Terms and Conditions

PART I. General Terms of Sale

These General Terms of Sale govern the sale of products and services by WANTECH Innovation Technology Limited. and its affiliates (collectively, "WANTECH.") to the client. Additional terms may apply for services provided by WANTECH (for example, the Subscription Agreement). If these additional terms are inconsistent with the General Terms of Sale, the additional terms will prevail over these General Terms of Sale.

Please read these terms carefully before placing an order with WANTECH. By accepting an order with WANTECH, the client marks his acceptance with these terms.

The client explicitly waives its own standard terms and conditions, even if these were drawn up after these standard terms and conditions of sale. In order to be valid, any derogation must be expressly agreed to in advance in writing.

Our invoices are payable within 7  working days, unless another payment timeframe is indicated on either the invoice or the order. In the event of non-payment by the due date, WANTECH reserves the right to request a fixed interest payment amounting to 15% of the sum remaining due. WANTECH will be authorised to suspend any provision of services without prior warning in the event of late payment.

Certain countries apply withholding at source on the amount of invoices, in accordance with their internal legislation. Any withholding at source will be paid by the client to the tax authorities. Under no circumstances can WANTECH become involved in costs related to a country's legislation. The amount of the invoice will therefore be due to WANTECH in its entirety and does not include any costs relating to the legislation of the country in which the client is located.

WANTECH undertakes to do its best to supply services in due time in accordance with the agreed timeframes. However, none of its obligations can be considered as being an obligation to achieve results. WANTECH cannot, under any circumstances, be required by the client to appear as a third party in the context of any claim for damages filed against the client by an end consumer.

In order for it to be admissible, WANTECH must be notified of any claim by means of a letter sent by recorded delivery to its registered office within 8 days of the delivery of the goods or the provision of the services.

To the maximum extent permitted by law, the aggregate liability of each party together with its affiliates arising will not exceed 50% of the total amount paid by the Customer under these terms during the 12 months immediately preceding the date of the event giving rise to such claim. Multiple claims shall not enlarge this limitation.

WANTECH  reserves the right to modify these terms at any time without prior notice. The client will be subject to the terms in force at the time of acceptation of those terms.

All our contractual relations will be governed exclusively by Hong Kong law. 

PART II. W+ ERP Subscription Agreement

By subscribing to the Wplus ERP (or hereforth known as W+ ERP) services (the "Services") provided by WANTECH and its affiliates (collectively, "WANTECH") in relation with W+ ERP lite or W+ ERP, (the "Software"), hosted on W+ERP's Cloud platforms (the "Cloud Platform") or on-premises ("Self-Hosting" *not permitted or applicable for W+ERP lite subscription services), you (the "Customer") are agreeing to be bound by the following terms and conditions (the "Agreement").

1 Term of the Agreement

The duration of this Agreement (the “Term”) shall be specified in writing on conclusion of this Agreement, beginning on the date of conclusion. It is automatically renewed for an equal Term, unless either party provides a written notice of termination minimum 30 days before the end of the Term to the other party.

2 Definitions

User

Any active user account with access to the Software in creation and/or edition mode. Deactivated user accounts and accounts used by external people (or systems) who only have limited access to the Software through the portal facilities (known as "portal Users") are not counted as Users.

App

An "App" is a specialized group of features available for installation in the Software, and listed in the public Pricing section of wpluserp website.

Bug

Is considered a Bug any failure of the Software that results in a complete stop, error traceback or security breach, and is not directly caused by a defective installation or configuration. Non-compliance with specifications or requirements will be considered as Bugs at the discretion of WANTECH (typically, when the Software does not produce the results or performance it was designed to produce, or when a country-specific feature does not meet legal accounting requirements anymore).

3 Access to the Software

The Customer can use the Software hosted on the Cloud Platform, or choose the Self-Hosting option. The Cloud Platform is hosted and fully managed by WANTECH, and accessed remotely by the Customer. With the Self-Hosting option, the Customer instead hosts the Software on computer systems of their choice, that are not under the control of WANTECH.

For the duration of this Agreement, WANTECH gives the Customer a non-exclusive, non-transferable license to use the W+ERP software, under the terms set forth in 9 Appendix A:W+ ERP Subscription license.

WANTECH commits not to disclose individual or named figures to third parties without the consent of the Customer, and to deal with all collected data in compliance with its official Privacy Policy.

Upon expiration or termination of this Agreement, this license is revoked immediately and the Customer agrees to stop using the W+ERP software and the Cloud Platform.

