Your Data, Protected by Design
Elromco is the system of record for your customer data, jobs, eBOLs, and payments. We treat security as a product feature, not an afterthought.
How We Protect Your Data
Every customer record, eBOL, and signature on Elromco is protected by the same controls we use for our own operations.
Encryption Everywhere
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Customer signatures, eBOLs, payment tokens, and personally identifiable information are never stored or transmitted in plain text.
Granular Access Controls
Role-based permissions for office staff, foremen, and crew members. Multi-tenant architecture means each company's data is isolated — your data never mixes with other Elromco customers.
Hardened Infrastructure
Hosted on AWS with auto-scaling, regional failover, and 24/7 monitoring. Web application firewall, DDoS protection, and rate limiting at the edge. Continuous vulnerability scanning of every code deploy.
Daily Encrypted Backups
Automated daily backups with 30-day retention. Point-in-time recovery for the last 7 days. Backups are encrypted and stored in a separate AWS region for disaster resilience.
Audit Logging
Every change to an order, eBOL, or customer record is logged with user, timestamp, and the before/after values. Full audit trails are available for compliance reviews and dispute resolution.
Data Privacy
We never sell or share your customer data. Your customers' information stays inside your tenant. Elromco staff only access tenant data when explicitly authorized by you for support or troubleshooting.
Operational Security Practices
The day-to-day discipline behind keeping the platform safe.
Incident Response
Documented incident response process with on-call rotation. Critical incidents are communicated to affected customers within 24 hours.
Regular Security Reviews
Internal security reviews on a quarterly cadence. Code reviews required for every change. Dependency scanning runs on every build.
Secure Development
Engineers follow secure coding standards including input validation, parameterized queries, output encoding, and least-privilege defaults.
Payment Security
Credit card processing is handled by Authorize.Net (PCI-DSS Level 1 certified). Elromco never stores raw card numbers.
Common Security Questions
Where is my data hosted?
Elromco is hosted on Amazon Web Services (AWS) in U.S. data centers, with automated failover across availability zones. Customer data does not leave the United States.
Who can see my company's data?
Only users you authorize within your company. Multi-tenant isolation prevents cross-customer data access. Elromco staff have read access only when explicitly granted by you for support.
What happens if I cancel?
Your data is retained for 90 days after cancellation, then permanently deleted. You can request a full export of your data in CSV at any time before then.
Do you have SOC 2 certification?
We are working toward SOC 2 Type II certification. In the interim, we follow the same controls (access management, change management, encryption, monitoring, incident response) that the SOC 2 framework requires.
How do I report a vulnerability?
Email security@elromco.com with details. We aim to acknowledge reports within 24 hours and provide a status update within 5 business days. We do not currently offer a paid bug bounty.
Found a security issue?
Email security@elromco.com with details. We acknowledge reports within 24 hours and provide a status update within 5 business days.
Questions about how we protect your data?
Talk to our team about your security and compliance requirements.