What we do
to keep your data safe.

100% RLS coverage across 95 tenant tables (audit dated May 10, 2026). Every read query from the operator-facing application enforces RLS via the user's JWT. Service-role bypass is reserved for webhooks, jobs, and the /backoffice cross-tenant surface — and even there we explicitly scope every query by organization_id.

We never see, transmit, or store a full PAN. PCI scope reduced to the SAQ-A category (zero card data touched by our servers).

TOTP-based MFA via authenticator apps. Required for owner role on accounts with 2+ locations. Backup codes generated at enrollment and stored as bcrypt hashes.

Every webhook out of Zayos signed with t={timestamp},v1={hmac}. Verification rejects deliveries older than 5 minutes. Webhook secrets rotatable from /app/integrations.

Order status changes, refunds, menu edits, member adds/removes, integration changes — all logged with actor user_id, role, and IP. Retained 13 months (SOC-2 alignment).

Auth, OTP, password-reset, magic-link, promo validation, order placement, and customer-help submission — all rate-limited per-IP × per-brand. 429 returns Retry-After header.

HTTP traffic 308-redirected to HTTPS. HSTS preload on apex domain. Certificate auto-renewal via Let's Encrypt.

Postgres + R2 file storage encrypted at rest by the provider. Backup snapshots are encrypted and retained 30 days.

If we become aware of a personal-data breach affecting your tenant, we email + call within 72 hours with: scope of data affected, timeline, remediation steps, regulatory-notification recommendations.

Operational status at /status. We don't hide outages — incidents post automatically when health metrics degrade, before tickets land.

Internal RLS + access-control + audit-log audit completed May 10, 2026 (clean). External Type-1 attestation in progress.

Data subject access, correction, deletion supported per /zayos/legal/privacy §7. SCC + UK Addendum available for EU/UK transfers.

Stripe Connect handles all card data. Annual SAQ-A self-attestation on file.