
Application and Data Security You Can Trust


Oro applications are built from the ground up to support sizeable B2B enterprises and complex, multi-level organizational hierarchies with thousands of employees and millions of website customers. Oro incorporates multiple levels of enhanced security measures, so your applications and data are protected and you maintain compliance with privacy regulations.


Application Security Features

Enjoy unparalleled control and customizable access by user as well as support for complex hierarchies. Take advantage of the latest in encryption and customize your login protocols.

Access Control

Oro products use Access Control Lists (ACLs) to define rules that grant or deny access to each data type, including sensitive data. Every user in an Oro application has a role, and every role carries a set of permissions that allow or restrict actions on entities and system capabilities. Data access and permissions can be limited at any level of granularity, down to an individual user. Control which actions a user may perform, whether that is only viewing the latest sales report, fully editing a customer’s order, or authorizing a payment. For example, restrict sales staff to leads and opportunities, give marketing access to manage marketing lists and campaigns, and let administrators reach all systems globally. All of this is managed directly from the UI, without developer assistance.
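As an added illustration of the role and permission model described above (this is example code, not Oro's own ACL implementation, which is part of its PHP code base), the following Python sketch shows a deny-by-default check in which each role grants an action on an entity together with an access level, so a permission can reach only the user's own records, their business unit, their organization, or everything. The role names, entities, users and records are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class AccessLevel(Enum):
    """How far a granted permission reaches; NONE is the deny-by-default."""
    NONE = 0
    USER = 1           # only records the user owns
    BUSINESS_UNIT = 2  # records owned by anyone in the user's business unit
    ORGANIZATION = 3   # all records in the user's organization
    GLOBAL = 4         # every record in every organization


@dataclass
class Role:
    name: str
    permissions: dict = field(default_factory=dict)  # entity -> action -> AccessLevel

    def grant(self, entity: str, action: str, level: AccessLevel) -> "Role":
        self.permissions.setdefault(entity, {})[action] = level
        return self


@dataclass(frozen=True)
class User:
    username: str
    role: Role
    business_unit: str
    organization: str


@dataclass(frozen=True)
class Record:
    entity: str
    owner: str
    business_unit: str
    organization: str


def is_granted(user: User, action: str, record: Record) -> bool:
    """Deny-by-default ACL check: the role must hold the action on the entity,
    and the record must fall inside the granted access level."""
    level = user.role.permissions.get(record.entity, {}).get(action, AccessLevel.NONE)
    if level is AccessLevel.NONE:
        return False
    if level is AccessLevel.GLOBAL:
        return True
    if record.organization != user.organization:
        return False  # nothing below GLOBAL crosses organization boundaries
    if level is AccessLevel.ORGANIZATION:
        return True
    if level is AccessLevel.BUSINESS_UNIT:
        return record.business_unit == user.business_unit
    return record.owner == user.username  # AccessLevel.USER


# Constructed sample roles mirroring the sales / marketing / administrator split above.
SALES = (Role("sales")
         .grant("Lead", "VIEW", AccessLevel.BUSINESS_UNIT)
         .grant("Lead", "EDIT", AccessLevel.USER)
         .grant("Opportunity", "VIEW", AccessLevel.BUSINESS_UNIT)
         .grant("Opportunity", "EDIT", AccessLevel.USER))
MARKETING = (Role("marketing")
             .grant("MarketingList", "VIEW", AccessLevel.ORGANIZATION)
             .grant("MarketingList", "EDIT", AccessLevel.ORGANIZATION)
             .grant("Campaign", "EDIT", AccessLevel.ORGANIZATION))
ADMIN = Role("administrator")
for _entity in ("Lead", "Opportunity", "MarketingList", "Campaign", "Order"):
    for _action in ("VIEW", "EDIT", "DELETE"):
        ADMIN.grant(_entity, _action, AccessLevel.GLOBAL)

alice = User("alice", SALES, "eu-sales", "acme")
bob = User("bob", SALES, "eu-sales", "acme")
carol = User("carol", MARKETING, "marketing", "acme")
root = User("root", ADMIN, "it", "acme-holding")

bobs_lead = Record("Lead", owner="bob", business_unit="eu-sales", organization="acme")
us_lead = Record("Lead", owner="dave", business_unit="us-sales", organization="acme")
campaign = Record("Campaign", owner="carol", business_unit="marketing", organization="acme")


def demo() -> dict:
    """Constructed checks showing how the same role answers differently per record."""
    return {
        "alice views colleague's lead": is_granted(alice, "VIEW", bobs_lead),    # True
        "alice edits colleague's lead": is_granted(alice, "EDIT", bobs_lead),    # False
        "alice views other unit's lead": is_granted(alice, "VIEW", us_lead),     # False
        "alice edits campaign": is_granted(alice, "EDIT", campaign),             # False
        "carol edits campaign": is_granted(carol, "EDIT", campaign),             # True
        "admin deletes lead across orgs": is_granted(root, "DELETE", bobs_lead), # True
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'granted' if result else 'denied'}")
```

The point to take from the sketch is that a permission is never a bare yes or no: the same VIEW grant lets Alice see a colleague's lead but not one owned in another business unit, and only the GLOBAL level crosses organizations.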

Layered Configuration

Unlike B2C sellers, B2B structures and processes are generally quite complex. A single enterprise may offer both goods and services through multiple sub-organizations, with each having dedicated websites for different regions or countries. Oro applications were built to tame the complexity of B2B enterprises.

Set up and configure any Oro application from the application configuration UI to specifically conform to your needs. Apply configuration at global, organization, website, and user levels.

Use Global settings to affect the entire application. Tailor Organization settings to configure options specifically for each organization and configure each website to conform to the features needed at each level of the enterprise. The user-level configuration provides employees the ability to adapt certain application settings to their personal preferences.

Global enterprises with multiple websites in various countries can set up the appropriate currencies and languages for each site. They can then add different local warehouses, manage inventory options, control the products displayed and even how they are arranged on each website.


To limit what an attacker gains from a breach, Oro encrypts sensitive data rather than storing it in the clear, and we regularly review new technologies to support current, robust encryption solutions.

  • Database column encryption lets us choose which pieces of data to encrypt instead of encrypting the entire database file.
  • User passwords are stored as one-way hashes, never as plaintext or reversibly encrypted text.
  • A forced redirect to HTTPS protects the connection between the browser and the web server.
  • The online payment flow and the out-of-the-box payment gateway integrations are designed to keep transactions secure.

Password and Session

Oro products incorporate the best password practices to help prevent unsafe passwords and motivate users to create strong credentials. Admins can customize password and login restrictions for application users to:

  • Configure the desired password length and complexity
  • Enforce password change policy and password history
  • Limit the number of login attempts
  • Lock accounts after several failed logins to prevent brute-force attacks

In addition, multi-factor authentication is supported to strengthen application security with an additional authentication factor.
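The password rules listed above, together with the one-way password hashing mentioned in the encryption section, are shown in the following added Python example. It is illustrative code, not Oro's implementation, and the policy values (12 characters, 3 character classes, 5-password history, 5 attempts, 15-minute lockout) are assumed defaults. It uses scrypt from the standard library as the one-way hash; the accounts, passwords and clock values are constructed.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Optional

SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # memory-hard parameters, about 16 MiB per hash


@dataclass
class PasswordPolicy:
    min_length: int = 12        # assumed defaults; in practice configurable per deployment
    require_classes: int = 3    # of: lower, upper, digit, symbol
    history_size: int = 5       # previous passwords that may not be reused
    max_attempts: int = 5       # failed logins before lockout
    lockout_seconds: int = 900  # 15 minutes


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted one-way hash; returns salt || digest so one column holds both."""
    salt = salt or os.urandom(16)
    return salt + hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def check_complexity(password: str, policy: PasswordPolicy) -> list:
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    classes = sum([any(c.islower() for c in password), any(c.isupper() for c in password),
                   any(c.isdigit() for c in password), any(not c.isalnum() for c in password)])
    if classes < policy.require_classes:
        problems.append(f"only {classes} character classes, {policy.require_classes} required")
    return problems


@dataclass
class Account:
    username: str
    password_hash: bytes
    history: list = field(default_factory=list)  # previous hashes, most recent first
    failed_attempts: int = 0
    locked_until: float = 0.0

    def set_password(self, new_password: str, policy: PasswordPolicy) -> list:
        """Enforce complexity and history; returns violations (empty list on success)."""
        problems = check_complexity(new_password, policy)
        if any(verify_password(new_password, old) for old in [self.password_hash] + self.history):
            problems.append("reuses a recent password")
        if problems:
            return problems
        self.history = ([self.password_hash] + self.history)[:policy.history_size]
        self.password_hash = hash_password(new_password)
        return []

    def login(self, password: str, policy: PasswordPolicy, now: Optional[float] = None) -> str:
        """Returns 'ok', 'bad_password' or 'locked'; a lock refuses even the right password."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"
        if verify_password(password, self.password_hash):
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= policy.max_attempts:
            self.failed_attempts = 0
            self.locked_until = now + policy.lockout_seconds
            return "locked"
        return "bad_password"


def demo() -> dict:
    """Constructed walk-through: two rejected changes, a rotation, then a brute-force lockout."""
    policy = PasswordPolicy()
    acct = Account("alice", hash_password("Correct-Horse-Battery-9"))
    t0 = 1_700_000_000.0  # fixed clock so the lockout timing is deterministic
    results = {
        "weak": acct.set_password("password1", policy),                  # length + class violations
        "reuse": acct.set_password("Correct-Horse-Battery-9", policy),   # history violation
        "rotate": acct.set_password("Staple-Horse-Battery-42", policy),  # []
    }
    results["attempts"] = [acct.login(f"guess-{i}", policy, now=t0 + i) for i in range(5)]
    results["correct_while_locked"] = acct.login("Staple-Horse-Battery-42", policy, now=t0 + 10)
    results["after_lockout"] = acct.login("Staple-Horse-Battery-42", policy,
                                          now=t0 + 10 + policy.lockout_seconds)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two details matter in practice: the comparison of hashes is constant-time so that a timing side channel cannot shortcut guessing, and the lockout is enforced before the password is checked, so an attacker learns nothing from a locked account even with the correct password.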

OAuth, LDAP, and Google SSO

Oro applications also integrate with identity providers (IdPs) that store and manage digital identities, so company users can connect to the application securely; this is particularly valuable for efficiency in large organizations. Supported IdP options include LDAP, Google SSO, and OAuth 2.0 authorization.

Audit logs

Oro products support data audit functionality to track changes made to records in Oro applications.

View and track directly from the UI:

  • Who changed a record
  • When the change occurred
  • What changed

Easily create data audit reports and track all login attempts to simplify security-related investigations.

Application Security Processes

Data security is critical for any eCommerce company: B2B eCommerce applications frequently store customer personal data and credit card details and process online payments. Oro follows current data and eCommerce security processes to prevent threats, and continually refines its safeguards, procedures, and policies to protect your customer data.

Secure Development

Oro utilizes standardized security best practices to maintain a secure development lifecycle. During development, Oro:

  • Applies the OWASP Top 10 and related best practices to produce secure code and guard against emerging threats.
  • Runs regular penetration tests that simulate real attacks to confirm that security controls remain effective.
  • Scans code for vulnerabilities and runs automated penetration tests as part of the CI pipeline.


Information security should always be a leading factor in selecting a software vendor. Oro applications comply with the highest standards for security and help you meet local data privacy regulations.

Independently Verified Secure

Oro underwent an independent evaluation of its internal control policies and achieved SOC 2 Type 2 attestation for the Security and Availability trust services criteria in 2021. (SOC 2 is an auditor's attestation report rather than a certificate.) The report confirms that the controls around application security processes are mature, that the system is protected against unauthorized access, and that it is available for operation and use as committed.

PCI DSS Compliant

OroCommerce is PCI DSS compliant and is reassessed every year. This means that every resource we use, including our servers, network, software, and configuration, complies with PCI DSS requirements. We handle all customer payment information securely, and perform regular penetration tests and independent vulnerability scans by a PCI DSS-approved scanning vendor.


Want to learn more about how OroCommerce connects to your business ecosystem? Check out these free resources.

Oro Documentation

Oro believes that high levels of security should be by design and the default for every software product. Read more about Oro standards and practices as a data processor to support compliance with GDPR.


Oro Academy

Are you familiar with Service Organization Controls (SOC 2)? Oro fulfills all Security and Availability requirements of the Trust Service Criteria. Learn more about this third-party assessment of an organization’s controls for security, confidentiality, and availability.


Hosting Oro On-premise

If your eCommerce business takes credit cards as a form of payment, you must comply with PCI DSS standards for data security. Whether you deploy in the OroCloud or on-premise, you must know your responsibilities. Read this informative article to better understand your responsibilities and how Oro helps you stay in compliance.
