New legislation like the EU AI Act is rapidly raising compliance standards in an industry that has been largely unregulated so far.
Now more than ever, it’s critical that sensitive business data and internal processes are not freely shared with external services.
Odoo has taken these concerns seriously and designed its AI features with data protection in mind. The approach gives companies control over their data without forgoing the benefits of AI.
The 4 pillars of Odoo AI security
Odoo’s security framework is built on four distinct pillars that ensure your data remains your own.
1. The "opt-in" philosophy
In Odoo, AI is a choice. You won’t have to search in settings to turn off Odoo AI, as all functions are disabled by default and must be activated individually by an administrator. This ensures:
- Full transparency: You decide exactly which features are active
- Gradual introduction: You can test and approve AI functions one by one rather than enabling them all at once
- Audit-readiness: Because every feature is explicitly enabled, it is much easier to maintain compliance during data protection checks.
2. Minimal data transfer
Odoo follows the principle of data minimisation. When an AI request is made, the system doesn't dump your entire database into the prompt. This adds a layer of security with:
- Targeted selection: Only data actively selected by the user or strictly necessary for the specific use case is transferred
- No mass data access: The AI never receives blanket access to company data
- Traceability: Users retain control and visibility over what information is being processed at any given time.
3. Full sovereignty for on-premise users
For organisations with strict compliance requirements, on-premise installation offers the highest level of control. It rests on:
- Own API key: You use your company's own API key to connect to AI providers
- Internal guidelines: You decide which provider, which model and which data categories are used, so processing follows your own internal data protection policies
- No unapproved third-party models: Data never flows to external services that the company hasn't explicitly chosen itself
- Maximum internal control: Your AI, your rules. This matters most in industries with strict compliance requirements.
4. Local embedding
Perhaps the most technically significant security feature is how Odoo handles its RAG (Retrieval-Augmented Generation) knowledge base. The knowledge base lives entirely in your own database; no external vector database is required.
- Directly in PostgreSQL: Vector embeddings are stored in the existing PostgreSQL Odoo database
- No third-party software: You don’t need Pinecone or external vector database systems
- Data stays in-house: The indexed knowledge base itself never leaves your own infrastructure to be indexed elsewhere; only the chunks retrieved for a specific request are passed to the LLM provider you have configured
- Easy maintenance: The knowledge base sits in the same database as the rest of Odoo, so the backup, access control and retention procedures you already run cover it as well.
Odoo’s AI architecture is built for EU compliance
For European companies, compliant AI adoption doesn’t only require technical knowledge but also legal expertise.
The EU AI Act and GDPR are setting the path for data sovereignty. Still, generic SaaS-only AI models used by many ERPs often fail to meet local compliance standards.
Odoo’s decision to keep the RAG infrastructure local is a strategic response to these European requirements.
It provides a framework that prioritises three critical concerns:
- GDPR compliance and data residency: Because the vector database (the RAG knowledge base) is stored directly in your local PostgreSQL instance via pgvector, sensitive company knowledge never leaves your infrastructure to be indexed by third-party search services
- Control over third-party processors: Because on-premise users supply their own API keys, the company chooses the AI provider itself and can restrict itself to providers that have signed Data Processing Agreements (DPAs) compatible with EU law
- Operational sovereignty: The opt-in philosophy gives an organisation's data protection officer (DPO) full oversight of which AI features are active and what data they may process.
Odoo AI data protection FAQs
Does Odoo AI have blanket access to my leads and products?
No. Odoo does not use embeddings for standard models like leads or products. Instead, it uses AI Tools (server actions) to run standard database queries only when requested. This is regular Odoo querying, and not a semantic search across your entire dataset.
Where exactly are my document vectors stored?
Vectors are stored in the ai.embedding model within your own PostgreSQL database. They are never stored on external servers or directly on the source records themselves.
Can I use a self-hosted LLM to keep all data local?
While you can change the base URL for AI providers, many individual API endpoints are currently hardcoded to match OpenAI's and Google's API structures. Using a self-hosted LLM is possible but may require customisation to handle Odoo's specific endpoint requirements. If you do point Odoo at a self-hosted, OpenAI-compatible endpoint, confirm at the network level that no requests still reach the public provider.
What data is actually sent to the LLM during a RAG request?
When a prompt is assembled, Odoo retrieves the relevant "chunks" from your indexed sources (Knowledge articles, PDFs, etc.) via a similarity search. These chunks are injected into the system message alongside your specific user prompt and the context of the current record. In other words, what reaches the LLM provider is the retrieved chunks, the prompt and the record context, not the knowledge base as a whole.
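To make the retrieval and prompt-assembly step described above concrete, here is an added illustrative example; it is not Odoo's code and does not reproduce the ai.embedding model. The chunks, toy 3-dimensional vectors, query embedding and record values are all constructed. In Odoo the vectors would be rows in PostgreSQL and the similarity search a pgvector query; here the ranking is a plain cosine similarity in Python. The outbound_sources helper and the min_score floor are my additions: a simple audit hook a DPO could use to log which sources actually left the tenant for a given request, and a guard that stops irrelevant chunks from being sent just to fill the top-k.

```python
"""Illustrative model of a data-minimising RAG request (added example, not Odoo code)."""
import math
from dataclasses import dataclass


@dataclass
class Chunk:
    """One indexed slice of a source (Knowledge article, PDF, ...)."""
    source: str             # title of the source document (constructed)
    text: str               # the chunk text that would be injected into the prompt
    embedding: list[float]  # toy vector; in Odoo this lives in the ai.embedding rows


def cosine_similarity(a: list[float], b: list[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    return dot / (norm_a * norm_b)


def retrieve(chunks: list[Chunk], query_embedding: list[float],
             k: int = 2, min_score: float = 0.5) -> list[Chunk]:
    """Rank chunks by similarity and keep the top k above a score floor.

    This is the in-memory stand-in for a pgvector nearest-neighbour query.
    The min_score floor (my addition) prevents unrelated chunks from being
    shipped to the provider merely because k has not been reached.
    """
    scored = sorted(
        ((cosine_similarity(c.embedding, query_embedding), c) for c in chunks),
        key=lambda pair: pair[0],
        reverse=True,
    )
    return [c for score, c in scored[:k] if score >= min_score]


def build_messages(retrieved: list[Chunk], user_prompt: str,
                   record_context: dict[str, str]) -> list[dict[str, str]]:
    """Assemble exactly what crosses the tenant boundary for one request:
    a system message carrying the retrieved chunks and the current record,
    plus a user message carrying the prompt. Nothing else from the database."""
    context_block = "\n\n".join(f"[{c.source}] {c.text}" for c in retrieved)
    record_block = "\n".join(f"{key}: {value}" for key, value in record_context.items())
    system = (
        "Answer using only the context below.\n\n"
        f"### Knowledge chunks\n{context_block}\n\n"
        f"### Current record\n{record_block}"
    )
    return [
        {"role": "system", "content": system},
        {"role": "user", "content": user_prompt},
    ]


def outbound_sources(retrieved: list[Chunk]) -> list[str]:
    """Audit helper: the distinct sources whose content left the tenant."""
    return sorted({c.source for c in retrieved})


# Constructed knowledge base and query embedding (not real Odoo data).
KNOWLEDGE_BASE = [
    Chunk("Return policy", "Customers may return goods within 14 days.", [0.9, 0.1, 0.0]),
    Chunk("Return policy", "Refunds are issued to the original payment method.", [0.8, 0.2, 0.1]),
    Chunk("Payroll handbook", "Salaries are paid on the 25th of each month.", [0.0, 0.1, 0.9]),
]
QUERY_EMBEDDING = [0.95, 0.1, 0.05]  # stands in for the embedding of the user prompt


def example_request() -> tuple[list[dict[str, str]], list[str]]:
    """One request about a (constructed) sales order: only return-policy
    chunks are similar enough to be sent; the payroll chunk stays home."""
    retrieved = retrieve(KNOWLEDGE_BASE, QUERY_EMBEDDING, k=2)
    messages = build_messages(
        retrieved,
        "Can this customer still return the order?",
        {"model": "sale.order", "name": "S00042", "date_order": "2024-05-02"},
    )
    return messages, outbound_sources(retrieved)


if __name__ == "__main__":
    messages, sources = example_request()
    print("Sources sent to the LLM provider:", sources)
    print(messages[0]["content"])
```

Running the script prints the system message as the provider would receive it, which is the artefact to review when answering the question "what did we actually send?". Logging the output of outbound_sources per request gives a DPO a per-call record without storing the prompts themselves.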
Let's discuss your Odoo AI data setup
Our experts are actively working with clients on AI-enhanced Odoo deployments and are happy to tailor our learnings to your needs.