xTuple Security Policy

Protecting your cloud hosted information is critical; we understand that a lapse in security coverage can put your data, customer information, uptime, and potentially your company’s reputation at risk. When relying on a third party, a certain amount of confidence is needed. You will need to trust vendors to manage and handle your online data securely. We appreciate your trust and want you to know that xTuple is committed to protecting the integrity of your data and doing everything in our power to maintain your security and your trust.

This Security Policy provides a brief introduction to the security policies at xTuple. Our security policies are not limited to this document. Effective security is a continually evolving effort. We routinely audit and manage the security of our services and apply security best practices. This is intended as an overview of key steps taken to protect your data. We are available to answer questions or provide more in-depth information. Please contact us at

Our internal development, operations, and processes have been constructed with security in mind.


1. System security

1.1 Coding standards and development

A well-built environment starts with high coding standards that guard against attempted security breaches and are accompanied by code reviews and tests. We have strict development processes and we follow specified coding standards to ensure the best security practices.

1.2 Application Security

System components undergo tests and source code reviews to assess the security of our application, architecture, and service layers.

1.3 System Configuration

Server and system access are limited to select xTuple staff.


2. Physical Datacenter Security

Our physical infrastructure is hosted and managed on Amazon Web Services (AWS) and IBM SoftLayer. We rely on their secure infrastructure to store data across multiple cloud regions and availability zones.

Servers are housed in highly secure datacenters to ensure the utmost in data security and protection. All datacenters hosting our solutions are secured and monitored 24/7. Physical access to datacenter facilities is strictly limited to select cloud staff. They continually manage risk and undergo recurring assessments to ensure compliance with industry standards.

Datacenter policies for handling fire detection, power loss, climate disasters, temperature control, datacenter management, etc. can be found on the datacenters' websites:

AWS Cloud Security —

SoftLayer —


3. Customer Data Security

xTuple provides several security capabilities. No one will be able to connect to or view your PostgreSQL server as long as you take care of the connection credentials we provide you. A strong password policy, restricted outside access, and xTuple Client features such as "Use Enhanced Authentication" and password expiration/rotation can thwart many avenues of compromise. Important aspects of data security are under your control and require your participation.

3.1 xTuple employee data access

All employees undergo pre-employment background checks and must agree to company policies including security policies. We provide ongoing security awareness training designed to keep all members of staff informed and vigilant of security risks.

3.1.1 xTuple Onboarding Policy

All new employees at xTuple are required to read and agree to both the security policy and the privacy policy.

3.1.2 xTuple Exit Policy

During the employee exit process at xTuple, all access for the ex-employee is removed.

The ex-employee signs an agreement not to discuss any business operations or customer details upon separation.

3.2 Encrypted Data in Transit

SSL Encryption between the xTuple Client and PostgreSQL database is enabled by default. Communications between the client application and server are protected from man-in-the-middle attempts.

3.3 Disaster Recovery / Backup

Whether you're hosted on AWS or IBM SoftLayer, the cloud servers automatically back up your data once per night. 3 days of backups are stored locally on the server and are always accessible to you. 30 days of backups are stored in AWS S3 storage and are available upon request.

3.4 Security capabilities - Customer Best Practices

The following section describes what you can do to protect your account.

3.4.1 Password protection

You are responsible for maintaining the secrecy of your password and account information at all times. We recommend you use a strong passphrase and rotate your password. Password rotation can be configured and enforced through your xTuple Client application.

3.4.2 xTuple Enhanced Authentication

Select "Use Enhanced Authentication" for each of your users who does not require access to 3rd party data tools. This is a mechanism that preprocesses typed passwords before logging in, reducing vulnerability to password-guessing and password-harvesting schemes.

If your employees do not require access to your xTuple system from outside the office, we can allow connections only from your specific locations.


4. Privacy Policy

Please also review the xTuple Privacy Policy and our End-User License Agreement and Data Processing Addendum, the latter of which relates to each party’s responsibilities under the General Data Protection Regulation and other similar laws.

If you have any questions related to this Privacy Policy or how we treat information pursuant to this Policy, or you wish to correct, delete or update your information, please contact us in any of the ways listed below.
