DPA
Effective: 2026-05-09 · ERP Heritage · ABN 95 691 945 182
This page summarises how ERP Heritage handles personal data on customer projects, the sub-processors we use, and where to get our standard Data Processing Addendum. It is the description, not the contract; the signed DPA is the binding instrument.
Roles
For your customers' personal data inside the Odoo system we deliver, you are the controller and we are the processor. We act on your documented instructions, not on our own initiative.
For the website contact form on www.erpheritage.com.au, we are the controller. That use is governed by our Privacy Policy.
Standard DPA
Customers who require a signed Data Processing Addendum can request our standard DPA template before contracting. It includes Standard Contractual Clauses for cross-border transfers where applicable. Email info@erpheritage.com.au with "DPA request" in the subject and we will send the current version within one business day.
Where customer data lives
For customer Odoo deployments, data location depends on the hosting choice you make at the start of the project:
- Self-hosted on your infrastructure. Data stays on your servers. We hold no copy.
- Odoo Online or Odoo.sh. Data lives in Odoo S.A.'s cloud. Their DPA and security disclosures govern; we route any sub-processor concerns through Odoo S.A.
- ERP Heritage managed hosting. Data lives on infrastructure we operate, in the region of your choosing where supported (default: Australia).
Sub-processors we use on managed engagements
The list below covers tools we use to deliver our service. Project-specific tools (your payment gateway, your shipping carrier, etc.) are not listed here because they belong to your engagement.
| Sub-processor | Purpose | Data location |
|---|---|---|
| Cloudflare, Inc. | CDN, DNS, bot protection, web analytics | Global edge |
| Resend, Inc. | Transactional email delivery for our internal notifications | United States |
| Odoo S.A. | Source ERP product; their Online / Odoo.sh hosting where you choose it | Per Odoo S.A. policy |
| GitHub, Inc. | Source code repository for project artefacts where the engagement uses Git | United States |
Material additions or removals are notified to active customers ten business days in advance.
Security posture (summary)
- HTTPS enforced site-wide. HSTS preload eligible.
- All customer Odoo access is authenticated and access-logged.
- API keys for integrations are rotated on personnel change and on a published cadence.
- Backups encrypted at rest. Restore tested at least quarterly on managed-hosting engagements.
- Sub-processor due diligence reviewed annually.
Data subject requests passed to us
If a data subject sends a request directly to us about data we process on your behalf, we forward it to you within two business days and do not respond on our own. The request is your decision to honour.
Breach notification
If we become aware of a personal-data breach affecting your customers' data, we notify your project sponsor without undue delay and in any event within 72 hours, with the information required to assess and notify regulators where applicable.
End of engagement
On contract end, we delete or return your data per the project's signed DPA. Backups roll off on the standard schedule (typically 30 days) unless a longer retention is contractually required.
Contact
DPA requests, sub-processor questions, security disclosures: info@erpheritage.com.au.