Security

• All traffic is served over HTTPS (TLS).
• The application runs on a dedicated server with firewall and access controls.
• Database access is restricted to the application server.

• Passwords are hashed using bcrypt with 12 rounds.
• Session management uses NextAuth.js with JWT tokens.
• All protected routes require valid session authentication.
• Admin routes require admin role verification.
• Workspace-scoped access control prevents cross-account data access.

• Uploaded ZIP files are extracted to temporary directories and deleted immediately after analysis.
• Analysis reports are stored as JSON in the database.
• No customer Odoo source code is stored on disk long-term.
• Payment processing is handled entirely by Lemon Squeezy — we never store credit card data.

• API keys are stored in environment variables, never in code or the database.
• All AI API calls use HTTPS.
• You can configure your own AI provider endpoint and API key for full control.

• All API endpoints validate input using Zod schemas.
• File uploads are validated for type (.zip only), size, and content.
• ZIP files are checked for excessive file counts and total uncompressed size before extraction.
• Rate limiting prevents abuse of AI and analysis endpoints.

If you discover a security vulnerability, please report it confidentially via our Contact page. We will respond within 48 hours and address confirmed vulnerabilities promptly. Please include:

• Steps to reproduce the issue
• Expected vs actual behavior
• Affected endpoints or components

Odoo Doctor is a self-hosted application. You are responsible for ensuring your deployment complies with applicable regulations in your jurisdiction. We do not currently hold any third-party compliance certifications (e.g., SOC 2, ISO 27001). For questions about our security practices, visit our Contact page.