Should the Customer breach the terms of this section, the Customer agrees to pay WANTECH an extra fee equal to 300% of the applicable list price for the actual number of Users and installed Apps.

4 Services

4.1 Bug Fixing Service

For the duration of this Agreement, WANTECH commits to making all reasonable efforts to remedy any Bug of the Software submitted by the Customer through the appropriate channel (typically, WANTECH 's service desk email address or website form).

The Customer understands that Bugs caused by a modification or extension that is not part of the official Software will not be covered by this service.

As soon as the Bug is fixed an appropriate remedy will be communicated to the Customer.

WANTECH commits to fixing the Bug in the Software Versions the Customer subscribes to but not any other versions.

Both parties acknowledge that as specified in the license of the Software and in the 7.3 Limitation of Liability section of this Agreement, WANTECH cannot be held liable for Bugs in the Software.

4.2 Security Updates Service

Cloud Platform

WANTECH commits to apply the security remedies for any security Bug discovered in a version of the Software hosted on the Cloud Platform, on all systems under its control, as soon as the remedy is available, without requiring any manual action of the Customer.

4.3 Cloud Hosting Services

  • For the duration of this Agreement, when the Customer chooses to use the Cloud Platform, WANTECH commits to providing at least the following services:

  • SSL (HTTPS) Encryption of communication

    Fully automated, verified backups

  • Disaster Recovery Plan

4.4 Support Services

Scope

For the duration of this Agreement, the Customer may open an unlimited number of support tickets free of charge, exclusively for questions regarding Bugs (see 4.1 Bug Fixing Service) or guidance with respect to the use of the standard features of the Software and Services (functionalities, intended use, configuration, troubleshooting).

Other assistance requests, such as questions related to development, customizations, installation for Self-Hosting, or services requiring to access the Customer's database, may be covered through the purchase of a separate maintenance services.

Availability

Tickets can be submitted online athttps://www.wpluserp.com/help subject to opening hours.

5 Charges and Fees

5.1 Standard charges

The standard charges for the W+ ERP subscription and the Services are based on the number of Users, the installed Apps, the Software version used by the Customer, and specified in writing at the conclusion of the Agreement.

When during the Term, the Customer has more Users or more installed Apps than specified at the time of conclusion of this Agreement, the Customer agrees to pay an extra fee equivalent to the applicable list price (at the beginning of the Term) for the additional Users or Apps, for the remainder of the Term.

5.2 Charges for Upgrade Services of customized modules

The additional charge for the Upgrade Service for customized modules will be based on the level of customization required, based on man days.

5.3 Taxes

All fees and charges are exclusive of all applicable federal, provincial, state, local or other governmental taxes, fees or charges (collectively, "Taxes"). The Customer is responsible for paying all Taxes associated with purchases made by the Customer under this Agreement, except when WANTECH is legally obliged to pay or collect Taxes for which the Customer is responsible.

6 Conditions of Services

6.1 Customer Obligations

The Customer agrees to:

  • pay WANTECH any applicable charges for the Services of the present Agreement, in accordance with the payment conditions specified in the corresponding invoice ;
  • immediately notify WANTECH when their actual number of Users or their installed Apps exceed the numbers specified at the conclusion of the Agreement, and in this event, pay the applicable additional fee as described in section 5.1 Standard charges;
  • take all measures necessary to guarantee the unmodified execution of the part of the Software that verifies the validity of the W+ERP usage, as described in 3 Access to the Software;
  • appoint 1 dedicated Customer contact person for the entire duration of the Agreement;

When the Customer chooses to use the Cloud Platform, the Customer further agrees to:

  • take all reasonable measures to keep their user accounts secure, including by choosing a strong password and not sharing it with anyone else;
  • make a reasonable use of the Hosting Services, to the exclusion of any illegal or abusive activities, and strictly observe the rules outlined in the Acceptable Use Policy.

When the Customer chooses the Self-Hosting option, the Customer further agrees to:

  • take all reasonable measures to protect Customer’s files and databases and to ensure Customer’s data is safe and secure, acknowledging that WANTECH cannot be held liable for any data loss;
  • grant WANTECH the necessary access to verify the validity of the Odoo Enterprise Edition usage upon request (e.g. if the automatic validation is found to be inoperant for the Customer);

6.2 Publicity

Except where notified otherwise in writing, each party grants the other a non-transferable, non-exclusive, royalty free, worldwide license to reproduce and display the other party’s name, logos and trademarks, solely for the purpose of referring to the other party as a customer or supplier, on websites, press releases and other marketing materials.

