What it does
The Bridge automates secure, bidirectional file exchange between your local folders and the Procuros network:- Outbound: the Bridge watches a local folder your ERP writes into and uploads the files to Procuros.
- Inbound: the Bridge downloads documents from Procuros into a local folder your ERP reads from.
Use cases
Greenfield
No legacy EDI provider in the picture. Files flow directly between your ERP and the Procuros network.
Migration
You are moving off an existing EDI provider. The Bridge sits between your ERP and the legacy provider and decides, per file, whether to route it to Procuros or hand it back to the legacy provider unchanged.
Why teams choose it
- No middleware to build or host. No integration platform, no servers, no custom code.
- Outbound-only networking. The Bridge initiates every connection itself, so there are no inbound firewall ports to open.
- Runs next to your ERP. It works against ordinary local folders on the machine that already runs your system.
- Low-risk, gradual migration. Per-file routing lets you phase a cutover instead of taking a big-bang risk.
- Self-updating. New versions install themselves; there is nothing to patch manually.
How it fits together
Install the Bridge
Install the app on the host that runs your ERP. See the installation page.
Procuros provides your connection
Procuros supplies the SFTP credentials for your account. The connection details are pre-configured for you.
Supported platforms
- Windows (x64) — installed via an MSI; registers a background Windows service.
- Linux (x64) — installed via a
.debor.rpmpackage; registers a systemd service.
The Bridge installs as a machine-wide background service, so installing it requires administrator (Windows) or root (Linux) rights — the same as any service installer. Once installed it runs unattended and keeps itself up to date; there is nothing to launch as a logged-in user.
Technical details
The sections below are intended for infrastructure and security teams reviewing the Bridge for security, reliability, and maintainability.Architecture
The Bridge is a single, self-contained executable — one static binary with no external runtime dependencies — that runs as a background operating-system service. On Windows it installs as a Windows service (ProcurosBridge) that starts automatically at boot; on Linux it installs as a systemd service. Configuration and monitoring happen through a local web UI the service serves on the loopback interface (127.0.0.1); the Bridge holds no open inbound network listener.
It is local-first. Configuration and operational logs are stored on the host in a machine-wide, OS-protected data directory (C:\ProgramData\ProcurosBridge on Windows, /var/lib/procuros-bridge on Linux) — configuration as files, logs in a local SQLite database.
Connectivity and network egress
Every connection the Bridge makes is outbound-initiated — it never opens an inbound port. Outbound destinations:| Destination | Port | Protocol | Purpose |
|---|---|---|---|
sftp.procuros.io | 22 | SFTP over SSH | File transfer to and from Procuros |
connect.procuros.io | 443 | HTTPS | Partner validation and per-file migration routing |
api.axiom.co | 443 | HTTPS | Operational log shipping |
| Procuros update host (Amazon S3) | 443 | HTTPS | Auto-update manifests and signed binaries |
If your network restricts outbound traffic, allow-list the destinations above. No inbound firewall rules are required.
Security
- Transport encryption. File transfer runs over SFTP (SSH). All platform API, telemetry, and update traffic runs over HTTPS, validated against the system root certificate store.
- Credential handling. SFTP credentials are stored locally on the host in the Bridge’s machine-wide, OS-protected data directory. Credentials are never included in telemetry or transmitted to Procuros logging.
- Signed, verified updates. Releases are cryptographically signed (Ed25519). The updater verifies the signature before installing; an unsigned or tampered update is rejected.
- Local-only control surface. The configuration UI and control API are bound to the loopback interface (
127.0.0.1) and reachable only from the host itself — the Bridge never exposes an inbound network port. Installing the service requires administrator/root rights; thereafter it runs unattended under the operating system’s service manager.
Reliability
- Scheduled sync. Files are exchanged on a configurable interval (5, 15, 30, or 60 minutes; default 5).
- Crash recovery. The operating system’s service manager restarts the Bridge automatically if it stops unexpectedly — Windows Service Control Manager recovery on Windows, systemd on Linux.
- Offline resilience. Operations and logs persist locally and retry. If the network or a downstream service is unavailable, the Bridge retries on the next cycle. Telemetry failures never block file transfer or the user interface.
- Safe transfers. The Bridge will not overwrite an existing file at a destination; on a conflict it leaves the source in place and retries, so files are not silently clobbered.
Observability and telemetry
The Bridge ships operational logs to Axiom in roughly 15-second batches so Procuros can support your integration. The telemetry is metadata only:- Included: sync outcomes (success / skipped / failure), error types, timestamps, a per-installation identifier, platform, and Bridge version.
- Never included: file contents, file paths, or credentials.
Maintainability and updates
- Automatic updates. The Bridge checks for new, signed releases on an interval and installs them in the background. Stable and beta channels are available.
- Versioned configuration. Configuration is versioned with forward- and backward-compatible migrations, so upgrades and rollbacks are safe and do not discard settings.
Data handling summary
- Stored locally: configuration and operational logs, retained on the host until cleared.
- Transmitted to Procuros: business documents (via SFTP) and the metadata needed to route them.
- Transmitted as telemetry: operational metadata only, as described above.
Frequently asked questions
Does the Bridge require opening inbound firewall ports?
Does the Bridge require opening inbound firewall ports?
No. Every connection is initiated by the Bridge outbound. You only need to allow outbound access to the destinations listed under Connectivity.
What data leaves our network?
What data leaves our network?
Business documents are sent to Procuros over SFTP. Operational metadata (sync outcomes, error types, version, a per-installation identifier) is sent as telemetry. File contents, file paths, and credentials are never included in telemetry.
How are updates delivered and trusted?
How are updates delivered and trusted?
Updates are downloaded over HTTPS and cryptographically signed. The Bridge verifies the signature before installing and rejects anything unsigned or tampered with.
Which operating systems are supported?
Which operating systems are supported?
Windows (x64, via MSI) and Linux (x64, via
.deb or .rpm); both install the Bridge as a background service. macOS is not supported for customer installs.Who do we contact for help?
Who do we contact for help?
Email [email protected].