ERP Integration Guide

Two ways to connect. Built for security-first IT teams.

Marquis IQ supports two connection patterns depending on how your ERP is hosted. Both use the same encryption standard, the same isolated Azure environment, and the same principle: your IT team stays in control of what gets connected and what doesn't.

Pattern 1 · On-Premise ERP

Your data stays inside your network until it's ready to move.

For on-premise ERP environments, Marquis uses Microsoft Integration Runtime (MIR) installed on a Windows Server inside your network. Data flows outbound only, on a schedule your IT team controls. No inbound connections. No changes to your firewall rules.

Architecture diagram (Pattern 1):

Client Network
    ERP Database Tables: On-premise SQL / AS400 / ERP DB
    Filesystem: Flat files, exports, operational data
    Microsoft Integration Runtime: Installed on Windows Server inside your network (client-controlled)
Connection: Encrypted outbound only
Marquis Azure
    Azure Data Factory: Orchestration and pipeline execution
    Marquis IQ Database: Dedicated client resource group

Outbound only, no inbound access
MIR initiates all connections outbound from inside your network. No inbound ports need to be opened. Your existing firewall configuration is unchanged.

TLS encryption in transit
All data transmitted from MIR to Azure is encrypted in transit using TLS 1.2 or higher. Data is never transmitted in plaintext.

Client IT installs and controls the agent
MIR is installed and managed by your IT team on a server you own. You control the service account, the schedule, and when the agent runs. Marquis never has access to the agent host.

IP allowlisting on the Marquis side
Connections from MIR are accepted only from your organization's IP range. All other source addresses are rejected at the Azure perimeter before reaching the pipeline.

Pattern 2 · Cloud-Hosted ERP

No on-premise agent required for cloud ERPs.

For cloud-hosted ERP systems such as NetSuite, Acumatica, and Salesforce, Marquis connects directly via the ERP's published API. Azure Data Factory handles the connection. No software is installed on your network.

Architecture diagram (Pattern 2):

Cloud ERP
    ERP API Endpoint: NetSuite, Acumatica, Salesforce, and other cloud ERPs
Connection: OAuth / API key auth
Marquis Azure
    Azure Data Factory: Direct API connection, no on-prem agent
    Marquis IQ Database: Dedicated client resource group

No on-premise footprint
Nothing is installed on your network. Azure Data Factory connects to the ERP's API directly from Marquis Azure infrastructure. Your IT team grants API access and can revoke it at any time.

OAuth and API key authentication
Authentication uses OAuth 2.0 or scoped API keys depending on the ERP. Credentials are stored in Azure Key Vault and never exposed in pipeline configurations or code.

Read-only, scoped access
Marquis connects with read-only credentials scoped to the data required for analytics. Write access to your ERP is never requested or used.

Same encryption and isolation standard
TLS 1.2+ in transit, AES-256 at rest, and a dedicated client resource group, with the same guarantees as the on-premise pattern.

Azure Architecture

Every client is a dedicated, isolated Azure environment.

Each Marquis IQ client runs in its own dedicated Azure Resource Group. There is no shared database, no shared compute, and no cross-client data access possible at the infrastructure level. Your environment is yours, logically and physically separated from every other client we work with.

This is not a tenancy model. It is full environment isolation, which is why regulated manufacturers and PE portfolio companies with compliance requirements choose Marquis over shared-infrastructure analytics platforms.

Dedicated Azure Resource Group per client
No shared databases or shared compute
No cross-client data access at any layer
Data encrypted at rest with AES-256
Microsoft Entra identity and access management
Environment destroyed at contract conclusion

Data Export Controls

You define the data boundary. We stay within it.

Marquis connects only to the data environments you authorize. You define what enters the authorized data zone, and you retain full responsibility for ensuring that data is appropriate to share. We access what you approve. Nothing more.

For clients subject to export control requirements, including ITAR or EAR, Marquis operates on a client-certified data model. Restricted technical data remains in your controlled systems. The authorized data zone is established and maintained by your team, and Marquis connects only to that zone.

This model is designed to support your compliance posture, not complicate it. Your legal and compliance team retains full control over what Marquis can and cannot see.

Client-defined authorized data zone
Your team establishes and maintains the data environment Marquis is authorized to connect to. Access is scoped to what you approve, not what we request.

ITAR and export-controlled data stays with you
ITAR-restricted technical data, PII, and any other data your compliance team designates as restricted remains in your controlled systems. It does not enter the Marquis-connected environment.

Read-only access, data minimization
Marquis connects read-only and ingests only the data required to produce the analytics you've engaged us to deliver. We apply data minimization throughout the engagement lifecycle.
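
One way a client IT team could enforce an authorized data zone with read-only access on an on-premise SQL Server ERP database, followed by audit queries to confirm the scope. This is an added example, not Marquis's own code or procedure. It assumes SQL Server, and the names ErpDb, marquis_zone, marquis_reader, dbo.SalesOrders and its columns are hypothetical.

```sql
-- Added example; every object name here is hypothetical.
USE ErpDb;
GO
-- 1. The authorized data zone: a schema that holds only approved views.
CREATE SCHEMA marquis_zone AUTHORIZATION dbo;
GO
-- 2. Expose approved columns only; restricted columns stay out of the view
--    and therefore out of anything the integration can read.
CREATE VIEW marquis_zone.SalesOrders AS
SELECT OrderId, OrderDate, ItemNumber, Quantity, ExtendedPrice
FROM dbo.SalesOrders;
GO
-- 3. Dedicated principal for the integration (placeholder secret).
CREATE LOGIN marquis_reader
    WITH PASSWORD = '<GENERATED-SECRET-PLACEHOLDER>', CHECK_POLICY = ON;
CREATE USER marquis_reader FOR LOGIN marquis_reader
    WITH DEFAULT_SCHEMA = marquis_zone;
GO
-- 4. Read-only on the zone, nothing elsewhere. Both schemas are owned by dbo,
--    so ownership chaining lets the view read dbo.SalesOrders even though the
--    user is denied direct access to the dbo schema.
GRANT SELECT ON SCHEMA::marquis_zone TO marquis_reader;
DENY INSERT, UPDATE, DELETE, ALTER, EXECUTE
    ON SCHEMA::marquis_zone TO marquis_reader;
DENY SELECT, INSERT, UPDATE, DELETE, EXECUTE
    ON SCHEMA::dbo TO marquis_reader;
GO
-- 5. Audit: every explicit permission the principal holds in this database.
SELECT pe.state_desc, pe.permission_name, pe.class_desc,
       COALESCE(s.name, OBJECT_NAME(pe.major_id)) AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
LEFT JOIN sys.schemas AS s
  ON pe.class = 3 AND s.schema_id = pe.major_id   -- class 3 = SCHEMA
WHERE pr.name = N'marquis_reader';
-- 6. Audit: role memberships; any row naming db_datawriter or db_owner
--    means the account is no longer read-only.
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'marquis_reader';
-- 7. Behavioural check: read through the view as the integration user.
EXECUTE AS USER = 'marquis_reader';
SELECT TOP (1) OrderId FROM marquis_zone.SalesOrders;
REVERT;
```

Re-running the two audit queries on a schedule lets the compliance team detect scope drift, such as a new view or role membership added outside the approval process.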

Questions for your IT or security team?

We support IT and security reviews as part of every engagement. Reach out and we'll walk through the connection architecture for your specific ERP environment and answer any technical or compliance questions.