Moving the ERP to the cloud is today the obvious choice for most SMBs — predictable costs, automatic updates, access from anywhere. But the upside comes with a new responsibility: your business data lives on a server that isn't yours. If the vendor is careless, your company pays the bill.
These are the 6 security questions to ask any cloud ERP vendor before you sign.
1. Where does my data live?
In practical terms: which data centre? Which country? For SMBs operating in Europe, the answer should be "inside the EEA" — because of GDPR. Services whose servers are in the US or Asia require Standard Contractual Clauses and still leave grey areas.
2. What's the backup policy?
Don't accept vague answers. What you want to know:
- Frequency: hourly incremental? Daily? Less than that is too little for transactional data.
- Retention: 30 days? 90? 1 year? Accounting regulations often require 7–10 years.
- Location: are backups in the same data centre as live data? If yes, one physical failure takes both out.
- Restore testing: how often does the vendor actually test they can restore? "We have backups" and "restore works" are different things.
Let's turn this idea into reality
If this article resonates with you, chances are we can help. Tell us about your case in 30 seconds.
3. Who has access to my data?
Inside the vendor, who can see the contents of your database? Ideally:
- Production access limited to a small team with full audit logging (who, when, which queries).
- Sensitive data encrypted at rest — even a rogue DBA can't read it.
- MFA mandatory for any administrative access.
4. How is our user authentication handled?
Passwords stored with bcrypt/argon2, not MD5 or SHA1. MFA optional for end users and mandatory for admins. Session timeouts set sensibly and immediate invalidation when someone is offboarded. If the vendor doesn't talk at this level of detail, that's a signal.
5. What happens if I leave?
Portability clause: at any moment you're entitled to a complete export of your data in a standard format (CSV or SQL). How long after cancellation does the vendor delete your data? 30 days? 90? Good vendors issue a destruction certificate.
6. Is there an incident history and how was it communicated?
No serious vendor says "we've never had any problems". Everyone has. The right question is: when there was an incident, did they tell customers? How quickly? With what detail? If they dodge the topic, walk away.
And the customer side?
Cloud ERP security is a shared responsibility. The vendor protects the infrastructure; you protect the access. Use MFA for users, train the team on phishing, review permissions quarterly, and prepare a contingency plan (vendor emergency contact, checklist if you lose access).
Bottom line
A trustworthy cloud ERP is safer than 90% of the badly-maintained on-premise servers you see in SMBs. But "cloud" isn't shorthand for "secure" — it depends entirely on the vendor's practices. Asking these 6 questions and demanding specific, written answers separates serious partners from brochure sellers.