Security Architecture

Security architecture for enterprise ERP data

When your ERP holds your entire procurement history, the connector security model matters. Here is exactly how Greenopsiq handles your data.

Security Model

Read-only, zero-persistence model

Read-only OAuth tokens only

Greenopsiq never writes to your ERP. OAuth scopes are explicitly limited to read operations on the data types you authorize. Tokens are stored in vaults encrypted with a hardware security module (HSM).

No raw data storage

We process transactions in-memory to produce classified emission records. Raw GL line items are not persisted in Greenopsiq systems — only the classified output and your report.

Customer-controlled encryption keys

Report outputs are encrypted at rest using keys you control. We use AES-256-GCM. Professional and Enterprise tiers support BYOK via AWS KMS.

SOC 2 controls in progress

We are building with SOC 2 Type I controls in place and are targeting SOC 2 Type II attestation. The current controls list is available to Enterprise customers under NDA.


Data Architecture

Data flow — what moves where

Processing Pipeline

  • Your ERP: SAP · Oracle · NetSuite
  • Read-only OAuth Pull: GL · PO · Expense records
  • In-Memory Processing: Classification engine
  • ESRS Report Output: Encrypted at rest with your keys

What is NOT stored

  • Raw GL transaction data
  • Employee PII from expense reports
  • Supplier pricing or contract data
  • Unclassified transaction records

Where data resides

Classified emission records and ESRS reports: AWS us-east-1, encrypted at rest (AES-256-GCM). Processing compute: ephemeral containers, no disk persistence. OAuth tokens: HSM-backed vault, isolated per customer.

Access Controls

Access controls and audit logging

Every API call to your ERP is logged with timestamp, OAuth token fingerprint, and data scope. Logs are available in your Greenopsiq dashboard for 13 months. SSO via SAML 2.0 / OIDC is supported on Professional and Enterprise plans.

We do not offer managed access where a Greenopsiq team member holds your ERP credentials or operates the connector on your behalf. Access is always provisioned by your IT administrator under your organization's OAuth policy. You can revoke the connection at any time from both your ERP's identity management console and your Greenopsiq dashboard.

  • 13-month audit logs: Per-call ERP access history
  • SAML 2.0 / OIDC SSO: Professional & Enterprise
  • Token fingerprint tracking: Full OAuth token lineage
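
A customer-side review of the per-call audit log described above, as an added example that is not Greenopsiq code: it flags calls with a scope outside what you authorized, an unrecognized token fingerprint, or a timestamp after you revoked the token. The export format, field names, scope names and fingerprint values are assumptions constructed for illustration.

```python
import json
from datetime import datetime

# Constructed sample export: one JSON object per ERP call. The field names
# (ts, token_fp, scope) are assumptions; the page only says each call is
# logged with timestamp, OAuth token fingerprint, and data scope.
# Timestamps are assumed to carry a UTC offset.
SAMPLE_LOG = """\
{"ts": "2025-03-01T08:00:00+00:00", "token_fp": "a1b2c3d4", "scope": "gl.read"}
{"ts": "2025-03-01T08:00:05+00:00", "token_fp": "a1b2c3d4", "scope": "po.read"}
{"ts": "2025-03-02T09:30:00+00:00", "token_fp": "ffee0011", "scope": "gl.read"}
{"ts": "2025-03-03T10:00:00+00:00", "token_fp": "a1b2c3d4", "scope": "expense.write"}
{"ts": "2025-03-05T11:00:00+00:00", "token_fp": "a1b2c3d4", "scope": "gl.read"}
"""

# What your IT administrator authorized (hypothetical scope names).
AUTHORIZED_SCOPES = {"gl.read", "po.read", "expense.read"}
# Fingerprint -> revocation time, or None while the token is still active.
KNOWN_TOKENS = {"a1b2c3d4": datetime.fromisoformat("2025-03-04T00:00:00+00:00")}


def review(log_text, scopes=AUTHORIZED_SCOPES, tokens=KNOWN_TOKENS):
    """Return (line_number, reason) for every entry that needs follow-up."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
            ts = datetime.fromisoformat(entry["ts"])
            fp, scope = entry["token_fp"], entry["scope"]
        except (ValueError, KeyError, TypeError):
            # An unparseable record is itself a finding, not something to skip.
            findings.append((n, "malformed entry"))
            continue
        if fp not in tokens:
            findings.append((n, "unknown token fingerprint"))
        elif tokens[fp] is not None and ts >= tokens[fp]:
            findings.append((n, "call after token revocation"))
        if scope not in scopes:
            findings.append((n, "scope outside authorization"))
    return findings


if __name__ == "__main__":
    for line_no, reason in review(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```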

Security questions? Talk directly to engineering.

Enterprise customers can request the full security controls list and conduct a technical security review before signing.