👇 See the reference documents for more info: Privacy Policy, Security Page, Cloud SLA, GDPR Guide, OE Contract (the links were in the title row of the original sheet).

Each entry below gives the question ID, the scope it applies to (generic, Odoo Clouds SaaS+SH, or Odoo.SH only), the question, the answer, and the reference documents that cover the topic.

Q1 (Odoo Clouds (SaaS+SH))
Question: What is the applicable / governing law?
Answer: Belgian law.
References: none

Q2 (Generic)
Question: Is there a Security Team / Incident Response Team?
Answer: Yes, the Odoo Security Team acts as both a PSIRT (Product Security Incident Response Team) and a CSIRT (Computer Security Incident Response Team).
References: Privacy Policy, Security Page

Q2.1 (Generic)
Question: Who is accountable / responsible for security, and what is their level in the organization?
Answer: The CTO is accountable for information security at Odoo, in close collaboration with the Security Team (acting as CSIRT and PSIRT) and the Platform Team (in charge of internal and external IT infrastructure, as well as technical and organizational security measures).
References: none

Q3 (Generic)
Question: Is there a security incident / data breach incident management process in place?
Answer: Yes, incidents are reported to security@odoo.com and the team follows a specific incident response process.
This process is not disclosed in detail publicly.

The process for handling computer incidents / data breaches (CSIRT) is roughly as follows:
- reports are received via security@odoo.com, in encrypted form when very sensitive
- for data breaches, staff have to complete a detailed data breach reporting form
- incident analysis is conducted by the Security Team
- for data breaches, a specific 9-step, 72-hour data breach handling procedure begins (including classification, planning, investigation, mitigation, and notification of data subjects and data protection authorities if required)
- the incident is recorded in the incident management system (for data breaches, also in the GDPR Data Breach Register)
- the incident is handled by the incident response team, with communication to the reporter and stakeholders
- the necessary remediation actions are planned and then carried out, including updates to organizational and technical security measures if required
References: Security Page, OE Contract

Q4 (Generic)
Question: Is there an Identity and Access Management process in place?
Answer: Yes: role-based access control following the principle of least privilege, with provisioning/deprovisioning of personal credentials. Employees use their own credentials for all access, and those are revoked as soon as the employee's contract is terminated. No shared credentials are used for access to customer data.
References: Security Page

Q5 (Generic)
Question: Are all access rights reviewed at regular intervals to ensure users have only been provided with access to the services that they have been specifically authorized to use?
Answer: Yes, the Odoo IT admins and the Security Team periodically review (typically every quarter) employee accesses and the employee ACL matrix, to make sure that every employee has the access they need and that the global access control matrix is still accurate.
References: none

Q6 (Generic)
Question: Is there a policy to prohibit users from sharing passwords?
Answer: Yes, this is explicitly forbidden by the internal security policy.
References: none

Q7 (Generic)
Question: Do customer assets, or assets that contain customer data, have a designated or accountable owner within the company?
Answer: No, the customer remains the sole owner of their data. Odoo is only a Data Processor, and Odoo staff will only process the data according to the direct instructions of the customer.
If the customer requests the services of an Odoo Consultant, that consultant could be considered the designated "single point of contact" for the customer's data processing operations.
References: OE Contract

Q8 (Generic)
Question: Is there a risk management / governance process in place?
Answer: No formal team (as of Q3 2019), but the risk management related to our data processing activities is under the responsibility of the Security Team.
References: none

Q9 (Generic)
Question: Do you allow audits of your facilities, processes and staff?
Answer: Yes, as long as the request is reasonable, as required by the GDPR, and under NDA. This is mentioned in the DPA that is part of our OE contract.
References: none

Q10 (Odoo Clouds (SaaS+SH))
Question: Is customer data segmented and separated from that of other clients?
Answer: Yes, Odoo implements customer data segmentation as a core feature of the product and platform. Each customer's operations are handled in a separate process that does not share operational data with the processes of other customers.
Data is stored at rest in a different database for each customer, and each customer is granted exclusive access to their own database.
References: none

Q11 (Odoo Clouds (SaaS+SH))
Question: Please give the list of sub-contractors, their roles and locations, as well as their guarantees of security/compliance.
Answer: See the "Third-party service providers" section in our Privacy Policy.
References: Privacy Policy

Q12 (Generic)
Question: Do you have a Data Protection Officer (DPO)?
Answer: We have a person responsible for data protection and a data protection team.
However, we do not have a registered Data Protection Officer (as of 2023).
(Based on our company profile, our core processing activities, and the number and type of customers, our legal advisors concluded that we are not required to have one, per GDPR Article 37.)
References: none

Q13 (Generic)
Question: What is your GDPR role (Data Processor / Data Controller)?
Answer:
- For the contents of the database on Odoo.com (CRM, Customers, Suppliers, Employees, etc.), Odoo is Data Controller.
- For the contents of customer databases on Odoo Clouds and via the Upgrade platform, Odoo is Data Processor.
References: GDPR Guide, OE Contract

Q14 (Odoo Clouds (SaaS+SH))
Question: Please sign this Data Processing Agreement in order to comply with GDPR.
Answer: Sorry, this is not going to happen. We supply a Data Processing Agreement to our Odoo Enterprise customers in the Data Protection section of our Odoo Enterprise Agreement. This DPA has been approved by our lawyers (and by the legal departments of many customers) and is sufficient for GDPR compliance.
References: GDPR Guide, OE Contract

Q15 (Generic)
Question: Do you have a process to handle Data Subject Requests?
Answer: Yes, please see our Privacy Policy, or contact privacy@odoo.com.
References: Privacy Policy

Q16 (Odoo Clouds (SaaS+SH))
Question: Can you enforce that non-production / staging / test environments contain no production data?
Answer: On Odoo SaaS: no, duplicate databases contain the same data as production. Customers can create free trials to test features.
On Odoo.SH: staging databases contain the same data as production, but test databases are available with demo data.
Everyone can test Odoo features on the Odoo Runbot at https://runbot.odoo.com
References: none

Q17 (Odoo Clouds (SaaS+SH))
Question: Do your sysadmins / IT admins have full access to customer data?
Answer: Yes, system admins have full access to customer data, as required to run the platform, but they have to pass a strict selection process and have to commit to the highest standards of ethics and security practice. Only a handful of people hold these credentials.
References: none

Q18 (Odoo Clouds (SaaS+SH))
Question: Can your staff access customer data?
Answer: Yes, system admins, helpdesk staff and consultants may access customer data using a special access path that requires their personal credentials and is fully logged. They only do so in order to answer a request from a customer or to guarantee the security of the platforms.
References: none

Q19 (Generic)
Question: What is the maximum delay for retaining personal data after termination of the contract?
Answer: For personal data where Odoo SA is a controller (data in the Odoo.com database), under Belgian law we have to keep accounting records for 7 years.
For other personal data we will delete the operational data immediately upon request. Then, as explained in the Privacy Policy, our maximum delay for data destruction in read-only secure backups is 1 year: https://www.odoo.com/privacy

For personal data where Odoo SA is only a processor (e.g. customer databases on SaaS / Odoo.SH), we do not choose the delay. Customer data is kept in our immutable backups for up to 1 year.
References: Privacy Policy

Q20 (Generic)
Question: Do you perform periodic inventories of hardware?
Answer: Yes, our IT department maintains an inventory of all hardware owned by the company.
References: none

Q21 (Generic)
Question: Do you monitor against unauthorized connection points? Do you secure your office networks? Do you use a VPN?
Answer: We apply a zero trust security model for our networks, as described in the "Google BeyondCorp" approach.
All staff access is secured end to end using strong authentication and state-of-the-art encryption, which enables our staff to work from anywhere without a VPN, including from untrusted networks. We consider the local networks in our premises to be just as insecure as any random internet access point.
References: Security Page

Q22 (Generic)
Question: Do computers that may contain customer data (including email messages) use full disk encryption where allowed by local law?
Answer: Yes, all computers use full-disk encryption or equivalent storage techniques, ensuring that unencrypted data is never physically stored on non-volatile media that could be lost or stolen.
References: none

Q23 (Odoo Clouds (SaaS+SH))
Question: Are Odoo servers certified for HDS (in France: Hébergement des Données de Santé)?
Answer: Our data center hosts in France (OVH and Google) are certified for HDS, as can be seen here: https://esante.gouv.fr/labels-certifications/hds/liste-des-herbergeurs-certifies
However, Odoo SA would be engaged in the process as a third party in charge of the administration of the system, and Odoo SA is NOT certified for HDS.
So we can only recommend that customers who need HDS certification use a self-hosting solution or look for an Odoo Partner that has the HDS certification.
References: none

Q24 (Odoo Clouds (SaaS+SH))
Question: Any proof of the security and certifications of OVH and Google Cloud?
Answer: See this page for Google: https://support.google.com/googlecloud/answer/6056694
For OVH we cannot share more info, as it requires NDA signatures. Customers can directly contact OVH on www.ovh.com to request this info.
References: none

Q25 (Odoo Clouds (SaaS+SH))
Question: Are system backups of customer data performed?
Answer: Yes:
- Each customer database is replicated in real time on redundant storage located in the same data center, so a failover can happen quickly in case of hardware failure, with no data loss.
- In addition, a minimum of 14 full backups are archived for each customer, for a minimum of 3 months of history: 1/day for 7 days, 1/week for 4 weeks, 1/month for 3 to 12 months depending on space. See a simulation of backup dates here: https://docs.google.com/spreadsheets/d/e/2PACX-1vSJpyyyQ7kr5WSutkrDE3ybgpYySogseN7x2Og6fIbpPYABHe0q8xq0y0xh7P-QSHkX3RTTVqKMIExy/pubhtml?gid=0&single=true
- The backups are replicated on at least 3 different machines in different data centers in Europe and Canada (it is not possible to choose or restrict the regions where backups are replicated).
References: Security Page, Cloud SLA

Q25.a (Odoo SH)
Question: Please describe your process for performing data backups, verification, restoration, and destruction.
Answer: (For Odoo.SH specifically)
Data Backups
- Production data is replicated in real time over encrypted filesystems with triple redundancy (as provided by Google Cloud Storage: https://cloud.google.com/security/encryption-at-rest/default-encryption/), to eliminate the risk of data loss.
- Once per 24h, a snapshot of each customer database is archived and replicated on 3 different data centers on 2 continents (Europe and Canada), for disaster recovery purposes. It is not possible to choose or restrict the regions where backups are replicated, for security reasons.
- 14+ full backups are archived for each customer database, with a minimum of 3 months of history: 1/day for 7 days, 1/week for 4 weeks, 1/month for 3 to 12 months. See a simulation of backup dates here: https://docs.google.com/spreadsheets/d/e/2PACX-1vSJpyyyQ7kr5WSutkrDE3ybgpYySogseN7x2Og6fIbpPYABHe0q8xq0y0xh7P-QSHkX3RTTVqKMIExy/pubhtml?gid=0&single=true
- On Odoo.SH, 30 additional daily snapshots are kept locally for immediate restoration by the customer (in the control panel).
- Customers are free to grab a full backup of their data at any time from the control panel and archive it themselves.
Verification & Restoration
All backup servers are monitored in real time, and we have specific monitoring rules to ensure that all 14 backups are available for each customer, and that the backups are indeed complete and in working order. Those monitoring rules are regularly tested by generating error conditions.
Customers can contact the helpdesk to restore any available backup if the self-restore option is not enough.
Destruction
Backups are stored on read-only storage with automatic daily, weekly and monthly rotations, and cannot be destroyed earlier than their scheduled rotation, to prevent accidental or malicious data loss. When customers request that their data be destroyed, we delete the data from all production services and let the data get evicted naturally from our backup servers.
Data on backup servers is never processed except for the explicit purpose of preserving the backups, or upon explicit request from the customer.
References: Privacy Policy, Cloud SLA
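The rotation described in Q25 and Q25.a (1/day for 7 days, 1/week for 4 weeks, 1/month for at least 3 months, hence at least 14 full backups) and the monitoring rule that checks that all 14 are present can be modelled in a few lines. This is an added illustration written for this page, not Odoo's backup tooling. The page does not say which day of the week the weekly snapshot is, which day of the month the monthly one is, or whether the tiers may overlap; this example assumes Sunday, the 1st of the month, and non-overlapping tiers, so that the minimum count is exact. It also generalizes slightly: the tier sizes are parameters, so the same function models the "up to 12 months" end of the range.

```python
from datetime import date, timedelta

# Retention tiers quoted on the page: 7 daily + 4 weekly + 3 monthly = 14 backups minimum.
DAILY_DAYS = 7
WEEKLY_WEEKS = 4
MONTHLY_MONTHS = 3


def _previous_sunday(d):
    """Most recent Sunday on or before d (Python: Monday is weekday 0)."""
    return d - timedelta(days=(d.weekday() + 1) % 7)


def _first_of_previous_month(d):
    """The 1st of the month strictly before the month containing d."""
    return (d.replace(day=1) - timedelta(days=1)).replace(day=1)


def expected_backups(today, daily=DAILY_DAYS, weekly=WEEKLY_WEEKS, monthly=MONTHLY_MONTHS):
    """Set of snapshot dates the rotation must still hold on `today`.

    Assumptions (not stated on the page): the weekly snapshot is the Sunday one,
    the monthly snapshot is the 1st-of-month one, and each tier starts strictly
    before the previous tier's oldest date, so the tiers never overlap.
    """
    keep = set()
    # Daily tier: today and the preceding days.
    for i in range(daily):
        keep.add(today - timedelta(days=i))
    oldest_daily = today - timedelta(days=daily - 1)
    # Weekly tier: Sundays strictly older than the daily window.
    sunday = _previous_sunday(oldest_daily - timedelta(days=1))
    for i in range(weekly):
        keep.add(sunday - timedelta(weeks=i))
    oldest_weekly = sunday - timedelta(weeks=weekly - 1)
    # Monthly tier: 1st-of-month snapshots strictly older than the weekly window.
    first = oldest_weekly.replace(day=1)
    if first == oldest_weekly:
        first = _first_of_previous_month(oldest_weekly)
    for _ in range(monthly):
        keep.add(first)
        first = _first_of_previous_month(first)
    return keep


def missing_backups(today, present):
    """Monitoring rule: which expected snapshots are absent from `present`?"""
    return sorted(expected_backups(today) - set(present))


def evictable(snapshot, today):
    """Read-only rotation: a snapshot may only disappear once no tier still needs it."""
    return snapshot not in expected_backups(today)


def history_days(today):
    """How far back the oldest retained snapshot reaches, in days."""
    return (today - min(expected_backups(today))).days


if __name__ == "__main__":
    today = date(2024, 3, 11)  # a Monday; constructed example date
    kept = expected_backups(today)
    print(len(kept), "snapshots retained, oldest", min(kept), "(", history_days(today), "days )")
    # Simulate a backup server that lost the February monthly snapshot.
    print("missing:", missing_backups(today, kept - {date(2024, 2, 1)}))
    print("Feb 1 evictable today?", evictable(date(2024, 2, 1), today))
```

Running the block for 2024-03-11 gives 14 retained dates, the oldest being 2023-12-01 (101 days of history, i.e. the "minimum 3 months" the page promises), the simulated loss of the February monthly snapshot is reported, and that snapshot is not evictable. Raising `monthly` to 12 models the 12-month end of the range without changing anything else.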

Q26 (Odoo Clouds (SaaS+SH))
Question: Do you have a vulnerability and patch management program that meets or exceeds industry best practices?
Answer: Yes, under the direct supervision of the Security Team, which oversees product and platform security as well as computer equipment security.
References: none

Q27 (Generic)
Question: Is there a documented incident response plan?
Answer: Yes, we have documented incident response plans for the incident response team (security) for both product security incidents and computer security incidents.
References: none

Q28 (Generic)
Question: Does the Incident Response Plan identify management responsibilities in the event of an incident?
Answer: Yes, the responsibilities are defined at each step of our incident response plan.
References: none

Q29 (Odoo Clouds (SaaS+SH))
Question: Do you have a disaster recovery plan (DRP) for customer services? Do you exercise this plan regularly? Can you provide the latest report?
Answer: Yes, our disaster recovery plan is based on the triple, multi-continental replication of customer backups. It is exercised daily, as we monitor in real time the execution of our backup strategies and we test the restoration of our customer backups daily. See also Q30 for RPO/RTO.

We conduct a full disaster recovery exercise at least annually on dedicated production systems, with real customer data (but without causing impact to actual customer production databases). Reports for those exercises are not shared.
References: Cloud SLA

Q30 (Odoo Clouds (SaaS+SH))
Question: What are the recovery point objective (RPO) and recovery time objective (RTO) of your disaster recovery plan?
Answer: For a permanent disaster that only impacts a single host, our recovery plan has the following metrics:
- RPO (Recovery Point Objective) = 5 minutes, i.e. at most 5 minutes of work can be lost
- RTO (Recovery Time Objective) = 30 minutes, i.e. the service will be back online after at most 30 minutes (standby promotion time and DNS propagation time included)
For a permanent disaster that impacts an entire data center, our recovery plan has the following metrics:
- RPO (Recovery Point Objective) = 24h, i.e. at most 24h of work can be lost if the data cannot be recovered and we need to restore the last daily backup
- RTO (Recovery Time Objective) = 24h, i.e. the service will be restored from the backup within 24 hours in a different data center

See also Q29.
References: none

Q31 (Odoo Clouds (SaaS+SH))
Question: Do you have a business continuity plan (BCP)? Can you provide the latest report?
Answer: Yes, and it is robust because 100% of our key resources and activities are online, hosted in distributed and replicated secure data centers. We have backup strategies that are monitored in real time, and we test the recovery of our backups daily.
In case of a disaster affecting a data center, our core IT team is trained to perform emergency recovery of all online systems from our backups, and they can work remotely from any location thanks to our zero-trust network policy (see the DRP questions Q29 and Q30 for more details). If the disaster impacts our main facilities, all personnel can resume activities from any other location with an internet connection, including from their homes if necessary.

We do not provide test reports for this.
References: none

Q32 (Generic)
Question: What does your corporate / internal security policy cover?
Answer: The corporate Information Security Policy covers the following:
- confidentiality rules
- password/credentials management and requirements
- provisioning/deprovisioning of personal credentials
- role-based access control policy ("principle of least privilege")
- procedures and rules for access to customer data by authorized support and consultant staff
- auditing and logging of staff operations
- equipment security (mandatory full-disk encryption, lock screen timeout, antimalware, etc.)
- backup policies for staff laptops
- clean desk rules
- zero-trust network rules
- incident/data breach reporting procedures
References: none

Q33 (Odoo Clouds (SaaS+SH))
Question: Do you have certifications such as ISO 27001, ISO 9001, SOC2, OWASP Top 10, etc.?
Answer: We maintain annual SOC1 and SOC2 Type I & II external audit reports. The reports are available under NDA for customers.

Note about release frequency: Odoo's SOC2 reports are released on a yearly schedule. Type II reports cover a specific period of time during which the auditors assessed compliance, so the reports are issued at the end of the assessment period. In general we expect the updated reports to be released in Q3, covering the period from April 1 of the previous year to March 31 of the current year.

We also provide a complete Cloud Security Alliance CAIQ v3 questionnaire; the link is on our Security Policy page at odoo.com/security

We do not have ISO 27001 or any other certifications besides the above at this time.

However, we follow all best practices of the industry as described in our Security Policy, and we only process customer data in secure data centers hosted by well-known providers that meet our strict security requirements and offer all industry-standard certifications and guarantees, including ISO 27001 (see also Q24 and our Privacy Policy for a list of their certifications). In addition to our SOC2 and CAIQ, see our Security Policy at odoo.com/security for more info about our technical and organizational security measures, and our Privacy Policy at odoo.com/privacy for more info about our hosting service providers and their certifications.

We do of course take the OWASP Top 10 web vulnerabilities into account in the design of our software and platform, and they are an important concern during all code reviews (more info on this in the Security Policy too).

(For Odoo staff: you can find the Odoo Sign template to send to the customer for the SOC2 NDA in the Sign menu; search for the "NDA" and "SOC" tags. They get the download link after signing.)
References: Privacy Policy, Security Page

Q33.A (Generic)
Question: Can you provide a copy of your most recent SOC1 / SOC2 report related to the design and operating effectiveness of your controls?
Answer: Yes, the SOC1 and SOC2 reports are available under NDA (see also Q33).

(For Odoo staff: you can find the Odoo Sign template to send to the customer for the SOC2 NDA in the Sign menu; search for the "NDA" and "SOC" tags. IMPORTANT: they get the download link at the last step when signing.)
References: Privacy Policy, Security Page

Q34 (Generic)
Question: Please describe your process for reporting potential security vulnerabilities / data breaches.
Answer: Potential security vulnerabilities have to be reported to the Security Team at security@odoo.com, which acts as both a PSIRT and a CSIRT. Reports can concern the product, the platform, or the organization. In case of a suspected data breach, users are asked to fill in the "Data Breach Report Form" with all relevant details (reporter info, description of events, time and date, category of data, data subjects, quantity of data and number of data subjects, steps taken, etc.).
References: none

Q35 (Generic)
Question: Please describe your process for handling a security incident / event / data breach.
Answer: Potential security vulnerabilities have to be reported to the Security Team at security@odoo.com, which acts as both a PSIRT and a CSIRT. Reports can concern the product, the platform, or the organization. In case of a suspected data breach, users are asked to fill in the "Data Breach Report Form" with all relevant details (reporter info, description of events, time and date, category of data, data subjects, quantity of data and number of data subjects, steps taken, etc.). The handling steps that follow a report (analysis, the 72-hour data breach procedure, recording, remediation) are listed in Q3.
References: Security Page

Q36 (Generic)
Question: Please describe your process for screening employees and contractors. Are there any certifications required for security or R&D positions?
Answer: As part of our recruitment process, Human Resources officers verify that an individual is fit for working at Odoo based on their education, past employment experience, personality, skills, work permit, etc. Candidates are also subject to a series of assessments and interviews with future colleagues and managers, as appropriate for the position.
Extensive background checks including health, finances or criminal records are not common and are generally forbidden by law, because they are not genuinely relevant to the nature and working conditions of the jobs offered.

Staff members who are selected to join the Security Team and the Platform Team (the teams in charge of organizational and technical security measures, as well as incident response) are subject to a probationary period of several months under the supervision of the Security Team leader before being granted elevated privileges.
References: Security Page

Q37 (Generic)
Question: How are customers notified of Odoo security vulnerabilities?
Answer: The Odoo Enterprise Agreement contract (cf. https://www.odoo.com/terms) includes a "Security Updates" provision. All customers who deploy Odoo in self-hosting mode receive Security Advisories during the private disclosure period, as described in the Responsible Disclosure Policy at https://www.odoo.com/security-report
Customers can choose a preferred "security contact" email address that will receive the advisories.
After the private disclosure period, CVEs/advisories are publicly disclosed (typically via the Announcements mailing list, available on www.odoo.com/groups). The list of past CVEs is visible at https://www.odoo.com/r/security-issues

Odoo Online (SaaS): for users of Odoo's software-as-a-service, there is normally no Security Advisory notification, because all security patches are immediately applied to all production environments.

Odoo.sh (PaaS): for users of Odoo's platform-as-a-service, there is normally no Security Advisory notification either, because all security patches are immediately applied to all production environments. For users who have chosen to "pin an Odoo revision" manually in the control panel, the system shows a red warning next to the pinned revision for up to 3 months (with a list of CVEs), at which point the revision is forcefully upgraded.
References: none

Q38 (Generic)
Question: Can you provide a copy of your most recent vulnerability scanning and/or penetration testing results? Can you share VAPT reports? (VAPT = Vulnerability Assessment and Penetration Testing)
Answer: No, we do not share any scanning or penetration testing results.
We have various types of scans, manual and automated. The automated scans are run at least monthly; the manual ones are executed continuously by our security researchers (internal and external).
All results are analyzed by the Security Team and the necessary remediation actions are always taken, so the results would be obsolete / irrelevant anyway.

Our customers are free to commission their own independent vulnerability scanning/pentesting, as long as they respect our Acceptable Use Policy at https://www.odoo.com/acceptable-use (mainly: only scan your own data, and throttle all scanners to limit the impact on Odoo services).

Note: the list of our past CVE advisories is public at https://www.odoo.com/r/security-issues, and our Responsible Disclosure Policy also includes a hall of fame section showing the activity of third-party security researchers: https://www.odoo.com/security-report
References: Security Page

Q38.A (Generic)
Question: How often is Odoo's security audited?
Answer: There are various pentests/audits/assessments going on all the time, internal and external, executed periodically or as one-shots:
- internal pentesting and assessments by the Odoo Security Team: a continuous effort that yields individual findings/incidents, handled by our response team
- external periodic assessments: monthly scans by Qualys, including PCI compliance
- external periodic audits: annual SOC2 Type I and Type II audits by the external firm BDO (reports available under NDA, cf. the related question Q33)
- external security bug bounty program: continuous pentesting by third-party researchers, with findings handled by our response team (the public part is visible on odoo.com/security-report)
- in addition, we have external audits/pentests commissioned by customers/partners, who often send us the reports for analysis

Combining all the channels mentioned above, there are external audits of Odoo ongoing every month on average, and external pentesting ongoing every week.
References: Security Page

Q39 (Odoo SH)
Question: How is customer data stored and protected (Odoo.SH)?
Answer: Customer data is exclusively hosted and processed within data centers with state-of-the-art security. For Odoo.sh customers, the data centers used are those of Google Cloud. More information about the security of Google Cloud is available here: https://cloud.google.com/security/compliance/offerings/#/regions=Global

Customer databases, business logic and customizations are isolated from each other using containerization technology implemented at the operating system level. Filesystems are encrypted at rest and triple-replicated, as described in the Google Cloud documentation: https://cloud.google.com/security/encryption-at-rest/default-encryption/

Customers can only access their data over HTTPS (encryption in transit), with grade A certificate chains.

Access to Odoo Cloud customer environments is allowed for Odoo staff following the principle of least privilege. Staff members with customer data access are the Helpdesk staff (in the context of a customer ticket), Consultants (in the context of their mission for the customer) and the core IT staff (for maintaining the security and reliability of the platform).
All accesses are logged and auditable, and only permitted after authentication with personal credentials.
Personal credentials and authorizations are immediately revoked upon termination of an employee's contract.
References: Privacy Policy, Security Page

Q40 (Generic)
Question: What have you done to become compliant with GDPR?
Answer: We have followed a compliance roadmap with the help of our legal advisors. It included steps such as: deciding on the necessity of appointing a DPO, creating and verifying a detailed data protection registry, updating and verifying the privacy framework (internal and public privacy policies, third-party and employment contracts, ...), updating and evaluating privacy notices and consent and withdrawal mechanisms, creating and verifying a data transfer registry, updating and reviewing the data breach procedure, updating and reviewing all organizational and technical measures (incl. data protection agreements), information and training plans for staff, and communication with customers.
References: Privacy Policy, GDPR Guide, OE Contract

Q41 (Odoo SH)
Question: Do multiple tenants occupy your data facility? If so, please describe how tenants are separated. (Odoo SH)
Answer: Yes. Google Cloud has a variety of isolation and sandboxing techniques for protecting a service from other services running on the same machine. These techniques include normal Linux user separation, language- and kernel-based sandboxes, and hardware virtualization. In general, they use more layers of isolation for riskier workloads; for example, when running complex file format converters on user-supplied data or when running user-supplied code for products like Google App Engine or Google Compute Engine. As an extra security boundary, Google Cloud runs very sensitive services, such as the cluster orchestration service and some key management services, exclusively on dedicated machines.

For more information regarding Google's security design, please refer to https://cloud.google.com/security/infrastructure/design/
References: none

Q42 (Generic)
Question: Please describe your process for incorporating security in your software development lifecycle.
Answer: We use complementary approaches:

1) Our application framework is designed to be secure and to help developers write secure code. For example, protections against the top OWASP vulnerabilities are built into the system:
- SQL injection: Odoo relies on an object-relational mapping (ORM) framework that abstracts query building and prevents SQL injection by default. Developers do not normally craft SQL queries manually; the queries are generated by the ORM, and parameters are always passed separately and properly escaped.
- XSS: the Odoo framework escapes all expressions rendered into views and pages by default, preventing XSS. Developers have to specifically mark an expression as "safe" to have it included raw in a rendered page.
- CSRF: the Odoo website engine includes a built-in CSRF protection mechanism. It prevents any HTTP controller from receiving a POST request without the corresponding security token, which is the recommended technique for CSRF prevention. This security token is only known and present when the user genuinely accessed the relevant website form, and an attacker cannot forge a request without it.
- Malicious file execution: Odoo does not expose functions to perform remote file inclusion. However, it allows privileged users to customize features by adding custom expressions that will be evaluated by the system. These expressions are always evaluated in a sandboxed and sanitized environment that only allows access to permitted functions.
- Insecure direct object references: Odoo access control is not implemented at the user interface level, so there is no risk in exposing references to internal objects in URLs. Attackers cannot circumvent the access control layer by manipulating those references, because every request still has to go through the data access validation layer.
- Insecure RPC: the framework prevents RPC access to private methods, making it harder to introduce exploitable vulnerabilities.
- Insecure cryptographic storage: Odoo uses industry-standard secure hashing for user passwords (by default PBKDF2 with SHA-512, with key stretching) to protect stored passwords. It is also possible to use external authentication systems such as OAuth 2.0 or LDAP, in order to avoid storing user passwords locally at all.
- Insecure communications: Odoo Cloud runs on HTTPS by default. For on-premise installations, it is recommended to run Odoo behind a web server that implements the encryption and proxies requests to Odoo, for example Apache, Lighttpd or nginx.
- etc.
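To make the SQL injection point concrete, here is an added example (not Odoo's code) of the same lookup written the way the ORM forbids, with the input spliced into the SQL text, and the way the ORM does it, with the input sent as a bound parameter. It uses Python's sqlite3 module over an in-memory table constructed for the example so that it runs offline; sqlite3 uses "?" placeholders, whereas Odoo's raw cursor (psycopg2) uses "%s" with the values passed as a separate tuple, and the ORM builds its queries the same parameterized way.

```python
import sqlite3

# Constructed sample rows (not Odoo's real schema): a cut-down res_partner table.
SAMPLE_PARTNERS = [
    ("Alice Martin", "alice@example.com"),
    ("Bob Dupont", "bob@example.com"),
    ("Carol Lee", "carol@example.com"),
]


def make_db():
    """In-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE res_partner (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO res_partner (name, email) VALUES (?, ?)", SAMPLE_PARTNERS)
    return conn


def find_partner_vulnerable(conn, name):
    """The anti-pattern: untrusted input is spliced into the SQL text, so the
    quote characters it contains become part of the query's grammar."""
    sql = "SELECT name FROM res_partner WHERE name = '%s' ORDER BY id" % name
    return [row[0] for row in conn.execute(sql)]


def find_partner_safe(conn, name):
    """The pattern the ORM enforces: the input travels as a bound parameter, the
    driver never parses it as SQL, and a quote inside it is just a quote."""
    rows = conn.execute("SELECT name FROM res_partner WHERE name = ? ORDER BY id", (name,))
    return [row[0] for row in rows]


def demo():
    """Run both lookups against the classic tautology payload and a legitimate name."""
    conn = make_db()
    payload = "x' OR '1'='1"  # turns the WHERE clause into ... name = 'x' OR '1'='1'
    return {
        "vulnerable": find_partner_vulnerable(conn, payload),  # every row leaks
        "safe": find_partner_safe(conn, payload),              # no partner has that name
        "legit": find_partner_safe(conn, "Alice Martin"),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print("%-10s -> %s" % (label, names))
```

The vulnerable variant returns all three partners for the payload, the parameterized one returns none, and a genuine name still matches. In a code review the thing to look for is exactly the first shape: any "%" formatting, f-string or concatenation that feeds a cursor's execute().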


2) All developers are trained to recognize and avoid web application security problems. All code reviewers are in charge of specifically including a security audit in every change request they review. The Odoo Security team participates and coaches developers and reviewers to catch mistakes as early as possible, and keeps developers updated on security topics and best practices.

3) The Odoo Continuous Integration (CI) systems run static code analysis tests on all changes, and flags known errors, blocking the change at the review phase. For changes that touch sensitive components or include certain sensitive pieces of code, an extra review by the Security team is automatically requested before the change can be approved

4) Odoo is an official CVE Numbering Authority (cfr MITRE CVE Program) and runs a Responsible Disclosure Program (see https://www.odoo.com/security-report. Independent security researchers are encouraged to audit the code and hunt vulnerabilities. This is greatly facilitated by the open source nature of Odoo.
Many researchers and customers perform pentesting manually as well as black-box pentesting with the help of automated tools such as Netsparker, Qualys's security suite, or open source tools such as sqlmap.
TRUETRUEFALSEFALSEFALSE
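The password storage scheme named in Q42 above (PBKDF2 with SHA-512 and key stretching), shown as an added, stdlib-only illustration; this is not Odoo's own implementation. The iteration count, the `algo$rounds$salt$digest` storage format and the `login()` helper are constructed for this example. It also shows the "key stretching" maintenance step: when the policy raises the round count, a stored hash is upgraded transparently at the next successful login, the only moment the plaintext is available.

```python
import hashlib
import hmac
import secrets

# Iteration count for newly created hashes (assumed value for this example; tune it so that
# one verification costs tens of milliseconds on the authentication servers).
PBKDF2_ROUNDS = 210_000
ALGO = "pbkdf2_sha512"


def hash_password(password: str, rounds: int = PBKDF2_ROUNDS) -> str:
    """Return a self-describing string 'algo$rounds$salt$digest' (hex-encoded fields)."""
    salt = secrets.token_bytes(16)  # unique random salt per password
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return f"{ALGO}${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored parameters and compare in constant time."""
    try:
        algo, rounds, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(rounds)
    except ValueError:
        return False  # malformed record: reject rather than crash
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, target_rounds: int = PBKDF2_ROUNDS) -> bool:
    """True when the stored hash uses fewer rounds (or another scheme) than current policy."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return True
    return int(parts[1]) < target_rounds


def login(password: str, stored: str) -> tuple:
    """Verify the password; on success return (True, hash_to_store), where the hash is
    re-generated with the current round count if the stored one is weaker."""
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored):
        return True, hash_password(password)
    return True, stored
```

The stored record carries its own parameters, so raising `PBKDF2_ROUNDS` later never breaks existing users; `login()` migrates them one by one.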
Q43
Applies to: (Generic)
Question: Do you support OAuth 2?
Answer: Yes, OAuth2 is built-in using the auth_oauth module, which is preconfigured for common OAuth2 providers such as Google or Azure.

The procedure is as follows:
- Obtain a valid OAuth client_id for your preferred OAuth provider. The procedure for doing so with Google is explained here: https://www.odoo.com/documentation/user/general/auth/google.html
- As an administrator, navigate to Administration/Settings, then scroll to the bottom and click "Activate developer mode"
- Once in developer mode, navigate to Settings/Users & Companies/OAuth providers, configure the client_id for the chosen provider, and check the "Allowed" box
- If the OAuth provider is not preconfigured, you will need to create a new provider profile and fill in the required technical data (Auth Scope, Auth Endpoint URL, Data Endpoint URL, Validation Endpoint URL)
- When done, users will see an option "Login with <OAuth Provider>"

For MS Azure, see this task: https://www.odoo.com/web#id=2854287&model=project.task&view_type=form
Reference documents: none

Q44
Applies to: Odoo Clouds (SaaS+SH)
Question: How do you mitigate DDoS and DoS attacks?
Answer: Large-scale DDoS attacks are handled by the data center providers automatically. Simpler DoS attacks are detected by our monitoring systems (e.g. because the latency increases for some services) and mitigated at firewall level by our core sysadmin team.
Reference documents: none

Q45
Applies to: (Generic)
Question: Do you support multi-factor / second-factor / two-factor / TFA / MFA authentication?
Answer: 2FA via TOTP is built-in. An additional "2FA by Mail" (auth_totp_mail_enforce) module allows configuring mandatory 2FA for users, by requiring 2FA via email when TOTP is not enabled.
Alternative 2FA solutions can also be implemented by using a third-party identity provider, via supported authentication protocols like LDAP or OAuth2, which are built-in.
On Odoo.SH it is also possible to install third-party multi-factor extensions.

See also the documentation, e.g. https://www.odoo.com/documentation/latest/applications/general/auth/azure.html
Reference documents: none

Q46
Applies to: (Generic)
Question: What type of controls have been implemented to secure the application?
Answer:
- The software comes with a full-featured Role-Based Access Control layer that protects all data access. Administrators can define granular access control rules (at table, row, and even column level), based on user groups (roles) assigned to the users.
- Users are required to authenticate using personal credentials (or an external auth provider like OAuth2 or LDAP) before they can access non-public data.
- The system produces a log with all security-related and significant events, and webserver-like logs for all access requests.
- Most business documents in the database have a "history discussion" where significant state changes are recorded, as well as any discussion related to the document. It is also possible for users to view the last change date and author for any document.
Reference documents: Security Page

Q47
Applies to: Odoo Clouds (SaaS+SH)
Question: How do you protect customer data from employees and personnel?
Answer:
- Customer data is physically stored and processed in secure data centers to which employees and personnel never have physical access.
- Administration access to the customer data processing systems is strictly limited to the core Odoo infrastructure team, for the exclusive purpose of ensuring the availability, integrity, performance and security of the Odoo platforms, following procedures designed and controlled by the Security Team.
- Regular staff access to customer data is restricted to authorized employees only (members of the consulting and helpdesk teams), after an extra authentication step with personal employee credentials, and subject to tracing and auditing. These traces are available for customers that request them:
  - For Odoo SaaS, all sensitive operations on a database by the Odoo staff are visible for customers via a menu entry in the "My Databases" control panel
  - For Odoo SH, this information is only available by contacting our helpdesk, but will be made available in the future (ETA Q1/Q2 2024)
- HR processes for onboarding and offboarding employees enforce immediate provisioning and termination of role-based employee credentials.
- All employees are contractually required to observe strict confidentiality rules for any customer data they are exposed to, and to observe the information security policies at all times.
Reference documents: Security Page

Q47a
Applies to: Odoo Clouds (SaaS+SH)
Question: How do you protect customer data from access by employees located outside the EU?
Answer: As mentioned in the Privacy Policy, customer data may be accessed by staff members of Odoo subsidiaries in other countries, for specific reasons such as answering customer requests.
All the same technical and organizational measures apply for this access too (see also Q47).
In addition, Odoo uses the EU Standard Contractual Clauses (SCC) to bind Odoo subsidiaries in a way that offers supplementary safeguards on data protection (as foreseen by GDPR article 46), for the limited and temporary data transfers that occur for such access.
Reference documents: Privacy Policy, Security Page

Q48
Applies to: Odoo Clouds (SaaS+SH)
Question: Is personal data encrypted according to state-of-the-art technology?
Answer: All customer data is encrypted at rest and in transit using industry-standard encryption technologies, both for production and for backup environments.
Reference documents: Security Page

Q49
Applies to: (Generic)
Question: Do you have protection against malware (antivirus) installed on all devices?
Answer:
- For servers: all systems supporting cloud services are minimal, hardened Linux systems where installation and execution of software is restricted and requires systematic authorization by Odoo infrastructure engineers. Anti-malware protection is always assumed to be deployed at user endpoints, as there are many ways for these endpoints to receive documents and files.
- For workstations/laptops: all user devices are equipped with appropriate anti-malware solutions depending on the operating system.
Reference documents: Security Page

Q50
Applies to: Odoo Clouds (SaaS+SH)
Question: How long do you keep application and web server logs, and do you anonymize IP addresses?
Answer: As mentioned in the Privacy Policy, those technical logs are kept for up to 12 months, and only used for purposes of securing our services, as well as troubleshooting or improving the performance of our services.
Customers have limited access to the application/web server logs corresponding to their own usage: on SaaS, only upon request to the Odoo Helpdesk; on Odoo.SH, in self-service mode in the project admin area.

With regard to IP addresses: Odoo is not a telecommunication provider, and IP addresses alone do not allow us to identify a person. However, it is often the only piece of information that allows us to investigate abusive behavior, so it is a requirement for us to store it without anonymizing it, as an important technical measure (e.g. to satisfy GDPR Article 32 "Security of Processing"). Sometimes an incident is only detected or reported by users several months after it took place.
We do not use this information for statistical or tracking purposes, but exclusively for the legitimate purpose of securing our cloud services.
Reference documents: Privacy Policy

Q51
Applies to: (Generic)
Question: What is the password policy for Odoo Staff? Do you enforce minimum length, periodical rotation, required character classes, etc.?
Answer: Odoo follows recommended best practices from US NIST SP 800-63B <https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver> and EU ENISA, which include a minimum length requirement for passwords, but discourage arbitrary password composition rules and periodical password rotation, which have been demonstrated to be counter-productive for password security in general. Sensitive administrator credentials have a longer length requirement and mandatory two-factor authentication.
Cfr. the NIST FAQ:
- q-b05 <https://pages.nist.gov/800-63-FAQ/#q-b05>
- q-b06 <https://pages.nist.gov/800-63-FAQ/#q-b06>
Reference documents: Security Page

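A password acceptance check in the spirit of the NIST SP 800-63B points cited in Q51 above, as an added example (not Odoo's code): a minimum length, a blocklist of compromised or common values, rejection of context-specific words and of trivially repeated or sequential strings, and deliberately no character-class rules or rotation clock. The blocklist, the 15-character administrator minimum and the function names are constructed for this example; NIST itself specifies the 8-character user minimum and that at least 64 characters must be accepted.

```python
import unicodedata

# Constructed, tiny blocklist for the example. A real deployment loads a large list of
# breached and commonly used passwords (NIST SP 800-63B section 5.1.1.2).
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1", "odoo"}

MIN_LENGTH_USER = 8     # NIST: at least 8 characters when chosen by the user
MIN_LENGTH_ADMIN = 15   # assumption for this example: stricter minimum for administrators
MAX_LENGTH = 64         # NIST: at least 64 characters must be allowed


def normalize(secret: str) -> str:
    """Apply NFKC normalization before measuring and comparing, as NIST recommends."""
    return unicodedata.normalize("NFKC", secret)


def is_sequential(s: str) -> bool:
    """True for runs such as 'abcdefgh' or '87654321' (every character is +/-1 from the last)."""
    if len(s) < 2:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs in ({1}, {-1})


def check_password(secret: str, username: str = "", service_name: str = "",
                   is_admin: bool = False) -> list:
    """Return the list of rejection reasons; an empty list means the password is acceptable.

    There are intentionally no composition rules (digits, symbols, mixed case): they push
    users toward predictable substitutions instead of longer, more random secrets.
    """
    reasons = []
    s = normalize(secret)
    low = s.lower()
    min_len = MIN_LENGTH_ADMIN if is_admin else MIN_LENGTH_USER
    if len(s) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if len(s) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if low in BLOCKLIST:
        reasons.append("found in the compromised/common password blocklist")
    for ctx in (username, service_name):
        if ctx and len(ctx) >= 3 and ctx.lower() in low:
            reasons.append(f"contains context-specific word {ctx!r}")
    if len(set(low)) == 1:
        reasons.append("single repeated character")
    if is_sequential(low):
        reasons.append("sequential characters")
    return reasons
```

Spaces are allowed, so passphrases pass; the only thing that forces a change of an accepted password is a later appearance on the blocklist or evidence of compromise, not a calendar.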
Q52
Applies to: (Generic)
Question: What tools are used to perform vulnerability scans / penetration testing / VAPT?
Answer: Several tools are used, both internal ones and external ones. We don't want to commit to using any specific brand or tool, so we do not want to disclose this.

Our customers are free to commission their own independent vulnerability scanning/pentesting in any case, as long as they respect our Acceptable Use Policy at https://www.odoo.com/acceptable-use (mainly: only scan your own data, and throttle all scanners to limit impact on Odoo services).

See also Q38.
Reference documents: none

Q53
Applies to: Odoo Clouds (SaaS+SH)
Question: Do Odoo SaaS and Odoo SH use a Web Application Firewall (WAF)?
Answer: The Odoo Cloud environment uses a combination of DDoS protection systems, stateful firewalls and intrusion detection and protection systems in order to protect its applications.

There is no monolithic WAF, as WAFs can negatively impact applications due to false positives, and can be circumvented by attackers through request obfuscation techniques. WAFs do not eliminate security vulnerabilities and are not considered to represent a significant security improvement against real threats against Odoo software. Odoo controls the technology stack used for its operation, and implements security by writing robust code on top of a robust framework, in combination with code analysis, reviews and pentesting efforts, rather than relying on WAF heuristics for detecting attack patterns. The Odoo cloud security team does implement ad-hoc HTTP routing-level filter rules when it is considered necessary.

Third-party WAFs are however supported for customers who still want them, as long as they have a "transparent proxy" mode.
Cloudflare offers such a service for free (paid plans for advanced options), and they have a very broad range of services that go much further than WAF, DDoS protection and access restrictions.

See also Q44.
Reference documents: none

Q54
Applies to: (Generic)
Question: Do you have an information classification / data labelling scheme in place? Do you have procedures to handle it?
Answer: Yes. Odoo uses an internal data classification scheme, identifying information classes such as Customer Data (always considered sensitive), Internal Data, Internal Sensitive Data, etc.
Information classification is automatic based on the properties of the information (i.e. the subject and origin of the data).
Reference documents: none

Q55
Applies to: (Generic)
Question: Do you have a cybersecurity insurance? Does it cover things like unavailability of the system, breach of personal data or confidential information, data corruption, ransomware (data hijacking), etc.?
Answer: No, there is a lot of evidence that these insurances are close to worthless in practice. They have tons of exclusionary clauses, and even when they do not reject claims, they cover very little of the true costs of cyber security incidents.
We focus our resources on implementing actual security and minimizing security risks instead of paying high insurance premiums in the hope of transferring the risk to a third party.
For example, we implement a triple replication of our encrypted backups in at least 2 different continents, with a fourth encrypted copy transferred to a locked frozen storage where it cannot be deleted, even by Odoo Security Engineers. This makes sure that even if all our other technical defenses were to be defeated, and attackers were able to delete or encrypt our production data, there would still be a safe copy from which we can restore customer data.
Reference documents: none

Q56
Applies to: (Generic)
Question: Is Odoo compliant with Quebec's "Loi 25" aka "Loi sur le privé" aka "Loi modernisant des dispositions législatives en matière de protection des renseignements personnels"?
Answer: In a nutshell, yes, for both Odoo Online and Odoo SH.

However, it's up to each of our clients to check their own compliance with the laws that apply to them. It is not our responsibility, nor that of our providers, to ensure our clients' compliance with their local laws, and we can't offer legal advice to them.

That being said:
- Quebec's "Loi 25" is very similar to GDPR, and many analysts find that it is less stringent, for example on the valid legal bases for data processing, the protection of data transfers, or the way it treats "commercial prospection" as a special case, among other things. As a result, any organization that is already compliant with GDPR will find that it is most likely compliant with "Loi 25" without additional efforts, including with the sections that have not yet come into effect. This would be true as well for data processors (sous-traitants) that process data on behalf of Quebec-based data controllers - like Odoo when offering services to such customers - and were already processing data for EU-based customers subject to GDPR.
- The Data Processing Agreement that is included in the current Odoo Enterprise Subscription Agreement (section 6.5) should be quite sufficient to cover the requirements of Articles 17 and 18.3 of the Loi 25, and no further contractual work seems necessary at this point.
- Our Quebec-based customers are of course warmly advised to talk with a competent legal advisor, and in this process Odoo's GDPR guide may prove to be a useful resource for them: https://www.odoo.com/gdpr
  Even if the first sections contain details that are GDPR-specific, the next sections: #3 "How should you prepare ...", #4 "How is Odoo compliant ..." and #5 "How does Odoo help..." contain useful advice and information with regard to personal data processing with Odoo.
- When establishing their own Privacy Policy, and when performing a data processing impact assessment ("évaluation des facteurs relatifs à la vie privée"), our customers should in general mention that they are using Odoo's services, and can link and refer to Odoo's Privacy Policy. It explains everything about the way Odoo processes data, where the data gets processed, by whom, for how long, how this processing is protected, etc.

References:
- Loi 25 text: https://www.legisquebec.gouv.qc.ca/fr/document/lc/P-39.1
- Memo by the Quebec government explaining the new organization responsibilities: https://www.cai.gouv.qc.ca/documents/CAI_Guide_obligations_entreprises_vf.pdf
Reference documents: Privacy Policy, GDPR Guide, OE Contract

Q57
Applies to: Odoo Clouds (SaaS+SH)
Question: Are security event logs being collected and fed into any SIEM tool? Please list the SIEM tool.
Answer: Odoo implements its own internal SIEM to adapt it to its own internal monitoring needs, to integrate it with the rest of the platform for rapid response to incidents and security events, as well as for compliance reasons.
It is built on a mix of open source and in-house technologies, including Grafana Loki and Prometheus custom probes. The alerting and response rules are continuously improved.
Reference documents: none

Q57a
Applies to: Odoo Clouds (SaaS+SH)
Question: Do you have the ability to interconnect with an external SIEM?
Answer: No, Odoo implements its own internal SIEM to adapt it to its own internal monitoring needs, to integrate it with the rest of the platform for rapid response to incidents and security events, as well as for compliance reasons.
On Odoo SH, customers are free to extract the logs themselves and feed them to an external third-party system, as a custom development.
Reference documents: none

Q58
Applies to: Odoo Clouds (SaaS+SH)
Question: Are network device logs relevant to supporting incident investigation protected against modification, deletion and/or inappropriate access and stored on alternate systems (e.g., SIEM, Syslog, Log Management Service)?
Answer: Yes. Logs are aggregated in real time on a server that collects all the logs of our cloud infrastructure. If a malicious user managed to alter the logs on the server where they are hosted, there would still be a copy on that aggregating server.
Reference documents: none

Q59
Applies to: (Generic)
Question: Do you have a documented set of policies for compliance with Anti-money laundering (AML) laws and regulations, and anti-bribery and corruption (AB&C) regulations in the jurisdictions where you operate?
Answer: We have an "Odoo Group Code of Conduct".
At Odoo, we are committed to high standards of personal and professional behavior. Transparency, ethics, integrity, autonomy and responsibility are core values.
Within our Odoo Group Code of Conduct (the "Code"), we outline the responsibilities all our workers ("Odooers") have to each other, our clients, and the public, which guide all of our behaviors and actions.
The Code is intended for use by all our people, including leadership and management teams, to understand what is expected of them and the responsibility resting on each of them to apply our values, to help them ensure that the decisions they make take into account their responsibilities and our values.
We expect our people to:
- Act with integrity, constantly striving to uphold high standards of ethical practice and professional standards;
- Avoid any conflict of interest and never participate in improper practices such as corruption, bribery, extortion, or embezzlement, in any form.
Reference documents: none

Q60
Applies to: (Generic)
Question: Does your organisation provide a confidential method (also known as a whistleblowing procedure) for employees and contract staff to freely report any perceived issues that might impact your clients or their customers?
Answer: From February 15, 2023, every company must set up a channel for reporting violations of European law.
If an employee witnesses violations in the following areas:
- Public procurement;
- Financial services, products and markets and the prevention of money laundering and terrorist financing;
- Product safety and compliance;
- Transportation safety;
- Environmental protection;
- Radiation protection and nuclear safety;
- Food and feed safety, animal health and welfare;
- Public health;
- Consumer protection;
- Protection of privacy and personal data, and the security of networks and information systems;
- The fight against tax fraud;
- The fight against social fraud;
employees can report them via 2 different channels (one is anonymous, one is confidential but not anonymous). This is explained in the internal HR FAQ.
Reference documents: none

Q61
Applies to: Odoo Clouds (SaaS+SH)
Question: Does the application implement secrets management, such as API keys, encryption keys, etc.? If yes, what type (Vault, AWS Secrets Manager, Azure Key Vault, Windows Registry, text file, etc.)?
Answer: As an enterprise management solution, Odoo does not store many secrets, and those are stored in the customer's dedicated database. On Odoo Cloud (SH/SaaS) the database storage is encrypted at rest using cryptographic keys managed by Odoo.
Some examples of secrets used by the Odoo Apps:
- user passwords are hashed using industry-standard algorithms before storage in the database
- external API keys (when specific integrations are enabled) are stored in restricted areas of the application, under system privileges accessible only to users with sufficient access
- no credit card information (PAN) is ever stored in the database, to maintain PCI SAQ A compliance; those are always processed by the chosen third-party payment provider

Cryptographic material (including certificates and private keys) for the Odoo Cloud platforms is managed by the Infrastructure team and stored in secure cryptographic vaults, with multi-factor access control, restricted to a few key engineers in the team.
Reference documents: Security Page

Q61.b
Applies to: Odoo Clouds (SaaS+SH)
Question: How does the application handle encryption of files such as email attachments for incoming and outgoing messages? Are those encrypted? Are they stored in the database? What is the retention policy?
Answer: Files uploaded into an Odoo Cloud instance are stored either in the database or in the "filestore" filesystem that is attached to it, depending on the configurations and customizations done by the Customer. By default most files and images are stored in the filestore, because it is more efficient.

Both filestore and database are encrypted at rest and in transit with the same encryption level, and are subject to the same access control rules, both for customer-facing access and for Odoo staff-facing access. The filestore can be seen as a part of the database in this regard, even though it is physically stored next to the database, rather than inside the database.

The database and filestore for a given Odoo cloud instance are always managed together, so their backup protection, redundancy and data retention policies are identical (as described in the Odoo Privacy Policy).

The encryption keys used are managed by Odoo and provide an additional security layer on top of the storage encryption already implemented by the data center providers used by Odoo (cfr. Odoo Privacy Policy for the list). Customers cannot provide their own encryption keys.

For the management of encryption keys and material, cfr. Q62.
Reference documents: Privacy Policy, Security Page, Cloud SLA, OE Contract

Q61.c
Applies to: Odoo Clouds (SaaS+SH)
Question: Can customers provide their own encryption keys?
Answer: In general no. Odoo already uses its own data storage level encryption on top of that of the data center providers, but doesn't allow customer-managed keys.
On Odoo SH, customers can however bring their own code, which could allow them to implement additional encryption if they so wish. This would be at their own risk (such as loss of keys resulting in permanent data loss, where Odoo backups are rendered useless because the data in them is encrypted with customer-controlled keys that were lost, so it cannot be decrypted).
Reference documents: none

Q62
Applies to: Odoo Clouds (SaaS+SH)
Question: Is there a certificate lifecycle management policy in place? Is there a documented procedure in case of compromise of an API key, encryption key or secret?
Answer: The Odoo infrastructure team follows the recommendations of EU ENISA, US NIST and the French RGS for the management of all cryptographic material used in various aspects of the Odoo services. This includes the issuance of certificates, their storage, renewal, revocation and overall security practices.

The team uses canary tokens and DLP tools to monitor and protect API keys from accidental leaks. In case of suspected compromise, API keys are revoked and rotated immediately, and new keys are deployed using automatic deployment procedures.

For encryption keys, variable data encryption keys (DEK) are used whenever possible, and wrapped with key encryption keys (KEK). This makes key updates and rotations easier. Typically only the KEKs would need to be rotated.
Reference documents: none

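The DEK/KEK arrangement described in Q62 above, as an added example that is not Odoo's code: every stored object gets its own data encryption key, the DEK is wrapped (encrypted) under the current key encryption key, and a KEK rotation re-wraps only the small DEKs while the bulk ciphertext is never read or rewritten. The cipher is a stand-in built from standard-library primitives (an HMAC-SHA256 keystream in counter mode with a separate HMAC tag, encrypt-then-MAC); a real deployment would use AES-GCM or another vetted AEAD from a proper library. `KeyManager`, `StoredObject` and the key identifiers are constructed for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


# --- stand-in AEAD (assumption: replace with AES-GCM in practice) ---
def _subkey(key: bytes, purpose: bytes) -> bytes:
    """Separate encryption and MAC keys derived from one 32-byte key."""
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, with a fresh random nonce per call."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; only then decrypt."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# --- envelope encryption ---
@dataclass
class StoredObject:
    kek_id: str          # which KEK wrapped the DEK (old objects stay readable mid-rotation)
    wrapped_dek: bytes   # the DEK, encrypted under that KEK
    ciphertext: bytes    # the data, encrypted under the DEK; untouched by KEK rotation


class KeyManager:
    def __init__(self):
        self.keks = {}
        self.current_kek_id = None

    def add_kek(self, kek_id: str) -> None:
        """Generate a new KEK and make it current; older KEKs remain usable for unwrapping."""
        self.keks[kek_id] = secrets.token_bytes(32)
        self.current_kek_id = kek_id

    def encrypt(self, data: bytes) -> StoredObject:
        dek = secrets.token_bytes(32)  # one DEK per object
        return StoredObject(self.current_kek_id,
                            seal(self.keks[self.current_kek_id], dek),
                            seal(dek, data))

    def decrypt(self, obj: StoredObject) -> bytes:
        dek = open_(self.keks[obj.kek_id], obj.wrapped_dek)
        return open_(dek, obj.ciphertext)

    def rotate(self, new_kek_id: str, objects: list) -> None:
        """KEK rotation: unwrap each DEK with its old KEK, re-wrap with the new one."""
        self.add_kek(new_kek_id)
        for obj in objects:
            dek = open_(self.keks[obj.kek_id], obj.wrapped_dek)
            obj.wrapped_dek = seal(self.keks[new_kek_id], dek)
            obj.kek_id = new_kek_id

    def retire_kek(self, kek_id: str) -> None:
        """Safe only once no stored object references this KEK any more."""
        del self.keks[kek_id]
```

Rotation cost is proportional to the number of objects (one small unwrap/re-wrap each), not to the volume of data, which is why the page says that typically only the KEKs need rotating.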
Q63
Applies to: Odoo Clouds (SaaS+SH)
Question: Where are certificate private keys stored, such as HSM, vault, etc.?
Answer: Certificates for the Odoo Cloud platforms are managed by the Infrastructure team and stored in secure cryptographic vaults, with multi-factor access control, restricted to a few key engineers in the team.
Reference documents: Security Page

Q64
Applies to: (Generic)
Question: Is there a continuous security & privacy awareness program in place at Odoo? If so, what is the review frequency of the security & privacy awareness program?
Answer: Yes, Odoo staff are enrolled into a continuous Privacy and Security awareness training, including interactive content, quizzes, assessments and personal progress tracking, along with a personal Behavioral Score based on the individual responses to the training as well as the phishing simulations.
Training material is reviewed by the security team and scoring dashboards are reviewed weekly.
Reference documents: none

Q65
Applies to: (Generic)
Question: Does the training plan enable people to acquire the cybersecurity skills linked to their activity (web development, etc.)?
Answer: Every employee is entitled to 12 days of personal training, via internal and external training programs (self development, management, communication, cybersecurity, etc.).
The Odoo Security team also organizes a specialized internal security training for developers, focusing on a practical exercise session with analysis of common vulnerabilities across all technologies used at Odoo.
Reference documents: none

Q66
Applies to: (Generic)
Question: Is the cookie management / cookie bar in Odoo official versions (Community/Enterprise) compliant with cookie laws, GDPR, etc.? Does it properly delay cookie creation until consent is given by the user?
Answer: Cookie regulations distinguish essential vs non-essential cookies. Essential cookies are required for a website/web application to operate, so their processing cannot be subjected to user consent.
For GDPR, non-essential cookies are typically supposed to be processed on the legal basis of Consent (Art. 6.1.a), whereas essential cookies will typically be processed on other bases (Art. 6.1.b or Art. 6.1.f).

As of Odoo 16.0, cookies processed by official Odoo modules are divided up between essential and non-essential ones, and the latter category is indeed delayed until consent is given.
Third-party integrations may or may not fully respect this policy, depending on third-party compliance.
For website analytics we also recommend switching to a cookie-less solution such as Plausible Analytics, which Odoo supports. On Odoo SaaS this is enabled by default.

For non-official apps and customizations, this is under the responsibility of the developer/integrator. They can use the framework laid out in Odoo 16.0 to accomplish this:
- in Python, the response.set_cookie() function takes a cookie_type parameter that can be set to required or optional. Optional cookies won't be set unless consent has been given.
- in JavaScript, the setCookie function from web.utils.cookies supports a type parameter with the same meaning (required/optional)
For more technical details, see https://github.com/odoo/odoo/pull/95673
Reference documents: Privacy Policy

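The consent gate that Q66 above describes (required cookies always set, optional ones withheld until the visitor has consented), as an added example in plain Python. It does not use Odoo's response.set_cookie() or web.utils.cookies; the `Response` class, the `cookie_type` values and the sample cookie names are constructed here to show the same contract, and the Set-Cookie headers are rendered with the standard library's http.cookies.

```python
from http.cookies import SimpleCookie

REQUIRED, OPTIONAL = "required", "optional"


class Response:
    """Minimal response object that collects Set-Cookie headers (constructed for this example)."""

    def __init__(self, consent_given: bool):
        self.consent_given = consent_given      # result of the visitor's consent choice
        self.headers = []                       # list of (header name, header value)
        self.deferred = []                      # optional cookies withheld for lack of consent

    def set_cookie(self, name: str, value: str, cookie_type: str = REQUIRED,
                   max_age: int = None, secure: bool = True, httponly: bool = True,
                   samesite: str = "Lax") -> bool:
        """Queue a cookie; returns False when an optional cookie is withheld."""
        if cookie_type not in (REQUIRED, OPTIONAL):
            raise ValueError(f"unknown cookie_type {cookie_type!r}")
        if cookie_type == OPTIONAL and not self.consent_given:
            self.deferred.append(name)
            return False
        c = SimpleCookie()
        c[name] = value
        c[name]["path"] = "/"
        c[name]["samesite"] = samesite
        if max_age is not None:
            c[name]["max-age"] = max_age
        if secure:
            c[name]["secure"] = True
        if httponly:
            c[name]["httponly"] = True
        self.headers.append(("Set-Cookie", c.output(header="").strip()))
        return True


def build_response(consent_given: bool, lang: str = "en_US") -> Response:
    """Typical page render: two essential cookies and one non-essential analytics cookie."""
    r = Response(consent_given)
    r.set_cookie("session_id", "constructed-session-token", REQUIRED)
    r.set_cookie("lang", lang, REQUIRED, httponly=False)          # read by client-side JS
    r.set_cookie("analytics_id", "visitor-42", OPTIONAL, max_age=86400 * 30)
    return r


def cookie_names(r: Response) -> list:
    """Names of the cookies actually sent, in order."""
    return [value.split("=", 1)[0] for _, value in r.headers]
```

The essential/non-essential decision is made where the cookie is set, not in the banner, which is what lets the same page render correctly before and after consent.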
Q67
Applies to: (Generic)
Question: Is the cookie management on www.odoo.com compliant with cookie laws, GDPR, etc.?
Answer: For www.odoo.com itself, Odoo management prefers to minimize the number of cookies, rather than annoy all visitors with an intrusive cookie wall.

If you visit the homepage without coming from a specific tracking source (e.g. not facebook, instagram, linkedin, etc.), you should only see:
- 3 essential cookies (session_id, lang, tz)
- 1 non-essential cookie (im_livechat_history) which is only used to provide context in case you talk to our staff via the livechat - and which we are trying to remove as well
Our cookies are explained in our Privacy Policy.
Reference documents: Privacy Policy

Q68
Applies to: (Generic)
Question: Is the cookie management / cookie bar of Odoo compliant with the IAB TCF requirements, or the Google consent management requirements for serving ads in the EEA and UK as of January 2024 (with Google AdSense/AdMob/Ad Manager)?
Answer: As of Odoo 17 the answer is no. The Odoo cookie banner does not implement TCF 2.2 and therefore does not comply with the Google requirements for serving ads in the EEA/UK.
Customers who wish to use Google AdSense/AdMob/Ad Manager on their Odoo-based website should integrate a separate CMP solution.
Google will automatically enable its own CMP solution on websites that do not enable a third-party one.

Please refer to Google's documentation for more information:
- New CMP requirements: https://support.google.com/admanager/answer/13554116
- Automatic Google CMP: https://support.google.com/admanager/answer/14139515
Reference documents: Privacy Policy

Q69
Applies to: Odoo Clouds (SaaS+SH)
Question: Are you using Minimal Security Baseline Standards (MBS / MBSS) for the deployment of Odoo systems and services?
Answer: Yes, all Odoo Cloud system deployments are managed by the Odoo Infrastructure and Odoo Security teams based on standardized system images and configuration sets (MBSS).
Those system images are minimal, hardened images of Linux Debian or Ubuntu LTS server distributions, with a tightly controlled list of installed system packages, and a set of baseline configurations depending on the system purpose.
Odoo uses a deployment mechanism that automatically maintains the state of deployed systems based on this. Each change to the baseline configuration requires approval by core engineers of the Infrastructure and Security teams.
Reference documents: Security Page
