Whether you’re the head of a small fashion boutique in New York or a huge retail conglomerate in Vancouver, a data leak is probably your worst nightmare. Criminals hacking into your system and threatening to delete your data unless you pay a ransom is equally daunting. Let’s not even get started with disloyal employees who abuse your trust.
It’s crucial to have reliable business software that helps reduce security risks, and you should definitely choose a software partner that actively manages these risks. Erply has put emphasis on security from day one. We’ve hired a data security specialist to make sure nothing slips by.
We hope to show you that we’re not just a software provider targeted at retail companies but a reliable partner that will help you securely build your business.
Erply’s security policy stands on three pillars:
- Internal rules and procedures;
- Requirements for our partners;
- Requirements for the network and hardware.
I Internal Procedures
Selecting Employees: Everybody Needs to Understand Their Responsibility to the Customer
Erply doesn’t select employees solely based on professional skills but also looks at a potential candidate’s general mindset. We expect our employees to understand the gravity of the responsibility they have to customers when working at Erply.
We employ all legal means to do background research on our employees, conduct in-depth interviews and provide basic training where we cover topics like data confidentiality and secure data processing. All employees are required to get to know the basics of the company’s security policy and sign a document confirming that they will strive to adhere to the policy. Further training will be provided in the course of work. Erply also supports employee interests and initiatives (taking part in professional conferences, etc.).
Employees regularly undergo refresher courses in security during their career at Erply. The aim is to be aware of the newest security risks and best solutions concerning data protection and IT security.
New employees do not have access to confidential information. Employees will be granted gradually more access when they have worked at the company for a certain amount of time (different for different positions) and have proven their diligence and commitment.
Erply’s work culture encourages employees to make possible security threats known and collaborate as a team to solve problems.
The Security of the Product Starts from Secure Development Processes
The security of business software starts from the development process. Only the employees working on the development have access to Erply’s software code. The head of the development team assigns access rights. Each developer can access only the part of the code they’re working on. Employees can’t access the company’s network using personal devices (e.g. tablet or smartphone).
Only reliable hardware at the company’s offices is used for programming. The company’s management can access data from outside the office, just in case, but only when additional security measures are implemented (VPN connection, special access to the intranet, etc.).
The code is tested and reviewed manually. New functions and other changes in design go through the development team’s security review process. The code is also checked using special analysis software.
All data is stored in a secure cloud server. Erply’s software solution doesn’t grant the customer access to any data before successful authorization. If data needs to be loaded onto the customer’s devices in special circumstances, the data mediated by Erply is never loaded onto the customer’s device in a format that enables unauthorized use.
Erply’s security measures stay with the times and are updated automatically, which means that the customer never has to worry about downloading updates. We post announcements on security updates to Erply’s website.
Erply’s Employees’ Access to Customer Data
A number of rules and control measures regulate how Erply’s employees can access the customers’ data.
- Customer support may require access to a customer’s data in certain scenarios, e.g. to analyze customer requests. This is why the DPA (Data Protection Addendum) the customer and Erply sign stipulates the responsibility of the parties, data processing methods and the company’s guarantee to the customer.
- Only employees whose work requires it have access to the data of a customer’s customers. Even then, Erply’s employees can only access the customer’s account if the customer contacts Erply in writing.
- If the contractual relationship between Erply and a customer comes to an end, we will discuss the customer’s preferences and either transfer the customer’s customers’ data to the customer or delete it. Erply offers the option of deleting all data after a service contract with Erply is terminated. This includes data at Erply and any backup copies. Customers can also request to extract their data from Erply while the contract is valid and can do so using an API request. Since Erply manages the backup copies of the customer’s data, data can be restored if necessary.
We Encourage the Customer to Think of Security
Each customer gets an API key. Once authenticated, the key grants the customer access to their company and customers’ data. We direct the customer’s attention to the first line of defense – basic security requirements like keeping passwords secret (see also “Security Measures We Encourage Our Customers to Use”) – during the introduction phase.
II Top-Level Data Processing
Right to Data
Erply enables the customer’s authorized user to manage other users and their customers’ data. Erply believes that all data the customer enters using Erply’s services belongs to the customer and, thus, we haven’t set any limitations on data management, whether it be customer, employee or user data.
The Customer’s Data Is Stored in Their Region
Erply’s software uses the cloud servers of reliable service providers (see also “Selecting Third Parties”). Cloud technology enables introducing software updates operatively and without disturbing our customers; it also guarantees significantly greater security compared to software that is downloaded to the customer’s servers.
Erply strives to use data centers that are located in the same region as our customers. This avoids having to transfer data across continents, unless a global customer specifically requires it. As a result, Erply’s customers in the EU can rest assured that everything is GDPR compliant.
Large corporations can conclude a three-way contract with Erply and the server service provider for more control over data management in different geographical regions.
Data protection is an integral part of Erply’s security policy. Erply adheres to the EU’s General Data Protection Regulation (GDPR) that entered into force on 25 May 2018. On one hand, the regulation strives to give people more security in the era of smartphones, social media and online banking, guaranteeing that their data is not collected and used without their knowledge; on the other, companies now have a clearer legal framework for processing data.
The implementation of GDPR was a great opportunity for Erply to re-evaluate its data collection and storage policy and bring it into conformity with GDPR. Our rule is to collect as little data as possible. If we need to process personal data, we will ask for consent from each individual person.
Erply has also hired a data protection officer (DPO), who will happily answer our customers’ data protection related questions at email@example.com.
Erply’s services support the newest recommended security ciphers and protocols that encrypt all data transfer. All customer data is encrypted using the latest SSL encryption. This means that data theft is impossible during transfer between the customer and Erply. We keep a close eye on the development of encryption tools and once a new solution has proven its worth in practice, it will be adopted at Erply.
Erply monitors all connections and uses supplementary security measures to detect malicious behavior; we have implemented procedures for preventing and blocking such behavior.
Account data can only be accessed using secure protocols like HTTPS and SSH. Data is stored securely behind firewalls and is under constant surveillance. All software is regularly updated to guarantee high-level security.
Incident Management and Response
Erply will immediately inform its customers of security incidents, e.g. of unauthorized access to a customer’s data. Erply has implemented and follows incident management policies, guidelines, and procedures.
The customer’s data is stored in various data centers managed by the web hosting service provider, and the backup and restoration procedures we’ve tested in practice allow us to restore data in the event of large-scale accidents. Erply has thoroughly tested the backup copies and can confirm that the processes and tools work as expected.
We monitor data transfer server loads and optimize traffic to avoid extensive service disruptions and react as quickly as possible. System administrators are informed immediately when a failure is detected.
Last But Not Least: Availability
Erply understands that retailers work around the clock. That’s why Erply strives to make its services reliably available 24/7, 365 days of the year. Erply’s systems have excellent fault tolerance and we’re prepared for faults in individual servers and entire server centers alike. The company’s operations team checks the measures for reacting to catastrophes and works around the clock to quickly respond to unexpected circumstances.
III Firewalls and Hardware
Erply has strict rules regarding hardware. Every device with a hard drive and server support is updated according to an approved plan. Just as an aircraft’s parts are expected to be replaced before anything breaks, Erply follows the same principle.
In addition to keeping a log, Erply has implemented safe server access to all products. Firewalls have been set up according to industry best practice and all irrelevant ports are blocked.
IV Selecting Third Parties
Erply may involve and use authorized third parties to process personal data as part of providing our services; these third parties will be granted access to the customers’ data. All authorized data processors go through a rigorous selection process and are evaluated based on a number of criteria, e.g. security features and measures, SLA (Service Level Agreement) terms and conditions, reliability and availability of services, etc. Once a partner is selected, Erply will conclude a contract with them to guarantee our customers the required data protection.
Depending on how Erply grows and develops, the third party authorized to process personal data may change. We will inform our customers when a new authorized processor comes on board.
Authorized Infrastructure Processors
Erply may include the following authorized processors to host customer data or in relation to the infrastructure required for providing our services:
| Processor | Service | Location |
|---|---|---|
| Amazon Web Services | Cloud service provider | USA |
| LiquidWeb | Cloud service provider | USA |
| Hetzner | Cloud service provider | USA |
Other Authorized Processors
Erply may work with the following authorized processors in providing other services:
| Processor | Service | Location |
|---|---|---|
| | Email, hosting and analysis service provider | USA |
| Mailchimp | Email service provider | USA |
| Slack | Customer support and sales communications service provider | USA |
| Chatlio | Sales communications service provider | USA |
| JIRA | Customer support service provider | Australia |
| Teamviewer | Customer support service provider | Germany |
| GoToAssist | Customer support service provider | USA |
The Certificates of Authorized Processors
What are the data protection and cybersecurity requirements that Erply’s authorized processors must meet? Below is a list of the data and data center security related certificates that one of Erply’s authorized processors, Liquid Web, has and adheres to.
SOC 3 Report
In addition to the SOC 2 SSAE 16 report, the company also ordered the SOC 3 report to cover IT risks in critical areas, incl. security and availability.
EU-US and Swiss-US Privacy Shield Framework
Liquid Web meets the EU-US and Swiss-US Privacy Shield Framework designed by the US Department of Commerce. The framework covers the collection, use, and storage of personal data in the EU, Switzerland and the US.
HIPAA
An independent audit provider has confirmed that the dedicated and cloud-based solutions managed by the company meet the HIPAA security and privacy rules. HIPAA, the Health Insurance Portability & Accountability Act, is a set of rules intended to maintain the security and confidentiality of sensitive medical information.
PCI (Payment Card Industry) – AOC
AOC or Attestation of Compliance validates that a company has implemented controls for meeting credit card data processing requirements. PCI conformity helps protect credit card and personal data, and the customer’s identity from malicious use.
General Data Protection Regulation (GDPR)
GDPR replaces the EU’s data protection directive (known as 95/46/EC) and covers privacy issues. The regulation aims to improve data privacy and protect individuals in the EU and the transfer of personal data from the EU to the rest of the world. Liquid Web is GDPR compliant in relation to international data transfer. More particularly, Liquid Web’s activity complies with the EU-US and Swiss-US Privacy Shield Framework.
V Security Measures We Encourage Our Customers to Use
Just like Erply needs to follow security requirements, so do our customers. Managers don’t often suspect that a disloyal employee might have little regard for the company’s security or even abuse blind spots.
Statistics show that it’s always wise to put emphasis on increasing POS security. It’s easier to make the effort than to suffer the consequences of a data breach. The threat often looms closer than most think.
Unlimited Access and Mobile Devices
If you’re training a new employee at a checkout that has access to the entire system, the novice employee can accidentally leak or even erase data.
Mobile devices pose a threat because employees might leave them unsupervised while still logged in. That’s basically an open door to your system. To avoid such situations, Erply has an automatic logout function when the employee has been inactive for a set amount of time.
To accurately check cash transactions, the POS software needs to store all transactions in real time. Erply makes this possible. It’s also important to count the cash in the cash drawer at the start and end of a day to detect discrepancies between the report and the amount of money in the register.
Additional Security Checks
Employees who feel they’re being monitored excessively may feel demotivated. At Erply, security checks are nothing personal, just business – a part of the daily routine.
We’re used to security cameras at checkouts, but Erply proposes an additional security measure – every service clerk must log in to use the software. After a successful login, the user is granted access to a specific Erply service. Access is temporary and if the user becomes inactive, they will need to re-enter their login credentials.
Account administrators can access all login logs – both successful and failed attempts – as well as user actions. Each entry bears a timestamp that lets you monitor which employee entered which items into the inventory and when.
Erply also lets you know when a product begins to suddenly run out of stock. That means you should check whether sales really are through the roof or whether the item has become exceedingly popular among shoplifters.
Another simple method for securing data is role-based access. Employees are grouped and each group is granted access only to the data in the POS they need in their everyday work. A chef doesn’t need access to the transactions (not even to view them).
There are a number of ways for grouping rights:
- The company’s finances – access is only granted to those that compile reports or make management decisions on the company level;
- Customer data – access is granted to those that work in customer service or analyze shopping trends;
- Inventory – access is granted to those in charge of ordering, accepting or relocating inventory.
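The following is an added example, written for this page and not Erply’s own code, that puts the measures described above into one small Python model: the three groupings of rights (finances, customer data, inventory) plus a checkout role, the automatic logout after a set period of inactivity, and the timestamped action log an account administrator reviews. The role names, permission strings, the five-minute threshold and the user names are assumptions made for the example; the clock is passed in explicitly so the inactivity case can be shown deterministically.

```python
"""Role-based POS access with inactivity logout and a timestamped audit log.
Added example; role and permission names are assumptions, not Erply's."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Groupings of rights as listed in the policy (finances, customer data,
# inventory), plus a checkout role. Permission strings are assumed names.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "finance": {"finance.reports.read", "finance.transactions.read"},
    "customer_service": {"customers.read", "customers.write"},
    "inventory": {"inventory.read", "inventory.write"},
    "cashier": {"sales.create"},
}

# Assumed inactivity threshold after which credentials must be re-entered.
INACTIVITY_LIMIT = timedelta(minutes=5)


@dataclass
class Session:
    user: str
    roles: Set[str]
    last_activity: datetime
    active: bool = True


@dataclass
class PosAccessControl:
    """Authorization gate that also keeps the timestamped action log."""
    sessions: Dict[str, Session] = field(default_factory=dict)
    # Each entry: (timestamp, user, permission requested, outcome)
    audit_log: List[Tuple[datetime, str, str, str]] = field(default_factory=list)

    def _record(self, now: datetime, user: str, permission: str, outcome: str) -> None:
        self.audit_log.append((now, user, permission, outcome))

    def login(self, user: str, roles: Set[str], now: datetime) -> None:
        # Refuse roles that are not defined, so nobody gets an undefined grant.
        unknown = set(roles) - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles for {user}: {sorted(unknown)}")
        self.sessions[user] = Session(user, set(roles), now)
        self._record(now, user, "login", "ok")

    def authorize(self, user: str, permission: str, now: datetime) -> bool:
        """Return True only for a live session whose roles grant the permission."""
        session = self.sessions.get(user)
        if session is None or not session.active:
            self._record(now, user, permission, "denied: not logged in")
            return False
        if now - session.last_activity > INACTIVITY_LIMIT:
            session.active = False  # automatic logout; credentials must be re-entered
            self._record(now, user, permission, "denied: logged out for inactivity")
            return False
        session.last_activity = now
        allowed = any(permission in ROLE_PERMISSIONS[r] for r in session.roles)
        self._record(now, user, permission, "ok" if allowed else "denied: no role grants it")
        return allowed

    def actions_by(self, user: str) -> List[Tuple[datetime, str, str]]:
        """What an administrator would review: one user's actions with timestamps."""
        return [(ts, perm, outcome) for ts, u, perm, outcome in self.audit_log if u == user]


def run_demo() -> Dict[str, object]:
    """Walk through the scenarios from the text with a constructed fixed clock."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)  # constructed timestamp
    pos = PosAccessControl()
    pos.login("anna", {"finance"}, t0)
    pos.login("chef", {"cashier"}, t0)
    pos.login("sam", {"inventory"}, t0)
    one_min, two_min, six_min = (t0 + timedelta(minutes=m) for m in (1, 2, 6))
    return {
        "finance_sees_transactions": pos.authorize("anna", "finance.transactions.read", one_min),
        "chef_sees_transactions": pos.authorize("chef", "finance.transactions.read", one_min),
        "chef_can_sell": pos.authorize("chef", "sales.create", two_min),
        # sam leaves a logged-in tablet unattended; someone taps it six minutes later
        "idle_tablet_after_timeout": pos.authorize("sam", "inventory.write", six_min),
        "sam_still_active": pos.sessions["sam"].active,
        "chef_action_count": len(pos.actions_by("chef")),
        "log_entries": len(pos.audit_log),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Every decision, including the denials, is written to the log before the answer is returned, which is what makes the later "who entered what, and when" review possible; an expired session is marked inactive rather than deleted so the failed attempt on an unattended device remains visible to the administrator.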
The more devices the employees use – e.g. tablets, scanners, mobile devices that can access the POS – the higher the chance that you’ll encounter malware, viruses, and other problems. This is especially true for companies that allow employees to use personal devices. It’s important to regularly delete old IDs and the passwords of former employees from devices.
Erply’s advantage is that it is compatible with nearly all checkout equipment (scanners, tablets, printers, etc.). This allows Erply’s customers to comfortably adopt innovative and secure technologies and equipment.
Even the most secure technology is not enough if it’s not backed up by the correct line of thought and basic employee habits (not using social media on work devices; not charging a phone by plugging it into the USB port of a computer, etc.).
It’s important to understand that there is no such thing as absolute security. Even the best antivirus software or firewall can’t guarantee complete data security. Having backup copies of the company’s data, using antivirus software with automatic updates, securing the intranet with a firewall and encrypting data carriers is just the ticket to board the train. The next step is regular IT risk audits, pen testing and adhering to the implemented measures. This is why every company should conduct a risk assessment and manage the most crucial risks.
The risk assessment report will become a document that lists potential threats and offers measures to avoid or limit the effects and likelihood of risks. The measures will help avoid, reduce, and sometimes, eliminate risks.
To Sum Up
The aforementioned solutions and tools are already available in Erply’s standard solution to help customers limit the users’ access to data. If these measures aren’t enough, we at Erply are always happy to take our customers’ wishes and needs into account and offer additional and customizable software components.
If you do not have an Erply account yet, create it here or contact our team at firstname.lastname@example.org or by calling +1 917 210 1251.