Security

To protect the privacy and safety of our clients, partners and users, Velixo:

• maintains a high standard of security practices,
• leverages standard Microsoft 365 functionality,
• enforces strict internal product controls, and
• regularly audits its policies and procedures.

This page provides a summary of Velixo’s compliance with industry standards, and Velixo’s various policies and practices (including security) for your convenience. For full transparency, and detailed information about our SOC2 certification and our various audits and policy documents, please visit the Velixo Trust Center at https://trust.velixo.com.

PHYSICAL SECURITY

Velixo is an Excel-based reporting tool that adds a new toolbar to Excel and a set of functions specially designed to work with ERPs such as Sage Intacct, Acumatica, MYOB Advanced or Cegid. We support different modules of these ERPs such as:  General Ledger, Project Data, and Objects. Two different versions of Velixo are available:

• Velixo Classic (Excel for Windows only — supports Acumatica, MYOB Advanced and CEGID XRP Flex)
  • XLL-based Excel add-in, deployed locally through a Windows Installer .msi package. The installation and usage of the add-in does not require administrative access. Centralized deployment via group policy is supported.
  • The MSI package, as well as the main binaries, are signed using an EV code certificate, managed by Microsoft Azure Key Vault. Controls can be put in place by the administrator to ensure only software signed by our EV code certificate is allowed.
  • Velixo Classic directly communicates with your ERP over HTTPS
  • Velixo Classic is a COM-based Excel add-in that interacts with your file system, the Windows Registry (settings storage), and your cloud ERP system. As such, our add-in might sometimes be falsely flagged as malware by your antivirus. If you’re installing Velixo in a corporate environment, we recommend that you let your IT and security team know about this installation so they can verify and allow-list Velixo in advance. To get more information on the installation process, click here.
• Velixo NX (Excel for Windows, Excel for Mac, Excel Online — supports Acumatica, MYOB Advanced, CEGID XRP Flex, Sage Intacct)
  • Velixo NX is fully cloud-based.
  • The installation of our Excel add-in is self-service and delivered through the Office Add-ins Store (Microsoft AppSource). It does not require administrative access. However, a centralized deployment via the Microsoft 365 admin center is supported.
  • A cloud gateway facilitates communication between Excel and your cloud ERP system. Its presence is necessary to work around browser limitations for cross-origin communications (CORS), however, it never stores any ERP data that passes through.
  • For more information on Office add-ins’ privacy and security, please visit this site.
• Velixo does not process, store, host or retain any ERP data – the connection happens directly between Excel and the connected ERP instance in the cloud over a secured HTTPS connection.
• ERPs supported by Velixo have all been audited by third-parties and comply with various security standards, including but not limited to SOC2. Please visit our partners’ respective security page: Acumatica, Sage Intacct.
• The physical security policies provided by the user’s organization would apply.

ERP and User credentials security

• Users connect to their ERP using the same credentials that they use to access the application through a web browser.
• At the most basic level, Velixo is governed by the same access rights as the ERP username used in connection. Access control is guaranteed by controlling access to the screens, objects and records directly in the ERP.
• Velixo does not store or make a copy of the credentials used by users to connect to their ERP in any external service or even in the Excel file.
  • If the Remember me option is used, this information is stored securely on the user’s computer using Microsoft 365’s Office Runtime Storage (for Velixo NX) or Windows Protected Storage with FIPS-compliant encryption algorithms (for Velixo Classic). This storage is completely local and is automatically purged by Microsoft Excel whenever the add-in is uninstalled.
  • Single Sign-on is also supported, with the following ERPs: Acumatica, MYOB Advanced, Cegid XRP Flex.
• Velixo and its employees cannot access any of your ERP data. We do not have or require access to users’ ERP. 
• In full accordance with a user’s organization security policy, it is the responsibility of the user himself to ensure the proper storage, sharing and security of Excel workbooks containing Velixo functions in the same way as any other Microsoft 365 document. Velixo recommends the use of SharePoint, OneDrive and Teams for storage and collaboration. Additionally, Excel workbooks may be password-protected where applicable.

APPLication-level security & Development practices

• Velixo develops and tests to security best-practices. Every line of our codebase is covered by mandatory reviews.
• Automated tests, continuous integration and code signing are performed using Microsoft Azure Pipelines hosted in Canada, and test servers hosted on AWS in Canada.
• Velixo has strong internal password policies, IP access restrictions and multi-factor authentication for supporting services.
• Velixo employees have minimal access rights to the core platforms used to automate the product and we use a secured password vault to control access to secrets and passwords.
•  Velixo undertakes regular internal reviews of its security policies and practices.

Personal data and Third-party sub-processors

• Please visit our privacy policy for more information regarding our policies for personal data.
• In order to conduct our business and offer relevant and efficient functionality for our products and services to customers, partners and prospects, Velixo uses a number of cloud services. Velixo requires its sub-processors to satisfy equivalent obligations as those required by Velixo. The following list only includes the SOC2-compliant third-party services we use that process personal data (links to their security pages are provided for convenience):
  • Acumatica – is used as Velixo’s ERP system for accounting and as a Customer Relationship Management system. It stores contact or company information of our users. Our instance of Acumatica is hosted by us on AWS in the USA.
  • Amazon Web Services (AWS) – is used to host Velixo’s licensing server.
  • Cloudflare – is used for domain management, DDoS mitigation, caching/content delivery and load balancing.
  • Freshdesk – is used for tickets, product documentation and community forums. It centralizes help for customers, and offers prospects a direct communication channel through Chat functionality embedded on our website (and also within Excel/Velixo). It is available at help.velixo.com and is hosted in the USA.
  • Hubspot – is used as a Customer Relationship Management system, to deliver newsletters to our community or targeted Marketing promotions or communications for subscribed users only.
  • Microsoft Azure Application Insights – is used to securely store product usage information in the form of technical telemetry data.
  • WPEngine – hosts the main velixo.com website.

Other sub-processors

Other sub-processors may be used by Velixo employees to store the minimum relevant set of information required to perform specific functions:

• Microsoft 365 (hosted in the USA) – user data shared with us through Support or Professional Services may be discussed or referenced here.
• Basecamp (hosted in the USA) – user data shared with us through Support or Professional Services may be discussed or referenced here.
• 1Password (hosted in the USA) – user data shared with us through Support or Professional Services may be safely stored at the right employee level in vaults here.

Velixo requires its customers to share access to their system only if required, and if applicable only after a web conference. If information about systems or credentials must be shared with Velixo, we recommend our customers to use online one-time secret tools, such as: https://onetimesecret.com/.

REPORTING A VULNERABILITY

Despite our best efforts, our policies and practices, vulnerabilities can still occur. In the event that a vulnerability is discovered, please contact Velixo Support through our chat on https://help.velixo.com immediately; we will then provide a secure channel to discuss the details.