Security & compliance

Built for the way Oracle teams handle regulated data.

Your data residency. Your secrets in your vault. Approval workflows your auditors recognise. An audit log that won't be overwritten. ERPHive is designed for the enterprise security posture from day one.

Six security pillars

01

Your data, your region

Choose where your data lives at onboarding — EU, UK, US, UAE, APAC. Single-tenant deployments isolate each customer's data plane. Enterprise customers can deploy on-premise or to a sovereign-cloud region with no outbound dependency.

02

Credentials never co-mingled

Connections in flow code are logical names; the actual URL and credentials are bound per environment and resolved at runtime. Secrets live in your secret manager of choice — HashiCorp Vault, AWS Secrets Manager, Oracle Vault, or our managed equivalent — never in our application database, never in flow code, never in logs.

03

Append-only audit trail

Every flow change, deployment, approval, and execution is recorded to an immutable audit log. Append-only at the database layer. Step-level payload capture for debugging is opt-in per flow with field-level redaction rules.

04

Approval workflows

Per-environment approval policies: auto, single-approver, two-approver, Slack-approval, signed-PR-merge. SOX-style separation-of-duties is enforced at the platform layer, not bolted on as process. Designated approvers see the full diff before signing off.

05

Encryption everywhere

TLS 1.2+ in transit. AES-256 at rest. Per-tenant key isolation on Enterprise plans. Customer-managed encryption keys (BYOK) on request.

06

AI assistant boundaries

Customer data is never used to train models. The AI assistant runs on your isolated workspace; payloads passed to it for debugging are governed by the same redaction rules as audit-log capture. On Enterprise, the AI tier can be disabled entirely.

Compliance status

We publish our compliance posture honestly. Some of these are in flight; we'd rather tell you that than let you find out at procurement.

| Standard | Status | Notes |
|---|---|---|
| SOC 2 Type II | In progress | Targeting Q3 2026 |
| ISO 27001 | In progress | Targeting Q4 2026 |
| GDPR / DPA | Available | Standard DPA on request |
| Sub-processors | Disclosed | Updated quarterly |
| Penetration test | Annual | Last test Q1 2026 |

Need our security pack?

Architecture diagrams, network topology, sub-processor list, DPA template, penetration-test summary, and SIG / CAIQ responses are available under NDA.