Security
Your data. Your domain. Locked down.
Plain on the surface. Serious underneath. Encrypted in transit, restaurant-scoped in the database, and governed by role-based access. Below: what runs today, what’s coming by general availability.
Note · Today
In place now.
- Encryption: TLS in transit and managed encryption at rest through our hosting and database providers.
- Tenant scoping: Restaurant data is scoped by restaurant across menus, hours, logs, history, invites, users, and custom domains.
- Access control: Role-based access with owner, manager, and staff roles. MFA for owner accounts is on the roadmap.
- Change history: Prompts, actions, and version history are recorded so teams can review what changed and restore previous states.
- Data ownership: Your data is yours. Your guest data is never sold. Export support is available on request.
- Hosting: Vercel for the public page, managed Postgres for product data, and Supabase-supported auth infrastructure.
Note · Coming
In place by general availability.
- Owner MFA: Multi-factor authentication for owner accounts.
- SSO and OAuth: Single sign-on for owner accounts on group plans.
- Audit log export: Filterable, exportable change log for finance and compliance.
- Customer DPA: A standard data-processing addendum for customers who need it.
- Penetration testing: Annual third-party pen test, with a public summary.
Note · Disclosure
Found something? Tell us.
If you’ve found a vulnerability — or even a hunch worth checking — write us at security@getkitch.app. We review good-faith security reports quickly and are building a formal responsible-disclosure policy.