6.3 Confidentiality

Definition of "Confidential Information":

All information disclosed by a party (the "Disclosing Party") to the other party (the "Receiving Party"), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. In particular any information related to the business, affairs, products, developments, trade secrets, know-how, personnel, customers and suppliers of either party should be regarded as confidential.

For all Confidential Information received during the Term of this Agreement, the Receiving Party will use the same degree of care that it uses to protect the confidentiality of its own similar Confidential Information, but not less than reasonable care.

The Receiving Party may disclose Confidential Information of the Disclosing Party to the extent compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of the compelled disclosure, to the extent permitted by law.

6.4 Data Protection

Processing of Personal Data

The parties acknowledge that the Customer's database may contain Personal Data, for which the Customer is the Controller. This data will be processed by WANTECH when the Customer instructs so, by using any of the Services that require a database (e.g. the Cloud Hosting Services or the Database Upgrade Service), or if the Customer transfers their database or a part of their database to WANTECH for any reason pertaining to this Agreement.

WANTECH commits to:

  1. only process the Personal Data when and as instructed by the Customer, and for the purpose of performing one of the Services under this Agreement, unless required by law to do so, in which case WANTECH will provide prior notice to the Customer, unless the law forbids it ;
  2. ensure that all persons within WANTECH authorised to process the Personal Data have committed themselves to confidentiality ;
  3. implement and maintain appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure ;
  4. forward promptly to the Customer any Data Protection request that was submitted to WANTECH with regard to the Customer's database ;
  5. notify the Customer promptly upon becoming aware of and confirming any accidental, unauthorized, or unlawful processing of, disclosure of, or access to the Personal Data ;
  6. permanently delete all copies of the Customer's database in possession of WANTECH, or return such data, at the Customer’s choice, upon termination of this Agreement, subject to the delays specified in WANTECH 's Privacy Policy;

With regard to points (d) , the Customer agrees to provide WANTECH with accurate contact information at all times, as necessary to notify the Customer's Data Protection responsible.

6.5 Termination

In the event that either Party fails to fulfil any of its obligations arising herein, and if such breach has not been remedied within 30 calendar days from the written notice of such breach, this Agreement may be terminated immediately by the non-breaching Party.

Further, WANTECH may terminate the Agreement immediately in the event the Customer fails to pay the applicable fees for the Services within the due date specified on the corresponding invoice.

Surviving Provisions:

The sections "6.3 Confidentiality”, “7.2 Disclaimers”, “7.3 Limitation of Liability”, and “8 General Provisions” will survive any termination or expiration of this Agreement.

7 Warranties, Disclaimers, Liability

7.1 Warranties

For the duration of this Agreement, WANTECH commits to using commercially reasonable efforts to execute the Services in accordance with the generally accepted industry standards provided that:

the Customer’s computing systems are in good operational order and, for Self-Hosting, that the Software is installed in a suitable operating environment;

the Customer provides adequate troubleshooting information and, for Self-Hosting, any access that:

  • the Customer’s computing systems are in good operational order and, for Self-Hosting, that the Software is installed in a suitable operating environment;
  • the Customer provides adequate troubleshooting information and, for Self-Hosting, any access that WANTECH may need to identify, reproduce and address problems;
  • all amounts due to WANTECH have been paid.

7.2 Disclaimers

Except as expressly provided herein, neither party makes any warranty of any kind, whether express, implied, statutory or otherwise, and each party specifically disclaims all implied warranties, including any implied warranty of merchantability, fitness for a particular purpose or non-infringement, to the maximum extent permitted by applicable law.

WANTECH does not warrant that the Software complies with any local or international law or regulations.

7.3 Limitation of Liability

To the maximum extent permitted by law, the aggregate liability of each party together with its affiliates arising out of or related to this Agreement will not exceed 50% of the total amount paid by the Customer under this Agreement during the 12 months immediately preceding the date of the event giving rise to such claim. Multiple claims shall not enlarge this limitation.

In no event will either party or its affiliates be liable for any indirect, special, exemplary, incidental or consequential damages of any kind, including but not limited to loss of revenue, profits, savings, loss of business or other financial loss, costs of standstill or delay, lost or corrupted data, arising out of or in connection with this Agreement regardless of the form of action, whether in contract, tort (including strict negligence) or any other legal or equitable theory, even if a party or its affiliates have been advised of the possibility of such damages, or if a party or its affiliates' remedy otherwise fails of its essential purpose.

