Security

1. Infrastructure

BevSync is built on enterprise-grade infrastructure providers, all hosted in the United States:

All data is stored and processed in the United States. We do not currently offer regional data residency options.

2. Encryption

3. Authentication

4. Data Isolation

BevSync is a multi-tenant platform. We enforce strict data isolation so that no Organization can access another's data:

• Organization-scoped queries — every database query is automatically scoped to the authenticated user's Organization ID. There is no path to query another Organization's data.
• Location access control — within an Organization, users are restricted to the Locations they have been granted access to. This is validated on every server action.
• Row-level security — RLS policies are enabled on Supabase database tables as an additional layer of defense.
• Role-based permissions — five user roles (Owner, Manager, Bartender, Accountant, Viewer) with granular permissions determine what actions each team member can perform.

5. PII Protection

When users connect point-of-sale systems, BevSync automatically strips all personally identifiable information (PII) from sales data before it is stored:

• Customer names, email addresses, and phone numbers
• Full payment card numbers, CVV/CVC, and expiration dates
• Social Security Numbers and IP addresses
• Billing, shipping, and delivery addresses
• Employee and server names (replaced with [REDACTED])

Only aggregated sales amounts, quantities, timestamps, and optional payment type summaries are retained for analytics. For full details, see Section 5 of our Privacy Policy.

6. Audit Logging

BevSync maintains a comprehensive audit trail of significant actions across the platform. Each audit log entry records:

• User who performed the action
• Action type (create, update, delete, etc.)
• Entity type and ID affected
• Previous and new values (for updates)
• Timestamp

Unauthorized access attempts are logged with the IP address of the requester. Superadmin impersonation actions are explicitly audit-logged. Audit logs are retained indefinitely and are available to Enterprise plan customers.

7. POS Credential Storage

POS integrations require API keys or OAuth tokens to connect. These credentials are:

• Encrypted using AES-256-GCM before being stored in the database
• Decrypted only at the moment of use for API calls to POS providers
• Never logged, displayed in the UI, or included in data exports
• Deleted when a POS connection is disconnected

Webhook endpoints for POS providers (Square, Toast, Clover) use HMAC-SHA256 signature verification or application-level handshakes to authenticate incoming requests.

8. Data Portability

You own your Organization's data and can export it at any time:

• Self-service export — via Settings > Data, export products, inventory, brand deals, sales, brands, locations, or a complete backup
• Formats — JSON and CSV
• API export — available on Professional and Enterprise plans
• No vendor lock-in — we encourage you to maintain your own backups and will assist with data migration if needed

9. Sub-Processor Security

Our core infrastructure providers maintain their own rigorous security programs:

• Supabase — independently audited; see their security page for current certifications. Supabase Security
• Netlify — independently audited; see their security page for current certifications. Netlify Security
• Resend — Resend Security

10. Reporting Vulnerabilities

If you discover a security vulnerability in BevSync, we ask that you report it responsibly. Please email:

security@bevsync.net

When reporting, please include:

• A description of the vulnerability and its potential impact
• Steps to reproduce the issue
• Any relevant screenshots or logs (redact sensitive data)

We will acknowledge receipt within 48 hours and provide an initial assessment within 5 business days. We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.