System Architecture

Application Layers

Inventory Pro consists of several integrated components organized into distinct layers:

• Web Tier -- Desktop, Mobile, and REST API applications served by IIS. Each handles a different access pattern: full desktop interface, mobile-optimized warehouse operations, and programmatic API access.
• Business Logic -- .NET libraries that handle grid-based bulk operations (receiving, issuing, cycle counts), PDF and barcode generation, Excel/CSV import and export, and core database access.
• Data Tier -- SQL Server databases and file storage for documents, images, and attachments.
• Integration Services -- Scheduled services and real-time connectors for ERP synchronization, EDI document exchange, e-commerce platforms, and other external systems.

Authentication

Inventory Pro supports multiple authentication methods depending on deployment and client requirements: internal credentials with configurable password policies, Single Sign-On via customer identity providers (Active Directory, Okta, SAML), smart card and CAC authentication, and OAuth 2.0 for API access.

Cloud Hosting

Inventory Pro is hosted in a virtualized Azure environment where the workload is split between application servers and database servers. Each client instance is self-contained with its own isolated database -- client data is never commingled. This isolation improves security and allows for independent recovery in an outage.

Application Servers

Application servers handle web requests and store uploaded files. Data on these servers is backed up regularly and replicated across multiple providers.

Database Servers

Database servers store the majority of your business data. These servers are not accessible from outside the production network*. Databases are backed up continuously, and we can restore to a specific point in time if needed -- for example, after a bad bulk import or an accidental bulk operation.

* Unless required by an integration. In that case, we follow least-privilege practices to lock down the endpoint.

Security

• Encryption in transit -- TLS 1.2+ enforced on all connections, HSTS enabled.
• Encryption at rest -- AES-256 for backups; Azure platform encryption for storage.
• Restricted administration -- Administrative access requires strong authentication and is not exposed to the public internet. Management interfaces are accessible only through secured internal channels.
• Network segregation -- Production and development environments are physically and logically separated. Firewall rules follow least-privilege principles.
• Role-based access control -- Over 290 configurable permissions, warehouse-level restrictions, and per-page security checks within the application.

CISS aligns with NIST Cybersecurity Framework (CSF) 2.0 as our primary security framework, with voluntary alignment toward ISO 27001:2022 and SOC 2 Type II goals. See our Security & Compliance page for application-level controls.

Backup & Recovery

We maintain a multi-tier backup strategy with geographic redundancy:

• Continuous -- Point-in-time recovery with fine-grained granularity for rapid restoration (where supported by deployment).
• Daily -- Full backups to a cloud recovery vault, retained for 30 days.
• Off-platform -- Encrypted daily backups to a separate cloud storage provider with immutable object locking for ransomware protection.
• Air-gapped -- Daily copies transferred to on-premises storage, physically separated from production.

All backup data is encrypted before transmission and at rest. Archival storage retains data for up to 12 months.

Recovery Objectives

Data Ownership

Clients own their data. CISS acts as a custodian on your behalf, not an owner. You can export your data at any time in Excel, CSV, or PDF format through built-in reporting. If you leave, your data goes with you.

We do not sell, rent, or share your data with third parties. Your business data exists solely to run your operations inside Inventory Pro -- it is never used for analytics, advertising, or any purpose outside your account.

For our full data handling practices, see the Privacy & Data Policy.

Self-Hosted Deployment

Inventory Pro can run on your own Windows servers, whether on-premises or in your own cloud environment. Self-hosted clients manage their own infrastructure, backups, and security configuration. We provide installation documentation, recommended configurations, and optional consulting services. See our documentation for requirements and setup.

Third-Party Components

Inventory Pro uses licensed components from third parties, primarily under MIT, Apache 2.0, and BSD licenses. A full list is available in the License file within your installation. Our cloud infrastructure runs on Microsoft Azure, which holds ISO 27001, SOC 1/2/3, HIPAA, FedRAMP, and PCI DSS certifications.