7.4 Force Majeure

Neither party shall be liable to the other party for the delay in any performance or failure to render any performance under this Agreement when such failure or delay is caused by governmental regulations, fire, strike, war, flood, accident, epidemic, embargo, appropriation of plant or product in whole or in part by any government or public authority, or any other cause or causes, whether of like or different nature, beyond the reasonable control of such party as long as such cause or causes exist.

8 General Provisions

8.1 Governing Law

Both parties agree that the laws of Hong Kong will apply, should any dispute arise out of or in connection with this Agreement, without regard to choice or conflict of law principles. To the extent that any lawsuit or court proceeding is permitted hereinabove, both parties agree to submit to the sole jurisdiction of Hong Kong for the purpose of litigating all disputes.

8.2 Severability

In case any one or more of the provisions of this Agreement or any application thereof shall be invalid, illegal or unenforceable in any respect, the validity, legality and enforceability of the remaining provisions of this Agreement and any application thereof shall be in no way thereby affected or impaired. Both parties undertake to replace any invalid, illegal or unenforceable provision of this Agreement by a valid provision having the same effects and objectives.

PART III. Privacy

1. Privacy Policy

How we protect your privacy on wpluserp.com and when you use our services.

WANTECH Innovation Technology Ltd and its affiliates offer many services to help you run your business, including a platform to host your own Wplus ERP (hereforth known as W+ERP) database. As part of running those services we collect data about you and your business. This data is not only essential to run our services, but also critical for the safety of our services and all our users.
This policy explains what information is collected, why it is collected, and how we use it.

Information we collect

Most of the personal data we collect is directly provided by our users when they register and use our services. Other data is collected by recording interactions with our services.

Account & Contact Data: When you register on our website to use or download one of our products, or to subscribe to one of our services (W+ ERP lite, W+ ERP, etc.), or fill in one of our contact forms, you voluntarily give us certain information. This typically includes your name, company name, email address, and sometimes your phone number, postal address (when an invoice or delivery is required), business sector, as well as a personal password.
We never record or store credit card information from our customers, and always rely on trusted third-party PCI-DSS-compliant payment processors for credit card processing, including for recurring payment processing.

Job Application Data: When you apply for a job on our website or via an employment agency, we usually collect your contact information (name, email, phone), and any information you choose to share with us, in your introduction letter and Curriculum Vitae. If we decide to send you a job proposition, we will also ask you to provide extra personal details, as required to fulfil our legal obligations and personnel management requirements.
We will not ask you to provide information that is not necessary for the recruitment process. In particular, we will never collect any information about your racial or ethnic origin, political opinions, religious beliefs, trade union membership or sexual life.

Browser Data: When you visit our website and access our online services, we detect and store your browser language and geolocation, in order to customize your experience according to your country and preferred language. Our servers also passively record a summary of the information sent by your browser, for statistical, security and legal purposes: yourIP address, the time and date of your visit, yourbrowser version and platform, and the web page that referred you to our website.

Customer Database: When you subscribe to an W+ERP Cloud service and create your own W+ERP database (for example by starting a Free Trial), any information or content you submit or upload into your database is your own, and you control it fully.
Similarly, when you upload an on-premises database to the W+ ERP website, you own the data in it.
This data will often include personal information, for example: your list of employees, your contacts and customers, your messages, pictures, videos, etc . We only ever collect this information on your behalf, and you always retain ownership and full control on this data.


How we use this information

Account & Contact Data: We use your contact information in order to provide our services, to answer your requests, and for billing and account management reasons. We may also use this information for marketing and communication purposes (our marketing messages always come with a way for you to opt-out at any time). We also use this data in aggregated/anonymised form in order to analyse service trends.
If you have registered to participate in an event published on our website, we may transfer your name, email address, phone number and company name to our local organizer and to the sponsors of the event, for both direct marketing purposes and in order to facilitate the preparations and booking for the event.
If you have expressed interest in using W+ ERP or otherwise asked to be contacted by a W+ERP service provider, we may also transfer your name, email address, phone number and company name to one of our official partners in your country or region, for the purpose of contacting you to offer their local assistance and services.

Job Application Data: We will only process this information for our recruitment process, in order to evaluate and follow-up with your application, and in the course of preparing your contract, if we decide to send you a job proposition. You may contact us at any time to request the deletion of your information.

