Security & Compliance

Your restaurant P&L data, protected at every layer

Data Security Standards

Your restaurant's financial data is sensitive. We treat it with the security standards of a bank.

Encryption in Transit

All data traveling between your systems and our servers uses TLS 1.3 encryption. No exceptions, no backdoors.

Encryption at Rest

P&L data stored in our database is encrypted using AES-256. Keys are rotated quarterly per industry standard.

Audit Logging

Every access to your data is logged with timestamp, user identity, and action. Logs are immutable and retained for 2 years.

Role-Based Access

CFO sees all locations. Location managers see only their store's P&L. Permissions enforced at the database layer.

Compliance & Certifications

We comply with financial and privacy standards that matter to restaurant operators.

Current Certifications

  • SOC 2 Type II: Audited annually by a Big Four firm. Covers security, availability, processing integrity, confidentiality, and privacy.
  • GDPR Compliant: Data subject rights enforced. Privacy-by-design. EU representative on file.
  • CCPA Compliant: California privacy law. Opt-out rights. Vendor agreements signed.
  • PCI DSS Ready: If you process payments through us, we follow PCI DSS controls (no cardholder data stored).

Attestations

  • No HIPAA (not applicable to P&L data, but we note it).
  • No FedRAMP (enterprise restaurants don't require federal-level certification).
  • Happy to discuss custom audits or attestations for large restaurant groups.

Data Access & Control

You own your data. You control who sees it.

User Provisioning

Add or remove team members in seconds. Permissions take effect immediately. No manual backend work.

Data Export

Export your full P&L history as CSV or JSON anytime. No lock-in. Format is documented and machine-readable.

Data Deletion

Request permanent deletion of your account and all associated data. We securely wipe it within 30 days. Automated confirmation email provided.

Integrations & API

Our API uses OAuth 2.0. Your API key is scoped to specific permissions. Revoke access anytime from the dashboard.

Incident Response

In the unlikely event of a security incident, here's our process.

Detection

Our security operations team monitors for anomalies 24/7. Automated alerts trigger on unauthorized access attempts, bulk data downloads, or unusual geographic logins.
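As an added illustration of the three alert conditions named above, the following Python script runs them over a handful of constructed audit records. It is example code, not the company's own monitoring, and the log format, the `country` field, the user names and the thresholds are all assumptions chosen for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample audit records in the shape the page describes
# (timestamp, user identity, action). The "country" and "location" fields
# are assumptions added so the geographic and export checks can be shown.
SAMPLE_LOG = [
    "2024-03-01T09:00:00Z user=cfo@example.com action=login country=US",
    "2024-03-01T09:05:00Z user=cfo@example.com action=view_pnl location=store-12",
    "2024-03-01T09:06:00Z user=mgr.store12@example.com action=login country=US",
    "2024-03-01T09:07:00Z user=mgr.store12@example.com action=export location=store-12",
    "2024-03-01T09:07:10Z user=mgr.store12@example.com action=export location=store-13",
    "2024-03-01T09:07:20Z user=mgr.store12@example.com action=export location=store-14",
    "2024-03-01T09:07:30Z user=mgr.store12@example.com action=export location=store-15",
    "2024-03-01T09:07:40Z user=mgr.store12@example.com action=export location=store-16",
    "2024-03-01T09:07:50Z user=mgr.store12@example.com action=export location=store-17",
    "2024-03-01T09:20:00Z user=cfo@example.com action=login country=BR",
    "2024-03-01T09:30:00Z user=mgr.store12@example.com action=access_denied location=store-01",
    "2024-03-01T09:30:05Z user=mgr.store12@example.com action=access_denied location=store-02",
    "2024-03-01T09:30:10Z user=mgr.store12@example.com action=access_denied location=store-03",
]


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    fields: dict = field(default_factory=dict)


def parse_line(line: str) -> Event:
    """Parse one 'timestamp key=value ...' record (assumed format)."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    return Event(ts, fields.pop("user"), fields.pop("action"), fields)


def _burst_alerts(events, predicate, threshold, window, label):
    """Alert once per user when `threshold` matching events fall inside `window`."""
    alerts, fired = [], set()
    recent = defaultdict(list)  # user -> timestamps of matching events in the window
    for ev in events:
        if not predicate(ev):
            continue
        q = recent[ev.user]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:  # slide the window forward
            q.pop(0)
        if len(q) >= threshold and ev.user not in fired:
            fired.add(ev.user)
            alerts.append((label, ev.user, ev.ts))
    return alerts


def _geo_alerts(events, window):
    """Alert when a user logs in from a different country than their previous
    login, and the two logins are closer together than `window`."""
    alerts, last_login = [], {}  # user -> (ts, country) of the latest login
    for ev in events:
        if ev.action != "login" or "country" not in ev.fields:
            continue
        country = ev.fields["country"]
        prev = last_login.get(ev.user)
        if prev and prev[1] != country and ev.ts - prev[0] <= window:
            alerts.append(("unusual_geo_login", ev.user, ev.ts))
        last_login[ev.user] = (ev.ts, country)
    return alerts


def detect(lines, bulk_threshold=5, bulk_window=timedelta(minutes=10),
           denied_threshold=3, denied_window=timedelta(minutes=5),
           geo_window=timedelta(hours=2)):
    """Run the three rules and return (rule, user, timestamp) alerts in time order."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    alerts = []
    alerts += _burst_alerts(events, lambda e: e.action == "export",
                            bulk_threshold, bulk_window, "bulk_download")
    alerts += _burst_alerts(events, lambda e: e.action == "access_denied",
                            denied_threshold, denied_window, "repeated_access_denied")
    alerts += _geo_alerts(events, geo_window)
    return sorted(alerts, key=lambda a: a[2])


if __name__ == "__main__":
    for rule, user, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule} user={user}")
```

Each rule keeps only per-user state inside its window, so the same logic runs unchanged over a live stream of records. The thresholds are deliberately parameters: what counts as "bulk" for a single-store manager differs from what is normal for a CFO pulling every location.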

Response

Potential incident detected → notify affected customers within 4 hours → post-mortem analysis within 24 hours → transparency report within 1 week.

Notification

We'll call and email you directly. No press release before customer notification. We err on the side of transparency.

Infrastructure & Hosting

Your data runs on enterprise-grade infrastructure.

Privacy & Data Handling

What Data We Collect

What We Don't Collect

Third Parties

We share data only with trusted vendors (AWS, Stripe, SendGrid) under data processing agreements. All are SOC 2 certified.

Compliance Team & Escalation

Questions? Contact us directly.

Response time: within 24 hours for compliance-related requests.

Ready to Get Started?

Your P&L data belongs in a secure, compliant system. Start your free trial today.
