls, security groups, and network access control lists. Inbound traffic is restricted to necessary ports and protocols, while outbound traffic is monitored and logged. We employ both perimeter and internal segmentation to isolate critical systems.

Data Encryption

Encryption at Rest: All data stored in our databases, storage systems, and backups is encrypted using industry-standard AES-256 (256-bit) encryption. Encryption keys are managed through AWS Key Management Service (KMS), with strict access controls and automatic key rotation policies.

Encryption in Transit: All data transmitted between your device and our servers uses TLS 1.3 encryption, the latest and most secure version of the Transport Layer Security protocol. This applies to all communications, including API calls, web traffic, and file uploads. Weak cipher suites are disabled.

Encrypted Backups: Daily backup snapshots are encrypted and stored in secure AWS S3 buckets with versioning enabled. Backup encryption uses the same AES-256 standard as production data. Access to backups is restricted to authorised personnel only, and backup integrity is verified regularly.

End-to-End Security: Sensitive operations use certificate pinning to prevent man-in-the-middle attacks. HTTP Strict Transport Security (HSTS) headers enforce encrypted connections, and Perfect Forward Secrecy ensures that even if long-term keys are compromised, past sessions remain secure.

Access Control

Role-Based Access Control (RBAC): AskERP implements granular role-based access control, allowing administrators to define specific permissions for different user roles. Users can only access data and features relevant to their role. Access is automatically revoked when users change roles or leave the organisation.

Single Sign-On (SSO) & SAML: We support enterprise SSO integration via SAML 2.0, allowing your organisation to manage authentication centrally. This ensures stronger passwords, easier credential management, and faster offboarding of former employees.

Two-Factor Authentication (2FA): Users can enable two-factor authentication using authenticator apps (TOTP) or SMS. 2FA is recommended for all users and mandatory for administrative accounts. This adds an extra layer of protection even if passwords are compromised.

Comprehensive Audit Logs: All user actions, data access, and system changes are logged with timestamps and user identifiers. These logs are immutable and retained for compliance purposes. Administrators can review audit trails to investigate suspicious activity and maintain accountability.

Session Management: User sessions are managed securely with timeout policies, preventing unauthorised access from abandoned devices. Session tokens are invalidated upon logout, and concurrent session limits can be configured.

Compliance Standards

SOC 2 Type II: We maintain SOC 2 Type II compliance, demonstrating that our controls are designed, implemented, and operating effectively to meet industry standards. Regular independent audits verify our security, availability, processing integrity, confidentiality, and privacy controls.

ISO 27001: Our information security management system is certified to ISO 27001, the international standard for information security. This certification covers our policies, procedures, and technical controls across the entire organisation.

GDPR Compliance: AskERP is fully compliant with the General Data Protection Regulation (GDPR). We have data processing agreements in place, respect user rights, enable lawful data transfers, and maintain breach notification procedures. Our privacy controls and consent mechanisms meet GDPR requirements.

Indian IT Act Compliance: As a platform serving Indian enterprises, we comply with the Information Technology Act, 2000 and its rules. We maintain data localisation where required, implement appropriate technical and organisational measures, and follow responsible disclosure practices.

Additional Compliance: We are committed to maintaining compliance with relevant regulatory frameworks in all jurisdictions where we operate. Our compliance posture is regularly reviewed and updated to reflect evolving regulatory requirements.

Data Backup & Recovery

Automated Daily Backups: We perform automatic encrypted backups of all customer data every 24 hours. Backups are stored in multiple AWS regions for geographic redundancy. This ensures rapid recovery in case of accidental deletion, corruption, or disaster.

30-Day Retention Policy: Backup snapshots are retained for at least 30 days, allowing recovery of data deleted up to 30 days ago. Older backups are retained longer for compliance purposes where legally required.

Recovery Point Objective (RPO) < 1 Hour: Our backup frequency ensures that data loss in case of emergency is minimal, typically less than one hour of data. This RPO is suitable for most business-critical applications.

Recovery Time Objective (RTO) < 4 Hours: We can restore the entire platform from a backup within 4 hours of initiating recovery. For partial recovery (specific databases or users), restoration is typically much faster.

Regular Recovery Testing: We regularly test backup and recovery procedures to ensure effectiveness. These tests are documented and reviewed to identify and address any gaps.

Application Security

OWASP Top 10 Protection: Our development practices follow OWASP (Open Web Application Security Project) guidelines to protect against the top 10 application security risks, including injection attacks, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, cross-site scripting, insecure deserialisation, using components with known vulnerabilities, and insufficient logging.

SQL Injection Prevention: All database queries use parameterised statements and prepared statements. User input is never directly concatenated into SQL queries, eliminating SQL injection vulnerabilities.
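The difference between concatenating input into a query and binding it as a parameter is easiest to see side by side. The following is an added example written for this page, not AskERP's own code; it uses a constructed in-memory SQLite table, and the `find_user_unsafe` form is included only as the "before" case that parameterised statements replace.

```python
import sqlite3

# Constructed sample data for the demonstration (not AskERP's schema).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user")]


def make_db():
    """Build an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    """'Before' form: the value is spliced into the SQL text, so the database
    parser sees whatever the caller typed as part of the statement."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Parameterised form: the value travels separately from the SQL text and
    is only ever compared as data, never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both forms against a fresh database and return their results.

    A database error from the unsafe form (for example, an apostrophe in a
    real name such as O'Brien) is reported as the string 'error' instead of
    raising, so the two behaviours can be compared directly."""
    conn = make_db()
    try:
        try:
            unsafe = find_user_unsafe(conn, username)
        except sqlite3.Error:
            unsafe = "error"
        return {"unsafe": unsafe, "safe": find_user_safe(conn, username)}
    finally:
        conn.close()


if __name__ == "__main__":
    for name in ["alice", "O'Brien", "x' OR '1'='1"]:
        print(repr(name), compare(name))
```

The useful regression check for a code base is the third input: the parameterised query returns no rows for a username that does not exist, while the concatenated form returns every row because the quote has changed the statement's meaning. The second input shows the other cost of concatenation, ordinary data that happens to contain a quote simply breaks the query.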

Cross-Site Scripting (XSS) Protection: User-generated content is sanitised and escaped before rendering. Content Security Policy (CSP) headers restrict the execution of inline scripts. We use template engines that auto-escape content by default.

CSRF Token Protection: All state-changing operations require valid Cross-Site Request Forgery (CSRF) tokens. These tokens are unique per session and validated on every request, preventing unauthorised actions from external websites.
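The session controls described under Session Management (idle timeout, invalidation on logout, a concurrent-session limit) and the per-session CSRF tokens described here fit naturally in one component, because the token lives and dies with the session. The following is an added example, not AskERP's implementation; the timeout, session limit and token sizes are assumed values chosen for illustration, and the store is in-memory so it runs stand-alone.

```python
import hmac
import secrets
import time

# Assumed policy values for this example; AskERP's actual settings are not published here.
IDLE_TIMEOUT = 15 * 60          # seconds of inactivity before a session is dropped
MAX_SESSIONS_PER_USER = 3       # concurrent-session limit
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # read-only methods need no CSRF token


class SessionStore:
    """In-memory session store with idle timeout, logout invalidation and a
    per-session CSRF token. The clock is injectable so expiry can be tested."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # session_id -> {"user", "last_seen", "csrf"}

    def create(self, user):
        # Enforce the concurrent-session limit by evicting the least recently used
        # session belonging to the same user.
        mine = sorted((s["last_seen"], sid)
                      for sid, s in self._sessions.items() if s["user"] == user)
        while len(mine) >= MAX_SESSIONS_PER_USER:
            _, oldest = mine.pop(0)
            del self._sessions[oldest]
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": user,
            "last_seen": self._clock(),
            "csrf": secrets.token_urlsafe(32),   # unique per session
        }
        return sid

    def get(self, sid):
        """Return the session record, or None if unknown or idle too long."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._clock() - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]   # an abandoned device cannot resume it
            return None
        s["last_seen"] = self._clock()
        return s

    def logout(self, sid):
        """Invalidate the session token server-side; the cookie alone is useless afterwards."""
        self._sessions.pop(sid, None)

    def csrf_token(self, sid):
        """Token to embed in forms rendered for this session."""
        s = self.get(sid)
        return s["csrf"] if s else None

    def active_sessions(self, user):
        return sum(1 for s in self._sessions.values() if s["user"] == user)


def authorise_request(store, sid, method, submitted_token):
    """Decide whether a request may proceed. Returns (ok, reason).

    Every request needs a live session; state-changing methods must also carry
    the session's CSRF token, compared in constant time."""
    s = store.get(sid)
    if s is None:
        return False, "no valid session"
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    if not submitted_token or not hmac.compare_digest(
        submitted_token.encode(), s["csrf"].encode()
    ):
        return False, "csrf token missing or invalid"
    return True, "csrf token valid"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    token = store.csrf_token(sid)
    print(authorise_request(store, sid, "GET", None))
    print(authorise_request(store, sid, "POST", None))
    print(authorise_request(store, sid, "POST", token))
    store.logout(sid)
    print(authorise_request(store, sid, "POST", token))
```

Two design points worth noting: the token is never compared with `==` (timing differences could leak it byte by byte), and a request from an external site fails not because the browser withheld the cookie but because it cannot read the token that only pages from this origin receive.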

Regular Penetration Testing: We conduct annual third-party penetration testing to identify vulnerabilities before attackers can exploit them. Results are reviewed, and findings are remediated promptly. Continuous automated security scanning complements manual testing.

Security Headers: Our servers emit security headers including X-Frame-Options (prevents clickjacking), X-Content-Type-Options (prevents MIME sniffing), and Referrer-Policy. These headers instruct browsers to apply additional security measures.
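The HSTS header mentioned under End-to-End Security, the Content Security Policy mentioned under XSS Protection, and the three headers listed here are all set the same way: once, centrally, on every response. The following added example (not AskERP's code; the header values are assumptions chosen as reasonable defaults, not the values the platform actually sends) shows a WSGI middleware that emits them and a small audit function that checks a response for missing headers or a CSP that permits inline scripts, which is the setting that would undo the XSS protection described above.

```python
# Header values assumed for this example; they are not AskERP's published configuration.
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
    "X-Frame-Options": "DENY",                        # clickjacking
    "X-Content-Type-Options": "nosniff",              # MIME sniffing
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def add_security_headers(app):
    """WSGI middleware: append each security header unless the wrapped app
    already set it (so a route can tighten or loosen its own policy)."""
    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            extra = [(n, v) for n, v in SECURITY_HEADERS.items()
                     if n.lower() not in present]
            return start_response(status, headers + extra, exc_info)
        return app(environ, sr)
    return wrapped


def csp_directives(csp):
    """Parse 'name src src; name src' into {name: [sources]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers):
    """Return a list of findings for a response's header list (empty = clean)."""
    got = {k.lower(): v for k, v in headers}
    findings = []
    for name in SECURITY_HEADERS:
        if name.lower() not in got:
            findings.append(f"missing {name}")
    if "strict-transport-security" in got and "max-age=" not in got["strict-transport-security"]:
        findings.append("Strict-Transport-Security has no max-age")
    if "content-security-policy" in got:
        d = csp_directives(got["content-security-policy"])
        # script-src falls back to default-src when absent
        script_sources = d.get("script-src", d.get("default-src", []))
        if "'unsafe-inline'" in script_sources:
            findings.append("Content-Security-Policy permits 'unsafe-inline' scripts")
    return findings


def run_wsgi(app, path="/"):
    """Invoke a WSGI app with a constructed environ and capture what it sends."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def hello_app(environ, start_response):
    """Minimal application that sets only a content type."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>hello</h1>"]


if __name__ == "__main__":
    _, bare_headers, _ = run_wsgi(hello_app)
    print("without middleware:", audit_headers(bare_headers))
    _, headers, _ = run_wsgi(add_security_headers(hello_app))
    print("with middleware:", audit_headers(headers))
```

The audit function is the piece worth keeping in a deployment pipeline: run it against a real response from staging and fail the build on any finding, so a header that disappears during a framework upgrade is caught before it reaches production.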

Privacy & Data Processing

Privacy Policy: Our detailed Privacy Policy outlines how we collect, use, store, and protect your personal data. We recommend reviewing it to understand your rights and our obligations.

Data Processing Agreements: For customers requiring GDPR or other contractual commitments, we provide comprehensive Data Processing Agreements (DPA) that clarify the roles of controller and processor, define lawful processing bases, and specify security obligations.

Minimal Data Collection: We collect only the data necessary to provide AskERP and improve our service. Users can control what data they share, and we provide tools to export and delete personal data on request.

Third-Party Vetting: All third-party services we integrate with are vetted for security and privacy compliance. Vendors must meet our security standards and sign data processing agreements before integration.

Incident Response

24/7 Security Monitoring: Our Security Operations Centre (SOC) monitors the platform 24/7 for suspicious activity, anomalies, and potential breaches. Automated detection systems alert our team to potential threats in real-time.

Incident Response Team: A dedicated incident response team is on-call to address security incidents. We follow a documented incident response plan covering detection, containment, eradication, and recovery.

Critical Issue Response Time < 1 Hour: For critical security issues affecting data confidentiality or availability, our team initiates response within 1 hour of detection. We prioritise containing threats and minimising impact.

Breach Notification: In the event of a confirmed data breach, we notify affected customers within 72 hours as required by GDPR and other regulations. Notifications include details of the breach, data affected, measures taken, and customer actions recommended.

Post-Incident Review: After any security incident, we conduct a thorough post-incident review to identify root causes and implement corrective actions to prevent recurrence.

Contact Our Security Team

If you have questions about our security practices, wish to report a vulnerability, or need to discuss compliance requirements, please contact our security team:

Email: security@askerp.com
Response Time: We aim to acknowledge all security enquiries within 24 hours.
Responsible Disclosure: We welcome responsible security disclosures. Please do not publicly disclose vulnerabilities before giving us time to address them.