Where your data lives.
Inventory, recipes, sales, supplier prices, allergens — that's the operating heart of a food business. Here's exactly how we hold it.
Database in the ca-central-1 region (Montreal/Toronto) on Neon's managed Postgres. Application runs on Vercel's North American edge. We do not export your data to non-Canadian regions. If you sign as a Canadian buyer, your operating data stays in Canada — written into the DPA.
Every connection over HTTPS (TLS 1.3). Database storage encrypted with AES-256 at rest. Backups encrypted with separate keys. The only way to read your row is to authenticate as a member of your org — the database itself doesn't expose plaintext to us.
One shared Postgres cluster, but every row carries an org_id and every query filters by it. Multi-tenancy guards live in `lib/tenant-guards.ts` and run on every read + write. Cross-tenant queries fail at the application layer before they hit the database.
Five roles: owner / admin / manager / accountant / staff. Each lower role inherits a subset of the next. Revenue-facing pages (sales, food cost %, labor) are accountant+; counts and receiving are manager+. Members can be scoped to a single location so a satellite-store lead never sees the central kitchen's books.
Automatic daily snapshots + continuous WAL archiving. If you accidentally delete a recipe or a child's profile, we can restore from any second within the last 7 days. Backups stored in a separate region from the primary.
Every PO send, invoice scan, count adjustment, dispatch, and role change writes a row to the audit log with who/when/what. Soft-deletes preserve history — your historical reports stay accurate even if you remove an old item. Hard-delete on request only.
No credit-card numbers (our PCI-compliant payment processor holds them — we receive tokens only). No social insurance numbers. No driver's licence info. No photos of receipts after the AI scan extracts the data (the image is discarded once you confirm the line items). No parent or child medical records beyond the allergen + dietary flags you choose to enter.
Database: Canadian-hosted Postgres (Ontario region). Hosting: Canadian edge. Auth: third-party identity provider (sessions only, no PII). AI invoice scan: third-party AI API (sends only the image, not your account). Email: Canadian-hosted ESP. Error monitoring: scrubbed of PII before send. We pick vendors whose contract terms let us swap them — your data is never locked to one.
Owners of restaurants, daycares, bakeries who need to write a security review for their parent company or franchise: we'll answer in writing within the same business day. If you need a signed BAA, a custom DPA, or a SOC 2 type-II attestation, ask — we'll route you to the right path.