Browser Data: This automatically recorded data is anonymously analyzed in order to maintain and improve our services. We will only correlate this data with your personal data when required by law or for security purposes, if you have violated our Acceptable Use Policy.

Acceptable Use Policy

à Usage of W+ERP Cloud Services is subject to this Acceptable Use Policy (AUP). This AUP is incorporated by reference into, and governed by the W+ERP Subscription Agreement between you (Customer) and Wantech Innovation Technology Limited. Customers who are found to be violating these rules may see their subscriptions suspended without prior notice. The subscription fees will usually not be refunded.

Illegal or Harmful Use

You may not use W+ERP services for storing, displaying, distributing or otherwise processing illegal or harmful content. This includes:

  • Illegal Activities: promoting gambling-related sites or services, or child pornography.
  • Harmful or Fraudulent Activities: Activities harmful to others, promoting fraudulent goods, services, schemes, or promotions (e.g., make-money-fast schemes, ponzi and pyramid schemes, phishing, or pharming), or engaging in other deceptive practices.
  • Infringing Content: Content that infringes the intellectual property of others.
  • Offensive Content: Content that is defamatory, obscene, abusive, invasive of privacy, or otherwise objectionable, including content that constitutes child pornography, relates to bestiality, or depicts non-consensual sex acts.
  • Harmful Content: Malicious and malware content, such as viruses, trojan horses, worms, etc.
  • Spam Content: Content that is published for "black hat SEO" purposes, using tricks such a link building / link spam, keyword spam, in order to exploit the reputation of Odoo services for promoting third-party content, goods or services.

· Email Abuse

You may not use W+ERP services for spamming. This includes:

  • Unsolicited messages: sending or facilitating the distribution of unsolicited bulk emails and messages, either directly via Odoo Cloud or indirectly via third-party email services. This includes the use of bulk emails lists. Any mass-mailing activity is subject to the applicable legal restrictions, and you must be able to show evidence of consent/opt-in for your bulk email distribution lists.
  • Spoofing: sending emails or messages with forged or obfuscated headers, or assuming an identity without the sender's permission

Security Violations

You may not attempt to compromise W+ERP services, to access or modify content that does not belong to you, or to otherwise engage in malicious actions:

  • Unauthorized access: accessing or using any W+ERP system or service without permission
  • Security research: conducting any security research or audit on W+ERP systems without written permission to do so, including via scanners and automated tools. Please see our Responsible Disclosure page for more information regarding WANTECH security research.
  • Eavesdropping: listening to or recording data that does not belong to you without permission
  • Other attacks: non-technical attacks such as social engineering, phishing, or physical attacks against anyone or any system

Network and Services Abuse

You may not abuse the resources and systems of W+ERP. In particular the following activities are prohibited:

  • Network abuse: causing Denial of Service (DoS) by flooding systems with network traffic that slows down the system makes it unreachable, or significantly impacts the quality of service
  • Unthrottled RPC/API calls : sending large numbers of RPC or remote API calls to our systems without appropriate throttling, with the risk of impacting the quality of service for other users.
    Note: W+ERP provides batch APIs for imports, so there should be no need for this. Throttled calls are typically acceptable at a rate of 1 call/second, with no parallel calls. Exceptions may be authorized on a case-by-case basis – please contact us if you think you need one.
  • Overloading : voluntarily impacting the performance or availability of systems with abnormal content such as very large data quantities, or very large numbers of elements to process, such as email bombs.
  • Crawling: automatically crawling resources in a way that impacts the availability and performance of the systems
  • Attacking: using the W+ERP services to attack, crawl or otherwise impact the availability or security of third-party systems
  • Abusive registrations: using automated tools to repeatedly register or subscribe to W+ERP services, or registering or subscribing with fake credentials, or under the name of someone else without their permission.


Customer Database: We only collect and process this data on your behalf, in order to perform the services you have subscribed to, and based on the instructions you explicitly gave when you registered or configured your service and your W+ERP database.
Our Helpdesk staff and engineers may access this information in a limited and reasonable manner in order to solve any issue with our services, or at your explicit request for support reasons, or as required by law, or to ensure the security of our services in case of violation of our Acceptable Use Policy, in order to keep our services secure.

