A++ level security
Your data is protected to the same level as a bank's
On your server
Data never leaves your control. On-premise or private cloud.
eID authentication
ID-card, Smart-ID, Mobile-ID. Estonian national identity.
Encryption
TLS 1.3, AES-256. Data encrypted in transit and at rest.
GDPR compliant
Data processing in Estonian/EU jurisdiction. Audit log, data deletion.
Audit log
Every change is logged. Who, when, what. Full traceability.
No tracking
No Google Analytics, no third-party cookies. Private analytics.
On your server
On-premise installation means the entire system runs on your own infrastructure. Database, files, and backups are physically under your control. This gives complete data sovereignty: third parties have no technical means of accessing your data. It is especially well-suited for regulated sectors such as healthcare, finance, and the public sector.
eID authentication
AlfaERP supports all Estonian national electronic identity methods: ID-card, Smart-ID, and Mobile-ID. This is significantly more secure than password-based authentication, as identity verification relies on national infrastructure and cryptographic certificates. Digital signing is also supported via the DigiDoc4j library.
Encryption
All connections are protected with the TLS 1.3 protocol, currently the most secure transport layer standard. Data at rest is encrypted with AES-256, the same standard used by banks and government institutions. Passwords are stored as bcrypt hashes, making brute-force attacks against stored passwords practically infeasible.
GDPR compliant
AlfaERP is built for GDPR compliance from the ground up. Personal data processing takes place only within Estonian and EU jurisdiction. The system supports data subject rights: access, rectification, and deletion requests are automated. A complete audit log records every data processing operation with timestamps and user identification.
Audit log
The audit log tracks every change in the system: who changed what, when, and what the previous value was. This provides full traceability needed for both internal control and external audits. Logs are tamper-proof and retained for a defined period. Filterable and exportable reports make conducting audits fast.
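The page says the log is tamper-proof but does not describe how AlfaERP achieves that, so the following is an added illustrative example (not AlfaERP code) of one common technique: each entry records who, when, what and the previous value, plus a SHA-256 hash of the preceding entry, so any in-place edit, reordering or recomputed hash breaks the chain. The field names and sample entries are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the very first entry

@dataclass
class AuditEntry:
    seq: int                  # position in the log, 0-based
    who: str                  # authenticated user identity
    when: str                 # ISO-8601 timestamp supplied by the application
    what: str                 # changed field, e.g. "invoice.42.amount"
    old_value: Optional[str]  # previous value, None on creation
    new_value: Optional[str]
    prev_hash: str            # entry_hash of the preceding entry
    entry_hash: str = ""      # SHA-256 over all other fields

def entry_digest(entry: AuditEntry) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    body = {k: v for k, v in asdict(entry).items() if k != "entry_hash"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def append(log: List[AuditEntry], who: str, when: str, what: str,
           old_value: Optional[str], new_value: Optional[str]) -> AuditEntry:
    prev = log[-1].entry_hash if log else GENESIS
    entry = AuditEntry(len(log), who, when, what, old_value, new_value, prev)
    entry.entry_hash = entry_digest(entry)
    log.append(entry)
    return entry

def verify(log: List[AuditEntry]) -> Optional[int]:
    """Return the index of the first entry that breaks the chain, or None if intact."""
    expected_prev = GENESIS
    for i, e in enumerate(log):
        if e.seq != i or e.prev_hash != expected_prev or entry_digest(e) != e.entry_hash:
            return i
        expected_prev = e.entry_hash
    return None

def demo() -> Optional[int]:
    # Constructed sample: three changes, then a silent in-place edit of entry 1.
    log: List[AuditEntry] = []
    append(log, "mari", "2024-05-01T09:00:00Z", "invoice.42.amount", None, "100.00")
    append(log, "jaan", "2024-05-01T09:05:00Z", "invoice.42.amount", "100.00", "120.00")
    append(log, "mari", "2024-05-01T09:10:00Z", "invoice.42.status", "draft", "sent")
    assert verify(log) is None
    log[1].new_value = "12.00"  # tampering: the stored hash no longer matches
    return verify(log)          # 1
```

A chain like this detects edits and deletions in the middle but not truncation of the newest entries, so the latest entry_hash must also be anchored somewhere the log writer cannot alter (a separate system, a timestamping service, or a signed daily digest).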
No tracking
AlfaERP contains no third-party tracking scripts: no Google Analytics, Facebook Pixel, or advertising cookies. Web traffic analytics is performed by a privately hosted Plausible instance, which is GDPR-compliant and does not track users at an individual level. Your company's data never flows to advertising networks.
Compliance and standards
Data processing in EU jurisdiction
Electronic identification and trust services
Automated security test suite before every deployment
Digital signing with Estonian national infrastructure
Technical security
Network security
- TLS 1.3 on all connections
- HTTP Strict Transport Security (HSTS)
- Content Security Policy (CSP)
- Rate limiting on all API endpoints
Data security
- AES-256 encryption at rest
- Bcrypt password hashing
- Multi-tenant data isolation
- Automatic data backups
Application security
- OWASP Top 10 protection
- SQL injection protection (parameterised queries)
- XSS protection (Vue 3 automatic escaping)
- CSRF tokens in all forms