Compliance / Security

Tenant isolation is the invariant.

Auth, RBAC, residency, backups — the parts a procurement compliance reviewer asks about. We answer with code and with honest gaps.

Data residency, end to end

The fiscal record never leaves the EU.

POS writes to local IndexedDB first; the API gateway syncs into Postgres in eu-central-1. The queue keeps the cashier selling through any network drop, and the receipt log stays immutable across every transition.

Tenant isolation is an invariant, not a guard rail

Every query that touches tenant data takes the tenant id from the authenticated session, never from a URL parameter, body field, or query string. Cross-tenant reads are not just unauthorised — they are unreachable by construction. Each release runs a grep gate against the services tree to catch any regression that tries to source tenant from request input.
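As an added illustration of the pattern described above (example code, not the product's own): the repository signature accepts only the authenticated session, so a client-supplied tenant value has nowhere to go, and the grep gate flags any service line that sources the tenant from request input. The type names, the regex, and the in-memory receipt table are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str
    tenant_id: str  # set at login from the user record, never from the client
    role: str


@dataclass(frozen=True)
class Request:
    session: Session
    query: dict  # untrusted client input (URL params, query string, body)


# Constructed in-memory table standing in for Postgres: (tenant_id, receipt_id) -> amount
RECEIPTS = {
    ("t-acme", "r-1"): 1200,
    ("t-beta", "r-7"): 999,
}


def list_receipts(session: Session) -> dict:
    """Every tenant-scoped read is keyed by the session's tenant and nothing else."""
    return {rid: amt for (tid, rid), amt in RECEIPTS.items() if tid == session.tenant_id}


def handle_get_receipts(req: Request) -> dict:
    # The handler cannot forward req.query["tenant"]: the repository only takes a Session,
    # so a cross-tenant read is unreachable by construction, not merely rejected.
    return list_receipts(req.session)


# Release-time grep gate (assumed pattern): any line that reads a tenant value
# out of request input is a regression and fails the build.
TENANT_FROM_INPUT = re.compile(
    r"(?:request|req)\.(?:args|query|params|form|json|body)\b[^\n]*?tenant", re.I
)


def grep_gate(sources: dict) -> list:
    """Return (path, line_no) for every source line that sources tenant from input."""
    hits = []
    for path, text in sources.items():
        for n, line in enumerate(text.splitlines(), 1):
            if TENANT_FROM_INPUT.search(line):
                hits.append((path, n))
    return hits
```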

Role-based access enforced twice

RBAC checks run at the API gateway and inside each service. A cashier session cannot reach the backoffice reports endpoint, the VAT-config endpoint, the user-management endpoint, or the audit-log endpoint — and removing the front-end gate would not unlock any of them. The matrix lives in agents.md and updates flow into both layers in the same PR.

Auth & session model

Sessions are JWT-bearer, device-bound, and short-lived. Refresh requires re-attesting the device identifier issued at activation. Manager overrides on the POS (refund > €X, void above threshold, force-close shift) require a fresh PIN, not just an existing session.

EU data residency

Production runs in AWS eu-central-1 (Frankfurt). Daily database snapshots stay inside the same region. We do not ship customer rows to a US-region analytics warehouse; the first-party marketing analytics endpoint is the only beacon and its log sink is the same region.

What we are working on

  • SOC-2 Type I — targeting Q4 2026. Labelled “targeting”, not “achieved”. When we have a report, it will say so.
  • Penetration test cadence. Annual third-party pentest with remediation tracked in the audit log.
  • Secret management. AWS Secrets Manager + KMS-encrypted env injection at deploy. No secrets in source, no secrets in .env files shipped to production.
  • Backup & restore drills. Quarterly restore exercise — we measure the time from “snapshot picked” to “POS register transacts again.”

Honest gaps

  • We are not ISO 27001 certified today. We follow the operational practices but have not gone through certification.
  • We do not offer customer-managed encryption keys (CMEK) in v1.
  • We do not currently publish SSO (SAML / OIDC) for the backoffice — it is on the roadmap.

Honesty about today’s posture is more useful than a marketing claim that breaks on the first compliance questionnaire.

Common questions

Where does my data live?
AWS eu-central-1 (Frankfurt). Daily database snapshots stay inside the same region. We do not ship rows to a US-region warehouse.
Do you support SSO?
Not in v1 for the backoffice. SAML and OIDC are on the roadmap. We have not committed a date because we have not designed the rollout — when we have, this page will reflect it.
What is your SOC-2 status today?
We are targeting Type I by Q4 2026. We are not certified today, and we say “targeting” rather than “achieved” on purpose. If a Type I report becomes available, this page will link to it.
Can a cashier read the audit log?
No. RBAC is enforced at the API gateway and inside each service. Removing the front-end gate would not unlock it. The matrix is in agents.md and updates flow into both layers in the same PR.

Send the compliance questionnaire. We'll answer it line-by-line.