Accessing, Updating or Deleting Your Personal Information

Account & Contact Data: You have the right to access and update personal data you have previously provided to us. You can do so at any time by connecting to your personal account on wplueserp.com. If you wish to permanently delete your account or personal information for a legitimate purpose, please contact our Helpdesk to request so. We will take all reasonable steps to permanently delete your personal information, except when we are required to keep it for legal reasons (typically, for administration, billing and tax reporting reasons).

Job Application Data: You may contact us at any time to request access, updates or deletion of your application information. The easiest way to do it is to reply to the last message you exchanged with our Human Resource personnel.

Customer Database: You can manage any data collected in your databases hosted on wplueserp.com at any time, using your administration credentials, including modifying or deleting any personal data stored therein.
At any time you can export a complete backup of your database via our control panel, in order to transfer it, or to manage your own backups/archive. You are responsible for processing this data in compliance with all privacy regulations. You may also request the deletion of your entire database via your control panel, at any time. When you use the W+ERP Database Upgrade service, your data is automatically deleted after your upgrade was successfully completed, and may also be deleted upon request from you.

Safety Retention Period: we retain a copy of your data in our backups for safety reasons, even after they are destroyed from our live systems. See Data Retention for more details.

Security

We realize how important and sensitive your personal data is, and we take a great number of measures to ensure that this information is securely processed, stored and preserved from data loss and unauthorized access. Our technical, administrative and organizational security measures are described in details in our Security Policy.

Third Party Service Providers

In order to support our operations we rely on several Service Providers. They help us with various services such as payment processing, web audience analysis, cloud hosting, marketing and communication, etc.

Whenever we share data with these Service Providers, we make sure that they use it in compliance with Data Protection legislation, and that the processing they carry out for us is limited to our specific purpose and covered by a specific data processing contract.

Here is a list of the Service Providers we are currently using, why we use them, and what kind of data we share with them:

Service Provider

Purpose

Share Data

Paypal

Payment processing on wpluserp.com

Shared with Paypal : Order details (amount, description, reference), Customer name and email
Only stored by Paypal : credit card info

AliCloud

Infrastructure and hosting, DDOS Protection

Hosted by AliCloud : Production data from wpluserp.com and its affiliate services, including Customer Databases.

Google Analytics

Anonymous website audience analysis

Shared with Google Analytics : Non-personal browser data, anonymized IP, geolocation info, language (no identifiable information)

Google Calendar

Calendar data syncrhonisation

Shared with Google Calendar: Any contact and personal information entered by the user for calender purposes

SendGrid

Email sending services

Shared with SendGrid : Any contact and personal information entered by the user for email sending services

Data Retention

Account & Contact Data : we will only retain such data as long as necessary for the purpose for which it was collected, as laid out in this policy, including any legal retention period, or as long as necessary to carry out a legitimate and reasonable promotion of our products and services.

Job Application Data: If we do not hire you, we may keep the information you provide for up to 2 years in order to contact you again for any new job proposition that may come up, unless you ask us not to do so. If we hire you, your personal information will be stored for the duration of your employment contract with us, and afterwards, during the applicable legal retention period that applies in the country where we employed you.

Browser Data : we will only retain this data for a short period of time, generally 2 months, unless we need to keep it in relation with a legitimate concern related to the security or performance of our services, or as required by law.

Customer Database : we will only retain this data as long as necessary for providing the services you subscribed to. For databases hosted on the W+ERP Cloud, if you cancel the service your database is kept deactivated for 3 weeks (the grace period during which you can change your mind), and then destroyed. For databases uploaded to the W+ERP Database Upgrade website, your database is kept for up to 4 months after the last successful upgrade, and may be deleted earlier upon request.

Safety Retention Period:

As part of our Security Policy, we always try to preserve your data from accidental or malicious deletion. As a result, after we delete any of your personal information (Account & Contact Data) from our database upon request from you, or after you delete any personal information from your database (Customer Database), or if you delete your entire database, it is not immediately deleted from our backup systems, which are secured and inalterable. The personal data could remain stored for up to 12 months in those backups, until they are automatically destroyed.


We commit not to use those backup copies of your deleted data for any purpose except for maintaining the integrity of our backups, unless you or the law require us to do so.

Transfer of Data

Hosting Services

Hosting Locations : Customer databases are hosted in the W+ERP data center closest to where they are based: Hong Kong or Singapore. Customers can request that their data be moved to one of the other data centers.

Backup Locations : We utilize a "Triplicate technology", which automatically stores all of the data copies across different servers and provide 99% data reliability for Elastic Compute Service(Server) instances.

