In short
- Tenant data is separated with restaurantId and server-side authorization checks.
- Support access must be limited, traceable and justified.
- Backup, restore, e-mail and image storage must receive final documentation against the selected production setup before broad commercial operation.
Technical and organisational measures
- Tenant-owned records are separated by restaurantId and server-side authorization checks.
- Admin sessions use random tokens stored in httpOnly cookies, with secure cookies in production.
- Passwords are stored as PBKDF2 hashes and password reset tokens are stored hashed with expiry.
- Superadmin activity, platform events and alerts are logged for support and security follow-up.
- Operational logs must avoid unnecessary personal data; sensitive event metadata is redacted where supported.
- Production secrets are managed through environment variables and must not be committed.
- Calendar export links are private bearer links and must be regenerated if shared with the wrong recipient.
Known roadmap items
- Final backup and restore policy must be documented against the selected production database.
- E-mail provider and image storage must be security-reviewed before activation.
- Support and production data access must be connected to an internal access routine before commercial launch.