The PARA Ramp-Odoo integration facilitates secure financial data transfer between Ramp (expenses, bills, transactions) and Odoo ERP systems through an Azure-based backend. This Security Policy outlines the measures in place to protect customer data, ensure compliance with applicable regulations, and maintain operational integrity.
· End-to-End Encryption: All communication between users, PARA Dashboard, Azure Functions, Ramp API, and Odoo ERP occurs over HTTPS (TLS 1.2 or higher).
· Encryption at Rest: Credentials are encrypted before storage in Azure SQL Database.
· Minimal Data Retention: Transactional data is not stored. Only failed records retain metadata (internal ID, timestamp, error details) temporarily until resolved.
· Virtual Network Isolation: All Azure resources (Function Apps, SQL Database, Key Vault) are deployed inside a dedicated Azure Virtual Network (VNet).
· Private Endpoints & Service Endpoints: Used for internal communication between Azure services.
· IP Whitelisting: Access to backend and SQL is restricted to approved subnets and whitelisted IPs.
· User Authentication: PARA Dashboard access requires Microsoft Authentication (MSAL).
· Role-Based Access Control (RBAC): Applied across Key Vault, Functions, and SQL to enforce least-privilege access.
· Managed Identity: System-assigned identities are used for backend authentication instead of shared secrets.
· Token Security: Access tokens are stored only in memory, refreshed automatically, and invalidated upon logout.
· Ramp API Integration: Outbound API calls use HTTPS with 2FA authentication.
· Odoo API Integration: Connection validated with secure credentials retrieved only at runtime.
· Credential Lifecycle: Credentials are never stored client-side. They are encrypted in transit, validated before use, and cleared on logout.
· Non-Sensitive Logging: Logs capture only metadata such as internal IDs, timestamps, and error messages. No financial or PII data is logged.
· Error Metadata Retention: Metadata from failed syncs is automatically purged once the sync succeeds.
· Monitoring & Alerts: Azure Application Insights and logging mechanisms are used to detect anomalies and trigger alerts.
· Data Minimization: The system collects and processes only what is necessary to execute integrations.
· Right to Erasure: Metadata and logs tied to customer data can be deleted upon request, except where retention is legally required.
· GDPR & CCPA Alignment: Users may request access, correction, or deletion of data, in accordance with applicable laws.
This Security Policy is reviewed regularly and updated to reflect evolving best practices, regulatory requirements, and changes in system architecture.