Security at Kitch

We keep your restaurant’s data safe.

Simple to use. Locked down under the hood. You own your data. We protect it.

Pre-launch notice: items marked "On full launch" will be in place by full launch, i.e. General Availability (GA).

Core safeguards

Built-in protections today and commitments we're marching toward.

Defense in depth

Layered controls span product, infrastructure, and people.

Tenant isolation

Each restaurant workspace is kept apart with strict guardrails.

Encryption

Modern encryption protects data in transit and at rest.

Roles & permissions

Simple roles today; richer RBAC lands with the full launch.

Snapshot

What’s live now vs. on full launch

We’re pre-launch. The items below are scheduled to be in place by full launch (GA).

Capability | Now | On full launch (GA)
Authentication | Pre-launch environment. | Email-based auth; MFA recommended for owners.
RBAC | Pre-launch environment. | Least-privilege roles for owner, staff, admin.
Backups & DR | Pre-launch environment. | Scheduled backups, restore tests; targets at GA: RPO ≤ 24h, RTO ≤ 12h.
Logging & audit | Pre-launch environment. | Centralized logs; sensitive actions audited.
Status page | Pre-launch environment. | Public status page with uptime history.
SSO | Pre-launch environment. | Enterprise SSO/OAuth availability.
Regional data residency | Pre-launch environment. | Regional hosting options for enterprise.
Data export/deletion | Export available on request during waitlist. | Self-serve export and deletion requests honored within published timelines.

Overview

How we protect your business

Clear basics for everyone. Extra details for IT below.

Pre-launch: The controls in this section will be in place by full launch (GA). On full launch

Encryption

Core protections stay on around the clock.

Data is locked when it moves and when it sits.

Strong keys. Modern ciphers.

For IT: protocols & keys
  • TLS 1.2+ for all ingress traffic.
  • AES-256 at rest (provider managed).
  • Cloud KMS + rotation.

Access control

Owners stay in charge of who sees what.

Only the right people see the right things.

Owners set staff roles.

For IT: auth & RBAC
  • Role-based access control with least-privilege defaults.
  • Support for SSO/OAuth where available on enterprise plans. On full launch
  • MFA encouraged for owners and admins.

Tenant isolation

The right walls between restaurants.

Your restaurant runs in its own lane.

No mix-ups between brands or branches.

For IT: data model
  • Separate DB/schema per tenant.
  • Row-level and network isolation.
  • Strict domain routing per tenant.

Reliability

Resilience you can count on

If something breaks, we’ll fix it fast and restore your data.

Pre-launch: The controls in this section will be in place by full launch (GA). On full launch

Continuity planning

Resilience work is underway as we head to GA.

Backups will run on an automated cadence by GA.

Rollback window targeted at 7 days of history.

Multi-zone high availability planned for production.

For IT: DR & SLOs
  • Daily backups plus point-in-time recovery where supported.
  • DR runbooks with quarterly restore tests.
  • Target SLOs published per tier. Status page planned at GA. On full launch

Operational awareness

We respond quickly and learn from every blip.

Incident response plans will be drilled before GA.

Monitoring coverage expands across services.

Audit trails deepen alongside platform maturity.

For IT: logging & alerts
  • Centralized logs with retention policies.
  • Alerts on auth anomalies, rate spikes, and error budgets.
  • Post-incident reviews shared with customers as needed.

Privacy

Guardrails for customer trust

We don’t sell it. We don’t share it without consent.

Pre-launch: The controls in this section will be in place by full launch (GA). On full launch

Data residency

Hosted in reputable clouds. Regional options planned for enterprise. On full launch

Sub-processors

Short, vetted list. Will publish at GA; update if it changes. On full launch

Analytics

Product analytics improve Kitch. Personal data minimized; access limited.

Policy highlights

Pre-launch framing

We’re laying the governance groundwork now so it’s ready at GA.

Vulnerability Disclosure (VDP)

72-hour acknowledgment; email security@getkitch.com; we welcome good-faith reports; bounties not offered pre-launch; formal program planned at GA. On full launch

Data retention (at GA)

We'll publish a simple schedule at GA for app data, logs, and backups; minimize data; defined deletion timelines; minimize analytics PII. On full launch

Compliance roadmap

We’re aligning people, process, and proof

Structured milestones keep the team honest and accountable.

In progress

  • Secure SDLC with automated dependency scans.
  • Policy set drafted and under internal review.
  • Pen-testing before GA with remediation tracking.

Planned after GA

  • SOC 2 Type I → Type II progression.
  • Formal VDP & bug bounty rollout.
  • Public status page history.

FAQ

Answers for owners and IT

Do you store my payment details?

Our payment service provider (PSP) handles card data; no full PAN is stored in Kitch.

Can I export my data?

On request during waitlist; self-serve at GA. On full launch

Do you support Single Sign-On?

Today: secure email auth, MFA recommended. SSO planned for enterprise at GA. On full launch

Where is my data hosted?

Top-tier cloud; regional options at GA. On full launch

Will you run a penetration test?

Pre-GA external pen-test with remediation tracked and ongoing cadence. On full launch

What are your incident notification targets?

Target initial update ≤ 72h after confirmation. On full launch

Do you offer a Data Processing Addendum (DPA)?

Available at GA; DPA coverage for PIPEDA/GDPR/CCPA/CPRA where applicable. On full launch

How do you handle PCI DSS for card data?

Card data is out of scope for Kitch and handled by the PSP; Kitch handles only payment tokens.

How often are backups taken and where stored?

Automated schedule, encrypted storage, periodic restore tests at GA. On full launch

Can I request full account deletion?

Yes, at GA; published timelines honored; backups cleared on the normal cycle except where a legal hold applies. On full launch

Contact

Questions or a security review?

Email security@getkitch.com or request access to our Responsible Disclosure (coming soon).