Backups are are replicated in an additional separate server in order to meet our Disaster Recovery objectives, see our Cloud Hosting SLA.



Third Party Disclosure

Except as explicitly mentioned above, we do not sell, trade, or otherwise transfer your personal data to third parties. We may share or disclose aggregated or de-identified information, for research purposes, or to discuss trends or statistics with third-parties.

Cookie Policy

Cookies are small bits of information sent by our servers to your computer or device when you access our services, and unique to you. They are stored in your browser and later sent back to our servers so that we can provide contextual content. We use them to support your activities on our website, for example your session (so you don't have to login again) or your shopping cart.
Cookies are also used to help us understand your preferences based on previous or current activity on our website (the pages you have visited), your language and country, which enables us to provide you with improved services. We also use cookies to help us compile aggregate data about site traffic and site interaction so that we can offer better site experiences and tools in the future.


We also use third-party services such as Google Analytics, who set and use their own cookies to identify visitors and provide their own contextual services. For more information regarding those third-party providers and their Cookie Policy, please see the relevant references in the Third-Party Service Providers section.


You can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. Each browser is a little different, so look at your browser's Help menu to learn the correct way to modify your cookies, or look at the links below.

Chrome: https://support.google.com/chrome/answer/95647?hl=en

Explorer: https://support.microsoft.com/en-us/products/windows?os=windows-10

Safari: https://support.apple.com/kb/PH21411

Firefox: https://support.mozilla.org/products/firefox/cookies

Opera: http://www.opera.com/help/tutorials/security/cookies/

We do not currently support Do Not Track signals, as there is no industry standard for compliance.

Policy Updates

We may update this Privacy Policy from time to time, in order to clarify it, or to comply with legal obligations. The "Last Updated" mention at the top of the policy indicates the last revision, which is also the effective date of those changes. If you continue to use our services after such a change, you agree to our updated policy.

Contacting Us

If you have are any question regarding this Privacy Policy, or any enquiry about your personal data, please reach out to the W+EPR Helpdesk or contact us via email at support@wpluserp.com or by pos

WANTECH Innovation Technology Limited

Room 1105, 11/F, Century Centre, 44-46 Hung To Road,

Kwun Tong, Kowloon.,

Hong Kong

Part IV. Security

Your security is very important to us! Here is a summary of what we do every day to guarantee that your data is safe with W+ERP and that we apply best security practices on our hosted version, the W+ERP Cloud. Table of contents

W+ERP Cloud

Backups / Disaster Recovery
We keep 1 full backup of each W+EPR database for up to 7 days:
- 1/day for 7/days (for customers with database size less than 3GB)
Disaster recovery: in case of complete disaster, with a data centre entirely down for an extended period, preventing the failover to our local hot-standby (never happened so far, this is the worst-case plan), we have the following objectives:

RPO (Recovery Point Objective) = 24h. This means you can lose max 24h of work if the data cannot be recovered and we need to restore your latest daily backup

RTO (Recovery Time Objective) = 24h for paid subscriptions, 48h for free trials, education offer, freemium users, etc. This is the time to restore the service in a different data center if a disaster occurs and a datacenter is completely down.

How is this accomplished:
We utilize the Detection module to discover that the master node has an exception and instructs the Repair module to fix it. If the Repair module fails to resolve the problem, the Notice module will be informed of this information. The Notice module then forwards the failover request to the SLB or Proxy module, which begins to redirect all traffic to the slave node. At the same time, the Repair module creates a new slave node on another physical server and synchronizes this change back to the Detection module. The Detection module starts to recheck the health status of the instance. ECS Instance failover, it should take about 5-10 mins in same zone. RTO if the data center is completely down, we will begin to redirect all traffic to the slave node in different region. We can restore the daily snapshot (backup) to any server, within 5-10 mins. It may take time to debug and change the client configuration.

Password Security
Customer passwords are protected with industry-standard PBKDF2+SHA512 encryption (salted + stretched for thousands of rounds)

W+ERP staff does not have access to your password, and cannot retrieve it for you, the only option if you lose it is to reset it

Login credentials are always transmitted securely over HTTPS

Staff Access
W+ERP helpdesk staff may sign into your account to access settings related to your support issue. For this they use their own special staff credentials, not your password (which they have no way to know) This special staff access improves efficiency and security: they can immediately reproduce the problem you are seeing, you never need to share your password, and we can audit and control staff actions separately! Our Helpdesk staff strives to respect your privacy as much as possible, and only access files and settings needed to diagnose and resolve your issue

System Security
All W+ERP Cloud servers are running hardened Linux distributions with up-to-date security patches Installations are ad-hoc and minimal to limit the number of services that could contain vulnerabilities (no PHP/MySQL stack for example)

Physical Security
W+ERP Cloud servers are hosted in trusted data centers in various regions of the world (e.g. AliCloud), and they must all exceed our physical security criterions:

Restricted perimeter, physically accessed by authorized data center employees only

Credit Card Safety
We never store credit card information on our own systems. Your credit card information is always transmitted securely directly between you and our PCI-Compliant payment acquirers (see the list on our Privacy Policy page).

