Secure by design for restaurants that run on us

We align our control objectives with the OWASP Application Security Verification Standard (ASVS). That means systematic input validation, auth/session hardening, and secure defaults across the stack.

• Central auth with role-based access and least privilege
• Strong password hashing (Argon2/Bcrypt)
• Rate limiting and abuse prevention on sensitive routes
• Code reviews and dependency monitoring

• TLS in transit with modern ciphers and HSTS
• At-rest encryption at the database and volume levels
• Key and secret isolation in server-side environments

• Hardened network edges and WAF/CDN shielding
• Daily backups, point-in-time restore, and disaster recovery drills
• Separate environments for dev, staging, and production

• Passwords stored using modern password hashing
• Sessions scoped and rotated; short-lived tokens for APIs
• Optional device/session revocation via admin panel

We follow NIST guidance for memorized secrets and do not require arbitrary composition rules that reduce usability.

• Static checks and dependency audits during CI
• Security headers by default: CSP, HSTS, X-Frame-Options, X-Content-Type-Options
• Content Security Policy tuned to block inline and cross-site script execution

• Centralized logs and alerts for auth, privilege, and data access anomalies
• Runbooks for detection, triage, containment, and customer comms
• Post-incident reviews and hardening

We welcome reports from the security community. If you believe you have found a vulnerability, contact contact@pos.ecomsmartify.com.

You can also find our /.well-known/security.txt file with contact and policy details.