Security

Built on trust. Earned every day.

Your business data deserves serious protection — and you deserve to know exactly how it works. Here is a straight description of what we do, and what you do, to keep ProdSys secure.

🇪🇺
EU-hosted
Data stays in European data centers — always.
🔒
Encrypted
TLS 1.2+ in transit. AES-256 at rest. Always.
🛡
Hardened
Multi-layered defense at every level.
Recoverable
Daily backups. Tested disaster recovery.

Infrastructure security

The foundation: where ProdSys runs and how that environment is protected.

EU-only data centers
All production infrastructure is located in European Union data centers. Customer data never leaves the EU. Primary and disaster recovery sites are geographically separated within the EU for resilience.
Certified providers
We rely on established European cloud providers whose infrastructure meets industry security standards. Physical security, biometric access controls, and full audit trails are handled by the provider.
Network isolation
Customer environments are logically isolated. Internal services run in private network segments with no direct internet access. All external traffic flows through hardened load balancers and web application firewalls.
DDoS protection
Multi-layered DDoS mitigation at network, transport, and application levels — included by default for every customer.

Application security

How the ProdSys platform itself is designed and built to resist attack.

🔐
Authentication
Strong password requirements, optional MFA for all users. SAML 2.0 single sign-on available on request.
👥
Authorization
Granular role-based access control. Permissions can be scoped to modules, document types, warehouses, departments, or specific records.
📋
Audit logging
Every meaningful action is logged with user, timestamp, and IP address. Logs are tamper-resistant and retained for the contract period.
🔍
Secure development
Code review on every change, automated security scanning in CI/CD, dependency vulnerability checks, regular penetration testing.
🛠
API security
OAuth 2.0 authentication, scoped tokens, rate limiting, request signing. API keys are hashed at rest and revocable instantly.
Patching
Security patches deployed within defined SLAs based on severity. Critical CVEs handled within 24 hours of disclosure.

ProdSys is continuously updated. Customers do not need to manage patches, upgrades, or vulnerability fixes — we handle all of it without service interruption.

Data security

How your data is protected at every stage — storage, transmission, and lifecycle.

Encryption in transit
TLS 1.2 or higher for all connections — between users and ProdSys, between ProdSys services, and to all integrations. Certificate pinning where appropriate. HSTS enforced.
Encryption at rest
AES-256 encryption for all customer data in databases and object storage. Encryption keys are managed via dedicated key management services within the EU, with regular rotation.
Backups
Automated daily backups, encrypted with separate keys, stored in geographically separate EU locations. Backup integrity tested regularly. Recovery procedures rehearsed quarterly.
Data portability
You can export your data at any time in standard formats (CSV, JSON, Excel). At end of contract, full data export is provided before deletion.
Secure deletion
When data is deleted, it is removed from active systems immediately and cryptographically erased from backups within 90 days.

Operational security

How the ProdSys team operates to keep your data safe.

Least-privilege access
Employee access to customer data is strictly limited and granted only when required for support, troubleshooting, or contractual obligations. All access is logged and reviewed.
Background checks & training
All employees with access to production systems undergo background checks and sign confidentiality agreements. Security awareness training is mandatory and refreshed annually.
Device security
All employee devices are managed, encrypted, password-protected, and remotely wipeable. Production access is restricted to managed devices only.
Continuous monitoring
Automated security monitoring of infrastructure and applications. Anomaly detection, intrusion detection, and alerting with on-call coverage for critical incidents.

Incident response

What happens when something goes wrong.

1. Detect
Monitoring systems and security tooling identify potential incidents. Customer-reported issues are triaged immediately.
2. Contain
The team isolates affected systems to prevent further impact. Affected customers are identified.
3. Notify
For incidents involving personal data, we notify affected customers within 72 hours per GDPR Article 33 — with details of what happened, what data is affected, and what we are doing about it.
4. Remediate
We restore service, fix the root cause, and verify that all affected systems are clean.
5. Learn
After resolution, we review what happened and update controls, tooling, or procedures where needed. Material learnings affecting customers are communicated openly.

Report a security concern: post@prodsys.com

Availability & business continuity

Your ERP needs to work. Here is how we keep it running.

Uptime target: 99.9%
Service level objective for the ProdSys platform.
Monitoring: Automated
Continuous automated monitoring with on-call coverage for critical alerts.
Recovery target: < 4h
Recovery time objective for major incidents.

Real-time service status is available at status.prodsys.com. Scheduled maintenance is communicated in advance and performed during off-peak hours.

Compliance & certifications

Standards we meet and certifications we hold.

GDPR (COMPLIANT)
Full compliance with EU data protection regulation. Read our GDPR page.
ISO 27001 alignment (ALIGNED)
Our practices are aligned with ISO 27001 controls, even where we are not formally certified.
Cloud provider certs (INHERITED)
Our underlying infrastructure providers maintain industry certifications (SOC 2, ISO 27001).

Cloud infrastructure providers we rely on maintain SOC 2 Type II and ISO 27001 certifications. Provider certificates can be shared on request.

Shared responsibility

Security is a partnership. Here is how the responsibility is split.

PRODSYS HANDLES
  • Infrastructure security & patching
  • Application security & code quality
  • Encryption in transit & at rest
  • Backups & disaster recovery
  • Monitoring & incident response
  • Physical security of data centers
YOU HANDLE
  • Strong passwords & MFA enrollment
  • User access & role management
  • Deactivating users who leave
  • Securing your own devices
  • Protecting API keys you generate
  • Reporting suspicious activity

Responsible disclosure

If you believe you have found a security vulnerability in ProdSys, we want to hear from you. We commit to:

  • Acknowledging your report within 2 business days
  • Providing an initial assessment within 5 business days
  • Keeping you informed throughout the resolution process
  • Crediting you publicly (with your permission) when fixed

Send disclosures to post@prodsys.com. For sensitive reports, use our PGP key (available on request).

Get in touch

Questions about our security posture? Need a security questionnaire filled out? Want a copy of our compliance documentation?

Security inquiries
post@prodsys.com
Vulnerability reports
post@prodsys.com

Architecture

Database per customer

Most cloud ERPs run all customers on a shared database with logical separation. ProdSys takes a different approach: each customer gets a dedicated SQL database.

🗄
Physical data isolation
Your data is in a separate database from every other ProdSys customer — not just separated by a tenant ID in a shared table. No risk of cross-tenant data exposure from a query bug or misconfiguration.
⚖️
Predictable performance
No "noisy neighbour" effect. Another customer running a heavy report doesn't slow yours down. Performance is bounded by your own usage, not someone else's.
📦
Individual backups & recovery
Backups are per customer. Point-in-time recovery for your data doesn't depend on rolling back a shared database. If you ever need a snapshot or full export, it's yours alone.
📋
Simpler GDPR & compliance
Data residency, right-to-export, and right-to-erasure become simpler operational tasks rather than complex queries across a shared store. Each customer's data has clear physical boundaries.
📤
Take your data with you
Your data is yours. If you ever choose to leave ProdSys, we'll provide a full CSV export of your database. Other formats are available on request. No lock-in, no obstacles, no extra fees for getting your data back.

An honest trade-off. Database-per-customer architecture is more expensive to run than the multi-tenant model most SaaS platforms use. We pay that cost because it lets us offer real data isolation, predictable performance, and the same API surface for customer integrations as the product itself uses. For ERP data — finance, payroll, customer records, production know-how — we think it's the right trade.

Want to see our security in detail?

We are happy to walk through our security posture, fill out questionnaires, and share documentation with prospective customers.