Communications
All web connections to client instances are protected with SSL encryption Our servers are kept under a strict security watch, and always patched against the latest SSL vulnerabilities, enjoying SSL ratings at all times.

Network defense
All data center providers used by W+ERP Cloud have very large network capacities, and have designed their infrastructure to withstand the largest Distributed Denial of Service (DDoS) attacks. Their automatic and manual mitigation systems can detect and divert attack traffic at the edge of their multi-continental networks, before it gets the chance to disrupt service availability.
Firewalls and intrusion prevention systems on W+ERP Cloud servers help detect and block threats such as brute-force password attacks.
As of Odoo 12.0, customer database administrators even have the option to configure the rate limiting and cooldown duration for repeated login attempts.

W+ERP
Software Security
W+ERP is open source, so the whole codebase is continuously under examination by W+ERP users and contributors worldwide. Community bug reports are therefore one important source of feedback regarding security. We encourage developers to audit the code and report security issues. The W+ERP R&D processes have code review steps that include security aspects, for new and contributed pieces of code.
Secure by design
W+ERP is designed in a way that prevents introducing most common security vulnerabilities:
SQL injections are prevented by the use of a higher-level API that does not require manual SQL queries XSS attacks are prevented by the use of a high-level templating system that automatically escapes injected data The framework prevents RPC access to private methods, making it harder to introduce exploitable vulnerabilities See also the OWASP Top Vulnerabilities section to see how W+ERP is designed from the ground up to prevent such vulnerabilities from appearing.

OWASP Top Vulnerabilities

Here is where W+ERP stands on the top security issue for web applications, as listed by the Open Web Application Security Project (OWASP):
  • Injection Flaws: Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data. W+ERP relies on an object-relational-mapping (ORM) framework that abstracts query building and prevents SQL injections by default. Developers do not normally craft SQL queries manually, they are generated by the ORM, and parameters are always properly escaped.
  • Cross Site Scripting (XSS): XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.
    The W+ERP framework escapes all expressions rendered into views and pages by default, preventing XSS. Developers have to specially mark expressions as "safe" for raw inclusion into rendered pages.
  • Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
    The wpluserp website engine includes a built-in CSRF protection mechanism. It prevents any HTTP controller to receive a POST request without the corresponding security token. This is the recommended technique for CSRF prevention. This security token is only known and present when the user genuinely accessed the relevant website form, and an attacker cannot forge a request without it.
  • Malicious File Execution: Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise.
    W+ERP does not expose functions to perform remote file inclusion. However it allows privileged users to customize features by adding custom expressions that will be evaluated by the system. These expressions are always evaluated by a sandboxed and sanitized environment that only allows access to permitted functions.
  • Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
    W+ERP access control is not implemented at the user interface level, so there is no risk in exposing references to internal objects in URLs. Attackers cannot circumvent the access control layer by manipulation those references, because every request still has to go through the data access validation layer.
  • Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.
    W+ERP uses industry-standard secure hashing for user passwords (by default PKFDB2 + SHA-512, with key stretching) to protect stored passwords. It is also possible to use external authentication systems such as OAuth 2.0 or LDAP, in order to avoid storing user passwords locally at all.
  • Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
    W+ERP Cloud runs on HTTPS by default. For on-premise installations, it is recommend to run Odoo behind a web server implementing the encryption and proxying request to W+ERP, for example Apache, Lighttpd or nginx.
  • Failure to Restrict URL Access: Frequently an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly
    W+ERP access control is not implemented at the user interface level, and the security does not rely on hiding special URLs. Attackers cannot circumvent the access control layer by reusing or manipulating any URL, because every request still has to go through the data access validation layer. In rare cases where a URL provides unauthenticated access to sensitive data, such as special URLs customer use to confirm an order, these URLs are digitally signed with unique tokens and only sent via email to the intended recipient.