1. Platform hosting and shared responsibility
ERPKaro is currently hosted on AWS-managed infrastructure. AWS is responsible for protecting the underlying cloud infrastructure, while ERPKaro is responsible for securing the application, configuration, access controls, deployment processes, and customer data handling within the platform.
The standard deployment model is the hosted SaaS platform with logical organization and account separation. Separate or self-managed deployments may be evaluated for customers with specific infrastructure, residency, or contractual requirements.
2. Server management and deployment controls
ERPKaro uses Laravel Forge as part of its server management and deployment workflow. Forge-managed infrastructure helps standardize deployment operations, SSL/TLS configuration, SSH key-based access, firewall configuration through UFW, and automated Ubuntu security updates.
Operational deployment details may vary by environment or customer-specific agreement. Security-sensitive access is restricted to authorized personnel and reviewed as part of operational administration.
3. Data protection and ownership
Customers retain ownership of their business data. ERPKaro processes customer data to provide the service, operate workflows, support users, maintain security, resolve issues, and meet applicable legal or contractual obligations.
Data handled by the platform may include supply-chain operational records, user and account details, uploaded documents, support communications, system logs, and integration-related metadata. Internal access is limited on a need-to-know basis for support, operations, security, or compliance purposes.
4. Access control
Customer access is controlled through user accounts, roles, and permissions. Organizations should assign users only the access required for their responsibilities and remove access promptly when users leave or change roles.
Administrative and support access is restricted to authorized ERPKaro personnel. Access to production systems and customer data is used only for legitimate operational, support, security, or legal needs.
5. Encryption
ERPKaro protects data in transit using TLS 1.2+ for supported application traffic. Stored data and backups are protected using AES-256 or equivalent encryption controls provided through the application, infrastructure, or cloud storage layers.
Customer-specific or self-managed deployments may have additional encryption, key management, or network requirements defined in the implementation scope or customer agreement.
6. Backups and disaster management
ERPKaro maintains regular backups for business continuity and recovery. The default backup retention period is 30 days. Backup frequency and retention can be modified by customer agreement, including retention up to 90 days where contractually required.
Restore procedures are periodically reviewed to support recovery readiness. ERPKaro does not publish fixed RTO or RPO targets on this page; those targets may be discussed separately for customers with specific continuity requirements.
7. Monitoring and incident response
ERPKaro monitors systems for reliability, errors, and unusual operational activity. Monitoring supports faster investigation, service continuity, and issue resolution.
When a relevant security incident is identified, ERPKaro follows a process to investigate, contain, remediate, and communicate with affected customers as appropriate. Specific notification requirements may be defined in customer agreements.
8. AI data use
AI features are customer opt-in. ERPKaro does not use customer data to train ERPKaro models. When AI features are used, relevant prompts or context may be shared with OpenAI or Anthropic to provide the requested feature, subject to provider terms, configuration, and customer agreement.
9. Certifications and security reviews
ERPKaro does not currently publish formal certification claims such as SOC 2, ISO 27001, HIPAA, PCI, or GDPR compliance on this page. Customers may request security information during procurement or vendor review.
10. Customer responsibilities
- Assign roles and permissions according to user responsibilities.
- Remove or update access when employees, vendors, or partners leave or change roles.
- Protect login credentials and report suspected unauthorized access promptly.
- Review exported reports, shared files, integrations, and downstream data handling.