Terms and Conditions
PART I. General Terms of Sale
These General Terms of Sale govern the sale of products and services by WANTECH Innovation Technology Limited and its affiliates (collectively, "WANTECH") to the client. Additional terms may apply for services provided by WANTECH (for example, the Subscription Agreement). If these additional terms are inconsistent with the General Terms of Sale, the additional terms will prevail over these General Terms of Sale.
Please read these terms carefully before placing an order with WANTECH. By accepting an order with WANTECH, the client marks its acceptance of these terms.
The client explicitly waives its own standard terms and conditions, even if these were drawn up after these standard terms and conditions of sale. In order to be valid, any derogation must be expressly agreed to in advance in writing.
Our invoices are payable within 7 working days, unless another payment timeframe is indicated on either the invoice or the order. In the event of non-payment by the due date, WANTECH reserves the right to request a fixed interest payment amounting to 15% of the sum remaining due. WANTECH will be authorised to suspend any provision of services without prior warning in the event of late payment.
Certain countries apply withholding at source on the amount of invoices, in accordance with their internal legislation. Any withholding at source will be paid by the client to the tax authorities. Under no circumstances can WANTECH become involved in costs related to a country's legislation. The amount of the invoice will therefore be due to WANTECH in its entirety and does not include any costs relating to the legislation of the country in which the client is located.
WANTECH undertakes to do its best to supply services in due time in accordance with the agreed timeframes. However, none of its obligations can be considered as being an obligation to achieve results. WANTECH cannot, under any circumstances, be required by the client to appear as a third party in the context of any claim for damages filed against the client by an end consumer.
In order for it to be admissible, WANTECH must be notified of any claim by means of a letter sent by recorded delivery to its registered office within 8 days of the delivery of the goods or the provision of the services.
To the maximum extent permitted by law, the aggregate liability of each party together with its affiliates arising out of or related to these terms will not exceed 50% of the total amount paid by the Customer under these terms during the 12 months immediately preceding the date of the event giving rise to such claim. Multiple claims shall not enlarge this limitation.
WANTECH reserves the right to modify these terms at any time without prior notice. The client will be subject to the terms in force at the time of acceptance of those terms.
All our contractual relations will be governed exclusively by Hong Kong law.
PART II. W+ ERP Subscription Agreement
By subscribing to the Wplus ERP (hereafter known as W+ ERP) services (the "Services") provided by WANTECH and its affiliates (collectively, "WANTECH") in relation to W+ ERP lite or W+ ERP (the "Software"), hosted on W+ERP's Cloud platforms (the "Cloud Platform") or on-premises ("Self-Hosting"; not permitted or applicable for W+ERP lite subscription services), you (the "Customer") are agreeing to be bound by the following terms and conditions (the "Agreement").
1 Term of the Agreement
The duration of this Agreement (the "Term") shall be specified in writing on conclusion of this Agreement, beginning on the date of conclusion. It is automatically renewed for an equal Term, unless either party provides written notice of termination to the other party at least 30 days before the end of the Term.
2 Definitions
User
Any active user account with access to the Software in creation and/or edition mode. Deactivated user accounts and accounts used by external people (or systems) who only have limited access to the Software through the portal facilities (known as "portal Users") are not counted as Users.
App
An "App" is a specialized group of features available for installation in the Software, and listed in the public Pricing section of wpluserp website.
Bug
Any failure of the Software that results in a complete stop, error traceback or security breach, and is not directly caused by a defective installation or configuration, is considered a Bug. Non-compliance with specifications or requirements will be considered a Bug at the discretion of WANTECH (typically, when the Software does not produce the results or performance it was designed to produce, or when a country-specific feature no longer meets legal accounting requirements).
3 Access to the Software
The Customer can use the Software hosted on the Cloud Platform, or choose the Self-Hosting option. The Cloud Platform is hosted and fully managed by WANTECH, and accessed remotely by the Customer. With the Self-Hosting option, the Customer instead hosts the Software on computer systems of their choice, that are not under the control of WANTECH.
For the duration of this Agreement, WANTECH gives the Customer a non-exclusive, non-transferable license to use the W+ERP software, under the terms set forth in 9 Appendix A: W+ ERP Subscription license.
WANTECH commits not to disclose individual or named figures to third parties without the consent of the Customer, and to deal with all collected data in compliance with its official Privacy Policy.
Upon expiration or termination of this Agreement, this license is revoked immediately and the Customer agrees to stop using the W+ERP software and the Cloud Platform.
Should the Customer breach the terms of this section, the Customer agrees to pay WANTECH an extra fee equal to 300% of the applicable list price for the actual number of Users and installed Apps.
4 Services
4.1 Bug Fixing Service
For the duration of this Agreement, WANTECH commits to making all reasonable efforts to remedy any Bug of the Software submitted by the Customer through the appropriate channel (typically, WANTECH's service desk email address or website form).
The Customer understands that Bugs caused by a modification or extension that is not part of the official Software will not be covered by this service.
As soon as the Bug is fixed, an appropriate remedy will be communicated to the Customer.
WANTECH commits to fixing the Bug in the Software Versions the Customer subscribes to but not any other versions.
Both parties acknowledge that as specified in the license of the Software and in the 7.3 Limitation of Liability section of this Agreement, WANTECH cannot be held liable for Bugs in the Software.
4.2 Security Updates Service
Cloud Platform
WANTECH commits to apply the security remedies for any security Bug discovered in a version of the Software hosted on the Cloud Platform, on all systems under its control, as soon as the remedy is available, without requiring any manual action of the Customer.
4.3 Cloud Hosting Services
For the duration of this Agreement, when the Customer chooses to use the Cloud Platform, WANTECH commits to providing at least the following services:
- SSL (HTTPS) encryption of communication
- Fully automated, verified backups
4.4 Support Services
Scope
For the duration of this Agreement, the Customer may open an unlimited number of support tickets free of charge, exclusively for questions regarding Bugs (see 4.1 Bug Fixing Service) or guidance with respect to the use of the standard features of the Software and Services (functionalities, intended use, configuration, troubleshooting).
Other assistance requests, such as questions related to development, customizations, installation for Self-Hosting, or services requiring access to the Customer's database, may be covered through the purchase of separate maintenance services.
Availability
Tickets can be submitted online at https://www.wpluserp.com/help, subject to opening hours.
5 Charges and Fees
5.1 Standard charges
The standard charges for the W+ ERP subscription and the Services are based on the number of Users, the installed Apps and the Software version used by the Customer, and are specified in writing at the conclusion of the Agreement.
When, during the Term, the Customer has more Users or more installed Apps than specified at the time of conclusion of this Agreement, the Customer agrees to pay an extra fee equivalent to the applicable list price (at the beginning of the Term) for the additional Users or Apps, for the remainder of the Term.
5.2 Charges for Upgrade Services of customized modules
The additional charge for the Upgrade Service for customized modules will be based on the level of customization required, calculated in man-days.
5.3 Taxes
All fees and charges are exclusive of all applicable federal, provincial, state, local or other governmental taxes, fees or charges (collectively, "Taxes"). The Customer is responsible for paying all Taxes associated with purchases made by the Customer under this Agreement, except when WANTECH is legally obliged to pay or collect Taxes for which the Customer is responsible.
6 Conditions of Services
6.1 Customer Obligations
The Customer agrees to:
- pay WANTECH any applicable charges for the Services of the present Agreement, in accordance with the payment conditions specified in the corresponding invoice;
- immediately notify WANTECH when their actual number of Users or their installed Apps exceeds the numbers specified at the conclusion of the Agreement, and in this event, pay the applicable additional fee as described in section 5.1 Standard charges;
- take all measures necessary to guarantee the unmodified execution of the part of the Software that verifies the validity of the W+ERP usage, as described in 3 Access to the Software;
- appoint 1 dedicated Customer contact person for the entire duration of the Agreement.
When the Customer chooses to use the Cloud Platform, the Customer further agrees to:
- take all reasonable measures to keep their user accounts secure, including by choosing a strong password and not sharing it with anyone else;
- make reasonable use of the Hosting Services, to the exclusion of any illegal or abusive activities, and strictly observe the rules outlined in the Acceptable Use Policy.
When the Customer chooses the Self-Hosting option, the Customer further agrees to:
- take all reasonable measures to protect the Customer's files and databases and to ensure the Customer's data is safe and secure, acknowledging that WANTECH cannot be held liable for any data loss;
- grant WANTECH the necessary access to verify the validity of the Odoo Enterprise Edition usage upon request (e.g. if the automatic validation is found to be inoperative for the Customer).
6.2 Publicity
Except where notified otherwise in writing, each party grants the other a non-transferable, non-exclusive, royalty free, worldwide license to reproduce and display the other party’s name, logos and trademarks, solely for the purpose of referring to the other party as a customer or supplier, on websites, press releases and other marketing materials.
6.3 Confidentiality
Definition of "Confidential Information":
All information disclosed by a party (the "Disclosing Party") to the other party (the "Receiving Party"), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. In particular any information related to the business, affairs, products, developments, trade secrets, know-how, personnel, customers and suppliers of either party should be regarded as confidential.
For all Confidential Information received during the Term of this Agreement, the Receiving Party will use the same degree of care that it uses to protect the confidentiality of its own similar Confidential Information, but not less than reasonable care.
The Receiving Party may disclose Confidential Information of the Disclosing Party to the extent compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of the compelled disclosure, to the extent permitted by law.
6.4 Data Protection
Processing of Personal Data
The parties acknowledge that the Customer's database may contain Personal Data, for which the Customer is the Controller. This data will be processed by WANTECH when the Customer instructs so, by using any of the Services that require a database (e.g. the Cloud Hosting Services or the Database Upgrade Service), or if the Customer transfers their database or a part of their database to WANTECH for any reason pertaining to this Agreement.
WANTECH commits to:
- only process the Personal Data when and as instructed by the Customer, and for the purpose of performing one of the Services under this Agreement, unless required by law to do so, in which case WANTECH will provide prior notice to the Customer, unless the law forbids it;
- ensure that all persons within WANTECH authorised to process the Personal Data have committed themselves to confidentiality;
- implement and maintain appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure;
- forward promptly to the Customer any Data Protection request that was submitted to WANTECH with regard to the Customer's database;
- notify the Customer promptly upon becoming aware of and confirming any accidental, unauthorized, or unlawful processing of, disclosure of, or access to the Personal Data;
- permanently delete all copies of the Customer's database in possession of WANTECH, or return such data, at the Customer's choice, upon termination of this Agreement, subject to the delays specified in WANTECH's Privacy Policy.
With regard to point (d), the Customer agrees to provide WANTECH with accurate contact information at all times, as necessary to notify the Customer's Data Protection responsible.
6.5 Termination
In the event that either Party fails to fulfil any of its obligations arising herein, and if such breach has not been remedied within 30 calendar days from the written notice of such breach, this Agreement may be terminated immediately by the non-breaching Party.
Further, WANTECH may terminate the Agreement immediately in the event the Customer fails to pay the applicable fees for the Services within the due date specified on the corresponding invoice.
Surviving Provisions:
The sections "6.3 Confidentiality", "7.2 Disclaimers", "7.3 Limitation of Liability", and "8 General Provisions" will survive any termination or expiration of this Agreement.
7 Warranties, Disclaimers, Liability
7.1 Warranties
For the duration of this Agreement, WANTECH commits to using commercially reasonable efforts to execute the Services in accordance with the generally accepted industry standards provided that:
- the Customer's computing systems are in good operational order and, for Self-Hosting, that the Software is installed in a suitable operating environment;
- the Customer provides adequate troubleshooting information and, for Self-Hosting, any access that WANTECH may need to identify, reproduce and address problems;
- all amounts due to WANTECH have been paid.
7.2 Disclaimers
Except as expressly provided herein, neither party makes any warranty of any kind, whether express, implied, statutory or otherwise, and each party specifically disclaims all implied warranties, including any implied warranty of merchantability, fitness for a particular purpose or non-infringement, to the maximum extent permitted by applicable law.
WANTECH does not warrant that the Software complies with any local or international law or regulations.
7.3 Limitation of Liability
To the maximum extent permitted by law, the aggregate liability of each party together with its affiliates arising out of or related to this Agreement will not exceed 50% of the total amount paid by the Customer under this Agreement during the 12 months immediately preceding the date of the event giving rise to such claim. Multiple claims shall not enlarge this limitation.
In no event will either party or its affiliates be liable for any indirect, special, exemplary, incidental or consequential damages of any kind, including but not limited to loss of revenue, profits, savings, loss of business or other financial loss, costs of standstill or delay, lost or corrupted data, arising out of or in connection with this Agreement regardless of the form of action, whether in contract, tort (including strict negligence) or any other legal or equitable theory, even if a party or its affiliates have been advised of the possibility of such damages, or if a party or its affiliates' remedy otherwise fails of its essential purpose.
7.4 Force Majeure
Neither party shall be liable to the other party for the delay in any performance or failure to render any performance under this Agreement when such failure or delay is caused by governmental regulations, fire, strike, war, flood, accident, epidemic, embargo, appropriation of plant or product in whole or in part by any government or public authority, or any other cause or causes, whether of like or different nature, beyond the reasonable control of such party as long as such cause or causes exist.
8 General Provisions
8.1 Governing Law
Both parties agree that the laws of Hong Kong will apply, should any dispute arise out of or in connection with this Agreement, without regard to choice or conflict of law principles. To the extent that any lawsuit or court proceeding is permitted hereinabove, both parties agree to submit to the sole jurisdiction of Hong Kong for the purpose of litigating all disputes.
8.2 Severability
In case any one or more of the provisions of this Agreement or any application thereof shall be invalid, illegal or unenforceable in any respect, the validity, legality and enforceability of the remaining provisions of this Agreement and any application thereof shall be in no way thereby affected or impaired. Both parties undertake to replace any invalid, illegal or unenforceable provision of this Agreement by a valid provision having the same effects and objectives.
PART III. Privacy
1. Privacy Policy
How we protect your privacy on wpluserp.com and when you use our services.
WANTECH Innovation Technology Ltd and its affiliates offer many services to
help you run your business, including a platform to host your own Wplus ERP
(hereafter known as W+ERP) database. As part of running those services we
collect data about you and your business. This data is not only essential
to run our services, but also critical for the safety of our services and
all our users.
This policy explains what information is collected, why it is collected,
and how we use it.
Information we collect
Most of the personal data we collect is directly provided by our users when
they register and use our services. Other data is collected by recording
interactions with our services.
Account & Contact Data:
When you register on our website to use or download one of our products, or
to subscribe to one of our services (W+ ERP lite, W+ ERP, etc.), or fill in
one of our contact forms, you voluntarily give us certain information. This
typically includes your name, company name, email address, and
sometimes your phone number, postal address (when an invoice or
delivery is required), business sector, as well as a personal password.
We never record or store credit card information from our customers,
and always rely on trusted third-party PCI-DSS-compliant payment processors
for credit card processing, including for recurring payment processing.
Job Application Data:
When you apply for a job on our website or via an employment agency, we
usually collect your contact information (name, email, phone), and any
information you choose to share with us in your introduction letter and
Curriculum Vitae. If we decide to send you a job proposition, we will also
ask you to provide extra personal details, as required to fulfil our legal
obligations and personnel management requirements.
We will not ask you to provide information that is not necessary for the
recruitment process. In particular, we will never collect any information
about your racial or ethnic origin, political opinions, religious beliefs,
trade union membership or sexual life.
Browser Data:
When you visit our website and access our online services, we detect and
store your browser language and geolocation, in order to customize your
experience according to your country and preferred language. Our servers
also passively record a summary of the information sent by your browser,
for statistical, security and legal purposes: your IP address, the time and
date of your visit, your browser version and platform, and the web page
that referred you to our website.
Customer Database:
When you subscribe to a W+ERP Cloud service and create your own W+ERP
database (for example by starting a Free Trial), any information or content
you submit or upload into your database is your own, and you control it
fully.
Similarly, when you upload an on-premises database to the W+ ERP website,
you own the data in it.
This data will often include personal information, for example: your list
of employees, your contacts and customers, your messages, pictures, videos,
etc. We only ever collect this information on your behalf, and you always
retain ownership and full control of this data.
How we use this information
Account & Contact Data:
We use your contact information in order to provide our services, to answer
your requests, and for billing and account management reasons. We may also
use this information for marketing and communication purposes (our
marketing messages always come with a way for you to opt-out at any time).
We also use this data in aggregated/anonymised form in order to analyse
service trends.
If you have registered to participate in an event published on our website,
we may transfer your name, email address, phone number and company name to
our local organizer and to the sponsors of the event, for both direct
marketing purposes and in order to facilitate the preparations and booking
for the event.
If you have expressed interest in using W+ ERP or otherwise asked to be
contacted by a W+ERP service provider, we may also transfer your name, email
address, phone number and company name to one of our official partners in
your country or region, for the purpose of contacting you to offer their
local assistance and services.
Job Application Data:
We will only process this information for our recruitment process, in order
to evaluate and follow-up with your application, and in the course of
preparing your contract, if we decide to send you a job proposition. You
may contact us at any time to request the deletion of your information.
Browser Data:
This automatically recorded data is anonymously analyzed in order to
maintain and improve our services. We will only correlate this data with
your personal data when required by law or for security purposes, if you
have violated our Acceptable Use Policy.
Acceptable Use Policy
Usage of W+ERP Cloud Services is subject to this Acceptable Use Policy (AUP). This AUP is incorporated by reference into, and governed by, the W+ERP Subscription Agreement between you (Customer) and Wantech Innovation Technology Limited. Customers who are found to be violating these rules may see their subscriptions suspended without prior notice. The subscription fees will usually not be refunded.
Illegal or Harmful Use
You may not use W+ERP services for storing, displaying, distributing or otherwise processing illegal or harmful content. This includes:
- Illegal Activities: promoting gambling-related sites or services, or child pornography.
- Harmful or Fraudulent Activities: Activities harmful to others, promoting fraudulent goods, services, schemes, or promotions (e.g., make-money-fast schemes, ponzi and pyramid schemes, phishing, or pharming), or engaging in other deceptive practices.
- Infringing Content: Content that infringes the intellectual property of others.
- Offensive Content: Content that is defamatory, obscene, abusive, invasive of privacy, or otherwise objectionable, including content that constitutes child pornography, relates to bestiality, or depicts non-consensual sex acts.
- Harmful Content: Malicious and malware content, such as viruses, trojan horses, worms, etc.
- Spam Content: Content that is published for "black hat SEO" purposes, using tricks such as link building / link spam or keyword spam, in order to exploit the reputation of Odoo services for promoting third-party content, goods or services.
You may not use W+ERP services for spamming. This includes:
- Unsolicited messages: sending or facilitating the distribution of unsolicited bulk emails and messages, either directly via Odoo Cloud or indirectly via third-party email services. This includes the use of bulk email lists. Any mass-mailing activity is subject to the applicable legal restrictions, and you must be able to show evidence of consent/opt-in for your bulk email distribution lists.
- Spoofing: sending emails or messages with forged or obfuscated headers, or assuming an identity without the sender's permission.
Security Violations
You may not attempt to compromise W+ERP services, to access or modify content that does not belong to you, or to otherwise engage in malicious actions:
- Unauthorized access: accessing or using any W+ERP system or service without permission
- Security research: conducting any security research or audit on W+ERP systems without written permission to do so, including via scanners and automated tools. Please see our Responsible Disclosure page for more information regarding WANTECH security research.
- Eavesdropping: listening to or recording data that does not belong to you without permission
- Other attacks: non-technical attacks such as social engineering, phishing, or physical attacks against anyone or any system
You may not abuse the resources and systems of W+ERP. In particular the following activities are prohibited:
- Network abuse: causing Denial of Service (DoS) by flooding systems with network traffic that slows down the system, makes it unreachable, or significantly impacts the quality of service.
- Unthrottled RPC/API calls: sending large numbers of RPC or remote API calls to our systems without appropriate throttling, with the risk of impacting the quality of service for other users. Note: W+ERP provides batch APIs for imports, so there should be no need for this. Throttled calls are typically acceptable at a rate of 1 call/second, with no parallel calls. Exceptions may be authorized on a case-by-case basis; please contact us if you think you need one.
- Overloading: voluntarily impacting the performance or availability of systems with abnormal content such as very large data quantities, or very large numbers of elements to process, such as email bombs.
- Crawling: automatically crawling resources in a way that impacts the availability and performance of the systems.
- Attacking: using the W+ERP services to attack, crawl or otherwise impact the availability or security of third-party systems.
- Abusive registrations: using automated tools to repeatedly register or subscribe to W+ERP services, or registering or subscribing with fake credentials, or under the name of someone else without their permission.
Customer Database:
We only collect and process this data on your behalf, in order to perform
the services you have subscribed to, and based on the instructions you
explicitly gave when you registered or configured your service and your
W+ERP database.
Our Helpdesk staff and engineers may access this information in a limited
and reasonable manner in order to solve any issue with our services, or at
your explicit request for support reasons, or as required by law, or to
ensure the security of our services in case of violation of our Acceptable
Use Policy.
Accessing, Updating or Deleting Your Personal Information
Account & Contact Data:
You have the right to access and update personal data you have previously
provided to us. You can do so at any time by connecting to your personal
account on wpluserp.com. If you wish to permanently delete your account or
personal information for a legitimate purpose, please contact our Helpdesk
to request so. We will take all reasonable steps to permanently delete your
personal information, except when we are required to keep it for legal
reasons (typically, for administration, billing and tax reporting reasons).
Job Application Data:
You may contact us at any time to request access, updates or deletion of
your application information. The easiest way to do it is to reply to the
last message you exchanged with our Human Resource personnel.
Customer Database:
You can manage any data collected in your databases hosted on wpluserp.com
at any time, using your administration credentials, including modifying or
deleting any personal data stored therein.
At any time you can export a complete backup of your database via our
control panel, in order to transfer it, or to manage your own
backups/archive. You are responsible for processing this data in compliance
with all privacy regulations. You may also request the deletion of your
entire database via your control panel, at any time. When you use the W+ERP
Database Upgrade service, your data is automatically deleted after your
upgrade has been successfully completed, and may also be deleted upon
request from you.
Safety Retention Period: we retain a copy of your data in our backups for
safety reasons, even after it is destroyed from our live systems. See Data
Retention for more details.
Security
We realize how important and sensitive your personal data is, and we take a great number of measures to ensure that this information is securely processed, stored and preserved from data loss and unauthorized access. Our technical, administrative and organizational security measures are described in detail in our Security Policy.
Third Party Service Providers
In order to support our operations we rely on several Service Providers.
They help us with various services such as payment processing, web audience
analysis, cloud hosting, marketing and communication, etc.
Whenever we share data with these Service Providers, we make sure that they
use it in compliance with Data Protection legislation, and that the
processing they carry out for us is limited to our specific purpose and
covered by a specific data processing contract.
Here is a list of the Service Providers we are currently using, why we use
them, and what kind of data we share with them:
| Service Provider | Purpose | Shared Data |
| --- | --- | --- |
| Paypal | Payment processing on wpluserp.com | Shared with Paypal: Order details (amount, description, reference), Customer name and email |
| AliCloud | Infrastructure and hosting, DDoS Protection | Hosted by AliCloud: Production data from wpluserp.com and its affiliate services, including Customer Databases. |
| Google Analytics | Anonymous website audience analysis | Shared with Google Analytics: Non-personal browser data, anonymized IP, geolocation info, language (no identifiable information) |
| Google Calendar | Calendar data synchronisation | Shared with Google Calendar: Any contact and personal information entered by the user for calendar purposes |
| SendGrid | Email sending services | Shared with SendGrid: Any contact and personal information entered by the user for email sending services |
Data Retention
Account & Contact Data: we will only retain such data as long as necessary
for the purpose for which it was collected, as laid out in this policy,
including any legal retention period, or as long as necessary to carry out
a legitimate and reasonable promotion of our products and services.
Job Application Data:
If we do not hire you, we may keep the information you provide for up to 2
years in order to contact you again for any new job proposition that may
come up, unless you ask us not to do so. If we hire you, your personal
information will be stored for the duration of your employment contract
with us, and afterwards, during the applicable legal retention period that
applies in the country where we employed you.
Browser Data: we will only retain this data for a short period of time, generally 2
months, unless we need to keep it in relation with a legitimate concern
related to the security or performance of our services, or as required by
law.
Customer Database: we will only retain this data as long as necessary for providing the
services you subscribed to. For databases hosted on the W+ERP Cloud, if you
cancel the service your database is kept deactivated for 3 weeks (the grace
period during which you can change your mind), and then destroyed. For
databases uploaded to the W+ERP Database Upgrade website, your database is
kept for up to 4 months after the last successful upgrade, and may be
deleted earlier upon request.
Safety Retention Period:
As part of our Security Policy, we always try to preserve your data from accidental or malicious deletion. As a result, after we delete any of your personal information (Account & Contact Data) from our database upon request from you, or after you delete any personal information from your database (Customer Database), or if you delete your entire database, it is not immediately deleted from our backup systems, which are secured and inalterable. The personal data could remain stored for up to 12 months in those backups, until they are automatically destroyed.
We commit not to use those backup copies of your deleted data for any
purpose except for maintaining the integrity of our backups, unless you or
the law require us to do so.
Transfer of Data
Hosting Services
Hosting Locations: Customer databases are hosted in the W+ERP data center closest to where
they are based: Hong Kong or Singapore. Customers can request that their
data be moved to one of the other data centers.
Backup Locations: We utilize a "Triplicate technology", which automatically stores all of the data copies across different servers and provides 99% data reliability for Elastic Compute Service (Server) instances.
Backups are replicated in an additional separate server in order to meet our Disaster Recovery objectives, see our Cloud Hosting SLA.
Third Party Disclosure
Except as explicitly mentioned above, we do not sell, trade, or otherwise transfer your personal data to third parties. We may share or disclose aggregated or de-identified information, for research purposes, or to discuss trends or statistics with third-parties.
Cookie Policy
Cookies
are small bits of information sent by our servers to your computer or
device when you access our services, and unique to you. They are stored in
your browser and later sent back to our servers so that we can provide
contextual content. We use them to support your activities on our website,
for example your session (so you don't have to login again) or your
shopping cart.
Cookies are also used to help us understand your preferences based on
previous or current activity on our website (the pages you have visited),
your language and country, which enables us to provide you with improved
services. We also use cookies to help us compile aggregate data about site
traffic and site interaction so that we can offer better site experiences
and tools in the future.
We also use third-party services such as Google Analytics, who set and use
their own cookies to identify visitors and provide their own contextual
services. For more information regarding those third-party providers and
their Cookie Policy, please see the relevant references in the Third-Party
Service Providers section.
You can choose to have your computer warn you each time a cookie is being
sent, or you can choose to turn off all cookies. Each browser is a little
different, so look at your browser's Help menu to learn the correct way to
modify your cookies, or look at the links below.
Chrome: https://support.google.com/chrome/answer/95647?hl=en
Explorer: https://support.microsoft.com/en-us/products/windows?os=windows-10
Safari: https://support.apple.com/kb/PH21411
Firefox: https://support.mozilla.org/products/firefox/cookies
Opera: http://www.opera.com/help/tutorials/security/cookies/
We do not currently support Do Not Track signals, as there is no industry standard for compliance.
Policy Updates
We may update this Privacy Policy from time to time, in order to clarify it, or to comply with legal obligations. The "Last Updated" mention at the top of the policy indicates the last revision, which is also the effective date of those changes. If you continue to use our services after such a change, you agree to our updated policy.
Contacting Us
If you have any question regarding this Privacy Policy, or any enquiry about your personal data, please reach out to the W+ERP Helpdesk or contact us via email at support@wpluserp.com or by post:
WANTECH Innovation Technology Limited
Unit 206, 2/F, Premier Centre, 20 Cheung Shun Street,
Cheung Sha Wan, Kowloon,
Hong Kong
Part IV. Security
Your security is very important to us! Here is a summary of what we do every day to guarantee that your data is safe with W+ERP and that we apply best security practices on our hosted version, the W+ERP Cloud.
W+ERP Cloud
RPO (Recovery Point Objective) = 24h. This means you can lose at most 24h of work if the data cannot be recovered and we need to restore your latest daily backup.
RTO (Recovery Time Objective) = 24h for paid subscriptions, 48h for free trials, education offers, freemium users, etc. This is the time to restore the service in a different data center if a disaster occurs and a data center is completely down.
How is this accomplished:
The Detection module discovers that the master node has an exception and instructs the Repair module to fix it. If the Repair module fails to resolve the problem, it informs the Notice module. The Notice module then forwards the failover request to the SLB or Proxy module, which begins to redirect all traffic to the slave node. At the same time, the Repair module creates a new slave node on another physical server and synchronizes this change back to the Detection module. The Detection module then starts to recheck the health status of the instance. ECS instance failover should take about 5-10 minutes within the same zone.
RTO: if the data center is completely down, we begin to redirect all traffic to the slave node in a different region. We can restore the daily snapshot (backup) to any server within 5-10 minutes. It may take additional time to debug and change the client configuration.
Password Security
Customer passwords are protected with industry-standard PBKDF2+SHA512 hashing (salted + stretched for thousands of rounds)
W+ERP staff does not have access to your password and cannot retrieve it for you; the only option if you lose it is to reset it
Login credentials are always transmitted securely over HTTPS
Staff Access
W+ERP helpdesk staff may sign into your account to access settings related to your support issue. For this they use their own special staff credentials, not your password (which they have no way to know)
This special staff access improves efficiency and security: they can immediately reproduce the problem you are seeing, you never need to share your password, and we can audit and control staff actions separately!
Our Helpdesk staff strives to respect your privacy as much as possible, and only access files and settings needed to diagnose and resolve your issue
System Security
All W+ERP Cloud servers are running hardened Linux distributions with up-to-date security patches
Installations are ad-hoc and minimal to limit the number of services that could contain vulnerabilities (no PHP/MySQL stack for example)
Physical Security
W+ERP Cloud servers are hosted in trusted data centers in various regions of the world (e.g. AliCloud), and they must all exceed our physical security criteria:
Restricted perimeter, physically accessed by authorized data center employees only
Credit Card Safety
We never store credit card information on our own systems.
Your credit card information is always transmitted securely directly between you and our PCI-Compliant payment acquirers (see the list on our Privacy Policy page).
Communications
All web connections to client instances are protected with SSL encryption
Our servers are kept under a strict security watch, always patched against the latest SSL vulnerabilities, and maintain their SSL ratings at all times.
Network defense
All data center providers used by W+ERP Cloud have very large network capacities, and have designed their infrastructure to withstand the largest Distributed Denial of Service (DDoS) attacks. Their automatic and manual mitigation systems can detect and divert attack traffic at the edge of their multi-continental networks, before it gets the chance to disrupt service availability.
Firewalls and intrusion prevention systems on W+ERP Cloud servers help detect and block threats such as brute-force password attacks.
As of Odoo 12.0, customer database administrators even have the option to configure the rate limiting and cooldown duration for repeated login attempts.
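The rate limiting and cooldown described above, as an added example that is not W+ERP's or Odoo's code: a per-key limiter (the key can be the login name, the source address, or both, whichever the administrator chooses) that stops checking credentials once the configured number of failures is reached and lets the key try again only after the cooldown. The defaults, the in-memory counters and the `attempt_login` wrapper are assumptions of this example.

```python
"""Login rate limiting with a cooldown after repeated failures (added example).

This is illustration code, not W+ERP's or Odoo's implementation. The
attempt threshold and cooldown length are assumed to be administrator
settings, as the page describes; the defaults below are hypothetical. Counters
live in memory here; a multi-worker deployment would keep them in the
database or a shared cache so every worker sees the same state.
"""
import time


class LoginRateLimiter:
    def __init__(self, max_attempts=5, cooldown_seconds=60.0):
        self.max_attempts = max_attempts          # failures tolerated before a cooldown starts
        self.cooldown_seconds = cooldown_seconds  # how long the key stays blocked
        self._failures = {}                       # key -> (failure count, time of last failure)

    def _state(self, key, now):
        count, last = self._failures.get(key, (0, 0.0))
        # Failures older than one cooldown window are forgotten, so a key
        # that has been quiet for a while starts with a clean slate.
        if count and now - last > self.cooldown_seconds:
            return 0, 0.0
        return count, last

    def is_blocked(self, key, now=None):
        now = time.monotonic() if now is None else now
        count, _ = self._state(key, now)
        return count >= self.max_attempts

    def retry_after(self, key, now=None):
        """Seconds until `key` may try again; 0.0 if it is not blocked."""
        now = time.monotonic() if now is None else now
        count, last = self._state(key, now)
        if count < self.max_attempts:
            return 0.0
        return max(0.0, self.cooldown_seconds - (now - last))

    def record_failure(self, key, now=None):
        now = time.monotonic() if now is None else now
        count, _ = self._state(key, now)
        self._failures[key] = (count + 1, now)

    def record_success(self, key):
        # A successful login clears the counter for that key.
        self._failures.pop(key, None)


def attempt_login(limiter, key, password_ok, now=None):
    """Wrap a credential check with the limiter.

    Returns "blocked" (cooldown active, credentials not even checked),
    "denied" (wrong credentials, failure recorded) or "ok".  `password_ok`
    stands in for the real credential check, which this example does not have.
    """
    if limiter.is_blocked(key, now):
        return "blocked"
    if password_ok:
        limiter.record_success(key)
        return "ok"
    limiter.record_failure(key, now)
    return "denied"


if __name__ == "__main__":
    # Constructed sequence: three bad passwords for one login, then a
    # fourth attempt that is refused without checking the password.
    limiter = LoginRateLimiter(max_attempts=3, cooldown_seconds=60.0)
    for t in (0.0, 1.0, 2.0, 3.0):
        print(t, attempt_login(limiter, "alice", password_ok=(t == 3.0), now=t))
    print("retry after", limiter.retry_after("alice", now=3.0), "s")
```

Attempts made while a key is blocked are refused without touching the counter, so the cooldown has a fixed length: a third party who keeps hammering a login name cannot keep its legitimate owner locked out forever, and the password is not evaluated at all during the block, which is what turns a brute-force attempt into a bounded number of guesses per window.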
W+ERP Software Security
W+ERP is open source, so the whole codebase is continuously under examination by W+ERP users and contributors worldwide. Community bug reports are therefore one important source of feedback regarding security. We encourage developers to audit the code and report security issues.
The W+ERP R&D processes have code review steps that include security aspects, for new and contributed pieces of code.
Secure by design
W+ERP is designed in a way that prevents introducing most common security vulnerabilities:
SQL injections are prevented by the use of a higher-level API that does not require manual SQL queries
XSS attacks are prevented by the use of a high-level templating system that automatically escapes injected data
The framework prevents RPC access to private methods, making it harder to introduce exploitable vulnerabilities
See also the OWASP Top Vulnerabilities section to see how W+ERP is designed from the ground up to prevent such vulnerabilities from appearing.
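The SQL injection point above (and the Injection Flaws item in the OWASP section below), as an added example that is not the W+ERP/Odoo ORM: a query that pastes user input into SQL text beside its parameterized form, followed by a small domain-to-SQL builder that shows the ORM idea of letting only whitelisted field names and operators reach the query string while every value is bound as a parameter. The `res_partner` table, its rows, and the field and operator whitelists are constructed for this example.

```python
"""Parameterized queries and a domain-to-SQL builder (added example).

Illustration only, not the W+ERP/Odoo ORM.  It uses Python's sqlite3 module
and a constructed `res_partner` table to contrast a query that pastes user
input into SQL text with a parameterized query, and sketches how a
domain-style API ([(field, operator, value), ...]) can generate SQL without
ever letting the value touch the query string.  Field and operator
whitelists are assumptions of this example.
"""
import sqlite3

# Constructed sample rows for the demonstration.
SAMPLE_PARTNERS = [
    ("Alice", "alice@example.com"),
    ("Bob", "bob@example.com"),
    ("Carol", "carol@example.com"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE res_partner (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO res_partner (name, email) VALUES (?, ?)", SAMPLE_PARTNERS)
    return conn


def find_by_name_unsafe(conn, name):
    # VULNERABLE: the caller's string becomes part of the SQL text, so quote
    # characters in it change the meaning of the query.
    sql = "SELECT name FROM res_partner WHERE name = '%s'" % name
    return sorted(row[0] for row in conn.execute(sql))


def find_by_name_safe(conn, name):
    # SAFE: the value is bound separately; the driver never parses it as SQL.
    rows = conn.execute("SELECT name FROM res_partner WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


# What an ORM layer does for the developer: only whitelisted field names and
# operators reach the SQL text, and every value is a bound parameter.
ALLOWED_FIELDS = {"name", "email"}
OPERATORS = {"=": "=", "!=": "<>", "ilike": "LIKE"}


def domain_to_sql(domain):
    """Translate [(field, op, value), ...] into (sql, params)."""
    clauses, params = [], []
    for field, op, value in domain:
        if field not in ALLOWED_FIELDS:
            raise ValueError("unknown field %r" % field)
        if op not in OPERATORS:
            raise ValueError("unknown operator %r" % op)
        if op == "ilike":
            clauses.append("LOWER(%s) LIKE LOWER(?)" % field)
            params.append("%" + value + "%")
        else:
            clauses.append("%s %s ?" % (field, OPERATORS[op]))
            params.append(value)
    where = " AND ".join(clauses) if clauses else "1=1"
    return "SELECT name FROM res_partner WHERE " + where, params


def search(conn, domain):
    sql, params = domain_to_sql(domain)
    return sorted(row[0] for row in conn.execute(sql, params))


if __name__ == "__main__":
    conn = make_db()
    hostile = "' OR '1'='1"  # constructed input that closes the quote and adds a tautology
    print("unsafe, hostile input:", find_by_name_unsafe(conn, hostile))  # every partner
    print("safe, hostile input:  ", find_by_name_safe(conn, hostile))    # nobody has that name
    print("domain search:", search(conn, [("email", "ilike", "example.com"), ("name", "!=", "Bob")]))
```

The important property of `domain_to_sql` is that nothing the caller supplies is ever concatenated into the query: field and operator names must match a fixed set, and the value always travels as a parameter, so the same hostile string that empties out `find_by_name_unsafe` simply matches no row here.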
OWASP Top Vulnerabilities
- Injection Flaws: Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data. W+ERP relies on an object-relational-mapping (ORM) framework that abstracts query building and prevents SQL injections by default. Developers do not normally craft SQL queries manually; they are generated by the ORM, and parameters are always properly escaped.
- Cross Site Scripting (XSS): XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc. The W+ERP framework escapes all expressions rendered into views and pages by default, preventing XSS. Developers have to specially mark expressions as "safe" for raw inclusion into rendered pages.
- Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim. The wpluserp website engine includes a built-in CSRF protection mechanism. It prevents any HTTP controller from receiving a POST request without the corresponding security token. This is the recommended technique for CSRF prevention. This security token is only known and present when the user genuinely accessed the relevant website form, and an attacker cannot forge a request without it.
- Malicious File Execution: Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. W+ERP does not expose functions to perform remote file inclusion. However, it allows privileged users to customize features by adding custom expressions that will be evaluated by the system. These expressions are always evaluated in a sandboxed and sanitized environment that only allows access to permitted functions.
- Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization. W+ERP access control is not implemented at the user interface level, so there is no risk in exposing references to internal objects in URLs. Attackers cannot circumvent the access control layer by manipulating those references, because every request still has to go through the data access validation layer.
- Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud. W+ERP uses industry-standard secure hashing for user passwords (by default PBKDF2 + SHA-512, with key stretching) to protect stored passwords. It is also possible to use external authentication systems such as OAuth 2.0 or LDAP, in order to avoid storing user passwords locally at all.
- Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications. W+ERP Cloud runs on HTTPS by default. For on-premise installations, it is recommended to run Odoo behind a web server that implements the encryption and proxies requests to W+ERP, for example Apache, Lighttpd or nginx.
- Failure to Restrict URL Access: Frequently an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly. W+ERP access control is not implemented at the user interface level, and the security does not rely on hiding special URLs. Attackers cannot circumvent the access control layer by reusing or manipulating any URL, because every request still has to go through the data access validation layer. In rare cases where a URL provides unauthenticated access to sensitive data, such as the special URLs customers use to confirm an order, these URLs are digitally signed with unique tokens and only sent via email to the intended recipient.
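The password storage described in the Password Security section and in the Insecure Cryptographic Storage item above, as an added example that is not W+ERP's or Odoo's code: PBKDF2-HMAC-SHA512 with a random per-password salt and a configurable number of rounds, a constant-time verifier, and a check that lets the application raise the work factor for existing users on their next login. The stored-string layout and the iteration counts are assumptions of this example; the page only states the algorithm and that it is salted and stretched.

```python
"""Salted, stretched PBKDF2-HMAC-SHA512 password storage (added example).

Illustration only, not W+ERP's or Odoo's code.  The string format
"pbkdf2-sha512$<iterations>$<salt>$<digest>" and the iteration count are
assumptions chosen for this example; the page only says the scheme is
PBKDF2 + SHA-512, salted and stretched for thousands of rounds.
"""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2-sha512"
DEFAULT_ITERATIONS = 600_000   # hypothetical work factor; raise it as hardware gets faster
SALT_BYTES = 16


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Return a self-describing hash string, with a fresh random salt per password."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return "$".join((ALGORITHM, str(iterations), _b64(salt), _b64(digest)))


def _parse(stored):
    """Split a stored string into (algorithm, iterations, salt, digest); None if malformed."""
    try:
        algorithm, iterations, salt, digest = stored.split("$")
        return algorithm, int(iterations), base64.b64decode(salt), base64.b64decode(digest)
    except (ValueError, TypeError, AttributeError):
        return None


def verify_password(password, stored):
    """Recompute with the stored salt and rounds; compare in constant time."""
    parsed = _parse(stored)
    if parsed is None or parsed[0] != ALGORITHM:
        return False
    _, iterations, salt, digest = parsed
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored, iterations=DEFAULT_ITERATIONS):
    """True when the stored hash uses fewer rounds than the current policy, so the
    application can re-hash transparently on the next successful login."""
    parsed = _parse(stored)
    return parsed is None or parsed[0] != ALGORITHM or parsed[1] < iterations


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple", iterations=10_000)
    print(stored)
    print("valid:", verify_password("correct horse battery staple", stored))
    print("wrong:", verify_password("wrong password", stored))
    print("needs rehash under current policy:", needs_rehash(stored))
```

Because the salt and round count are stored with the digest, the same clear-text password produces a different string every time it is hashed, and the verifier never needs the original password: it derives a candidate with the stored parameters and compares it with `hmac.compare_digest`, which is why support staff, as the page states, cannot recover a password and can only reset it.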
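The two token mechanisms described above, the CSRF security token that a POST controller requires and the digitally signed order-confirmation URL, share one idea: an HMAC over the fields the token is meant to be bound to. The following added example (illustration only, not the wpluserp website engine's own mechanism) shows a minimal form of both; the token layout, the one-hour TTL, the URL shape and the `handle_post` controller stub are assumptions of this example.

```python
"""HMAC-based request tokens: a CSRF token bound to the session, and a signed
order-confirmation URL (added example).

Illustration only, not the wpluserp website engine's own mechanism.  The
token layout (expiry + HMAC-SHA256), the TTL and the URL shape are assumptions;
the page only says that POST controllers require a security token and that
unauthenticated confirmation URLs carry a unique, digitally signed token.
"""
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)   # constructed per process; a deployment would load it from config


def _sign(secret, *parts):
    # One MAC over purpose-tagged fields, so a token minted for one purpose
    # (or one session / one order) cannot be reused for another.
    message = "|".join(parts).encode("utf-8")
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def csrf_token(session_id, secret=SERVER_SECRET, now=None, ttl=3600):
    """Issue a token that only this session can use, valid for `ttl` seconds."""
    now = int(time.time()) if now is None else int(now)
    expires = str(now + ttl)
    return expires + "-" + _sign(secret, "csrf", session_id, expires)


def check_csrf(session_id, token, secret=SERVER_SECRET, now=None):
    """True only for an unexpired token signed for exactly this session."""
    now = int(time.time()) if now is None else int(now)
    try:
        expires, signature = token.split("-", 1)
        if int(expires) < now:
            return False
    except (ValueError, AttributeError):
        return False
    expected = _sign(secret, "csrf", session_id, expires)
    return hmac.compare_digest(signature.encode("utf-8"), expected.encode("utf-8"))


def handle_post(session_id, form, secret=SERVER_SECRET, now=None):
    """What a POST controller does before acting: refuse without a valid token."""
    token = form.get("csrf_token")
    if not token or not check_csrf(session_id, token, secret, now):
        return 400, "Bad CSRF token"
    return 200, "OK"


def signed_order_url(base_url, order_id, secret=SERVER_SECRET):
    """Build the confirmation link that is e-mailed to the order's recipient."""
    token = _sign(secret, "order-confirm", str(order_id))
    return "%s/order/%d/confirm?token=%s" % (base_url, order_id, token)


def check_order_token(order_id, token, secret=SERVER_SECRET):
    """Accept the link only if the token was minted for exactly this order."""
    expected = _sign(secret, "order-confirm", str(order_id))
    return hmac.compare_digest(token.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    token = csrf_token("session-abc")
    print("same session:", handle_post("session-abc", {"csrf_token": token}))
    print("other session:", handle_post("session-xyz", {"csrf_token": token}))
    print("no token:", handle_post("session-abc", {}))
    url = signed_order_url("https://shop.example", 42)
    print(url)
    print("order 42 accepts:", check_order_token(42, url.split("token=")[1]))
    print("order 43 accepts:", check_order_token(43, url.split("token=")[1]))
```

A forged cross-site request carries the victim's session cookie automatically, but not the token, because the token is only ever embedded in a form the user genuinely loaded; binding it to the session id means a token harvested from one session is useless in another, and the expiry bounds how long a leaked one stays valid. The order URL works the same way with the order id in place of the session: changing the number in the link invalidates the signature, so the link grants access to one order only.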