Honest. Verifiable. No marketing lies.

Security & Compliance

We believe compliance claims should be honest and verifiable, not marketing copy. This page describes exactly what the BBN Suite implements, what standards it aligns with, and what it does not do.

For a formal letter of attestation for your auditor, contact trent@bbn.net.au.

Data security — what's actually in the product

Encryption at rest

The following fields are encrypted in the database using Fernet (AES-128-CBC + HMAC-SHA256):

  • Tax File Number (TFN)
  • BSB
  • Bank account number

Ciphertext is stored; plaintext only exists transiently in application memory during read/write. Keys are auto-generated per Odoo instance and stored in ir.config_parameter (accessible only via superuser context).

What this protects against: database dump leaks, backup theft, DBA-level snooping, lost disk scenarios.

What it does not protect against: a compromised Odoo superuser account — the superuser can read the key. That is an RBAC / credential hygiene concern, not an encryption concern.
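The three-field scheme above, as an added example (not BBN Suite code) using the `cryptography` package's Fernet implementation, which is the AES-128-CBC + HMAC-SHA256 construction named above. The function names, the record layout and the sample values (a dummy TFN, BSB and account number) are all constructed here; in the product the key would be fetched from ir.config_parameter rather than passed in by the caller.

```python
"""Field-level encryption of TFN / BSB / account number with Fernet tokens.

Added example, not the BBN Suite's own code. Assumes the `cryptography`
package is installed; the key is passed in by the caller instead of being
read from ir.config_parameter as the page describes.
"""
from cryptography.fernet import Fernet, InvalidToken

# Fields whose plaintext must never reach the database (per the page).
SENSITIVE_FIELDS = ("tfn", "bsb", "account_number")


def generate_key() -> bytes:
    """Per-instance key, equivalent to the auto-generated one the page mentions."""
    return Fernet.generate_key()


def encrypt_record(key: bytes, record: dict) -> dict:
    """Return a copy of `record` with each sensitive field replaced by its Fernet
    token. Tokens are URL-safe base64 text, so they fit an ordinary Char column."""
    f = Fernet(key)
    stored = dict(record)
    for name in SENSITIVE_FIELDS:
        value = record.get(name)
        if value:
            stored[name] = f.encrypt(value.encode("utf-8")).decode("ascii")
    return stored


def decrypt_record(key: bytes, stored: dict) -> dict:
    """Inverse of encrypt_record: plaintext exists only in this function's return value."""
    f = Fernet(key)
    record = dict(stored)
    for name in SENSITIVE_FIELDS:
        token = stored.get(name)
        if token:
            record[name] = f.decrypt(token.encode("ascii")).decode("utf-8")
    return record


def leaks_plaintext(stored: dict, original: dict) -> bool:
    """Simulate a leaked database row: does any sensitive plaintext appear in it?"""
    blob = " ".join(str(v) for v in stored.values())
    return any(original[n] in blob for n in SENSITIVE_FIELDS if original.get(n))


def is_tampered(key: bytes, token: str) -> bool:
    """Fernet tokens carry an HMAC-SHA256 tag: any modified byte (or a wrong key)
    makes decryption fail with InvalidToken rather than return garbage."""
    try:
        Fernet(key).decrypt(token.encode("ascii"))
        return False
    except InvalidToken:
        return True


def tamper(token: str, index: int = 40) -> str:
    """Flip one character inside the ciphertext part of a token (for demonstration)."""
    replacement = "A" if token[index] != "A" else "B"
    return token[:index] + replacement + token[index + 1:]


if __name__ == "__main__":
    key = generate_key()
    # Constructed dummy values; not real identifiers.
    employee = {"name": "Example Pty Ltd", "tfn": "123456782",
                "bsb": "062-000", "account_number": "12345678"}
    row = encrypt_record(key, employee)
    print("stored row:", row)
    print("plaintext visible in row:", leaks_plaintext(row, employee))
    print("round-trip ok:", decrypt_record(key, row) == employee)
    print("tampered token rejected:", is_tampered(key, tamper(row["tfn"])))
```

The authenticated-encryption property is what makes Fernet the right choice for stored identifiers: a ciphertext that has been edited in the database is refused rather than decrypted to a plausible but wrong bank account. One thing to confirm with any deployment: ir.config_parameter is itself a table in the same Odoo database, so a raw dump of that database contains the key alongside the ciphertext unless the key has been moved elsewhere, and the "database dump leak" protection only holds to the extent the dump's reader cannot decode that parameter.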

Transport encryption

All traffic between clients and the Odoo server is TLS (HTTPS) — handled by the reverse proxy in front of Odoo.

Access control

  • Tiered RBAC: 3 accounting roles (Bookkeeper, Accountant, Manager), 5 helpdesk roles (L1 → Admin) with specialty overlays (Dispatcher, Field Tech, Account Manager)
  • Record rules: 26+ ir.rule records enforce least-privilege — agents see their team's tickets, field techs see only assigned work, account managers see only their clients
  • Field-level restrictions: TFN, BSB, account number accessible only to accounting managers

Audit trail

Every change to a ticket, change request, risk, asset, payroll run, invoice, or financial record is recorded on the record's chatter: who, when, old and new values for tracked fields.

This is not a tamper-evident log — it's a standard Odoo audit trail. Sufficient for operational accountability, not court-admissible evidence.

Compliance framework alignment

ISO/IEC 20000 — IT Service Management — aligned

Implemented: Service Level Management (SLA engine with working-hours calculation, auto-escalation), Change Management with CAB approval and rollback plans, Problem Management with RCA and Known Error Database, Continual Improvement Register, CMDB with asset relationships, Incident Management.

Not implemented: formal service catalog model, capacity planning/trending.

ISO/IEC 27001 — Information Security — partially aligned

Implemented: Organisation of information security (RBAC tiers), Asset management (CMDB), Access control (RBAC, record rules, field-level), Cryptography (field-level encryption), Logging (audit trails), Information security incident management, Privacy (encryption of sensitive PII).

Not implemented: Access recertification workflow, enforced password policy, tamper-evident logging, technical vulnerability management.

Certification status: Not ISO 27001 certified. Certification requires external audit of the entire operating organisation, not just software. This module provides the evidence-gathering tooling.

SOC 2 — partially aligned

Implemented: Risk assessment (Risk Register with 5×5 matrix, treatment tracking), Monitoring (SLA tracking, breach detection), Logical access (RBAC, record rules), Data retention (configurable with cron enforcement), System monitoring (audit trails, script execution logs).

Not implemented: Formal availability SLO tracking, backup verification logging, integrity checksums on audit records.

ASD Essential Eight — assessment tool, not implementation

The BBN Helpdesk module includes an Essential Eight Maturity Assessment that automates evidence gathering from Tactical RMM / Atera and scores each of the eight mitigations (0-3).

Honest framing: This module does not enforce the Essential Eight. The eight mitigations must be implemented on the endpoints themselves using your RMM. The module helps you measure your compliance and produces audit-ready reports — it is an audit tool, not a control tool.

ATO compliance — implemented

  • TPAR — contractor payment reports with GST tracking, ABN validation, annual export
  • STP Phase 2 — disaggregated payroll reporting with YTD tracking
  • PAYG Withholding — tax calculation per ATO tax scales with HELP/SFSS deductions
  • ABN Validation — ATO check-digit algorithm
  • GST / BAS — GST on sales/purchases tracked; BAS wizard
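The ABN check-digit rule mentioned above is a published ATO algorithm, so it can be shown in full. The following is an added example, not the BBN Suite's own validator: weights 10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19 applied after subtracting 1 from the first digit, with a valid ABN having a weighted sum divisible by 89. The function names and the sample ABNs are constructed for this example.

```python
"""ABN check-digit validation (ATO algorithm). Added example, not BBN Suite code."""
import re
from typing import Optional

# Weights the ATO assigns to the 11 ABN digits, left to right.
ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)


def normalise_abn(raw: str) -> Optional[str]:
    """Strip spaces and hyphens; return the 11-digit string, or None if malformed."""
    digits = re.sub(r"[\s-]", "", raw or "")
    return digits if re.fullmatch(r"\d{11}", digits) else None


def is_valid_abn(raw: str) -> bool:
    """True if `raw` is a well-formed ABN whose check digits satisfy the ATO rule."""
    digits = normalise_abn(raw)
    if digits is None:
        return False
    nums = [int(c) for c in digits]
    nums[0] -= 1                                           # step 1: subtract 1 from the first digit
    total = sum(n * w for n, w in zip(nums, ABN_WEIGHTS))  # steps 2-3: weight each digit and sum
    return total % 89 == 0                                 # step 4: remainder must be zero


def format_abn(raw: str) -> Optional[str]:
    """Display form 'NN NNN NNN NNN', or None if the ABN is not valid."""
    if not is_valid_abn(raw):
        return None
    d = normalise_abn(raw)
    return f"{d[:2]} {d[2:5]} {d[5:8]} {d[8:]}"


if __name__ == "__main__":
    # Constructed samples: the first passes the check, the second has one digit changed.
    for sample in ("51 824 753 556", "51 824 753 557", "5182475355", "not an abn"):
        print(f"{sample!r:>18} -> valid={is_valid_abn(sample)} display={format_abn(sample)}")
```

A check digit only catches transcription errors and obviously made-up numbers; it does not prove the ABN is registered or belongs to the contractor named on the invoice, so a TPAR workflow still needs a lookup against the ABN register for that.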

Australian Privacy Act 1988 — supports compliance

  • Field-level encryption for sensitive personal information (TFN, bank details)
  • Access control with named-user accountability
  • Data export (Odoo native — supports subject access requests)
  • Data deletion per retention policy

What we do not claim

  • "ISO 27001 certified" — we are not. The module provides evidence-gathering tooling.
  • "SOC 2 Type II certified" — we are not. Certification is an operational audit.
  • "HIPAA compliant" — not tested or designed for US healthcare data. Do not use for PHI.
  • "PCI DSS compliant" — do not store card data in this system. Use Stripe / Square / Braintree.
  • "Zero-trust architecture" — we follow standard Odoo RBAC with field-level controls. Calling it zero-trust would be marketing nonsense.

Deployment models

On-premise (recommended for regulated industries)

You control the server, database, backups, and encryption keys. No data leaves your network. Supported: self-hosted Linux, Australian-hosted VPS, customer data centre.

SaaS (hosted by BBN Digital)

Hosted in Australia (Sydney region). Daily backups. Under Australian jurisdiction. TLS 1.3. All data encrypted at rest.

Hybrid

Your data in your data centre, updates delivered by us. Available on Enterprise plans.

Responsible disclosure

Found a security issue? Email security@bbndigital.com.au with reproduction steps. We aim to respond within 48 hours.

Please do not publicly disclose before we've had a chance to fix, access data that isn't your own, or run automated scans against production systems without written authorisation.

Questions?

Security and compliance questions get answered fast — straight from the engineer who built it.

Email Trent directly at trent@bbn.net.au.