Security

Boring where it matters.

We don't ask you to trust us — we publish how the platform actually works.

Tenant-isolated Postgres + RLS
Every row in our database carries a venue_id. Postgres row-level security policies (shipped in v3.3) reject cross-tenant reads at the database layer — even a misconfigured API route can't leak another venue's data. We back this up with an automated cross-tenant test suite that runs on every deploy.
TOTP 2FA for venue owners
Owners can enrol an authenticator app (Google Authenticator, 1Password, etc.) for two-factor login. Recovery codes are issued at enrolment time. We don't use SMS — it's a known weak factor.
Stripe-handled payments
Card numbers never touch our servers. We use Stripe Elements / Checkout for capture and Stripe Billing for subscriptions. We hold customer IDs and metadata only. (Stripe is PCI-DSS Level 1.)
Encrypted backups, EU region
Daily automated backups, 30-day retention. Database hosted in EU (Supabase, Frankfurt). We can run point-in-time restores up to seven days back without contacting you first.
GDPR-aligned data handling
Customer-PII columns are isolated and exportable. We anonymise inactive customer rows after 90 days of dormancy. Subject access and deletion requests are handled via your /account/customers screen.
Granular staff roles
Owner, manager, waiter, kitchen, host — each with strictly-scoped permissions enforced server-side. Invites are single-use signed tokens; revocation is immediate.

Responsible disclosure

If you've found a security issue, please email security@lodat.co.uk with reproduction steps. We'll acknowledge within 24 hours and aim to fix or mitigate within 7 days. We don't pay bounties yet, but we will name + credit you in our changelog with permission.

Talk to us about security

Security

Boring where it matters.

We don't ask you to trust us — we publish how the platform actually works.

Tenant-isolated Postgres + RLS
Every row in our database carries a venue_id. Postgres row-level security policies (shipped in v3.3) reject cross-tenant reads at the database layer — even a misconfigured API route can't leak another venue's data. We back this up with an automated cross-tenant test suite that runs on every deploy.
TOTP 2FA for venue owners
Owners can enrol an authenticator app (Google Authenticator, 1Password, etc.) for two-factor login. Recovery codes are issued at enrolment time. We don't use SMS — it's a known weak factor.
Stripe-handled payments
Card numbers never touch our servers. We use Stripe Elements / Checkout for capture and Stripe Billing for subscriptions. We hold customer IDs and metadata only. (Stripe is PCI-DSS Level 1.)
Encrypted backups, EU region
Daily automated backups, 30-day retention. Database hosted in EU (Supabase, Frankfurt). We can run point-in-time restores up to seven days back without contacting you first.
GDPR-aligned data handling
Customer-PII columns are isolated and exportable. We anonymise inactive customer rows after 90 days of dormancy. Subject access and deletion requests are handled via your /account/customers screen.
Granular staff roles
Owner, manager, waiter, kitchen, host — each with strictly-scoped permissions enforced server-side. Invites are single-use signed tokens; revocation is immediate.

Responsible disclosure

Talk to us about security

Boring where it matters.

Security pillars

Tenant-isolated Postgres + RLS

TOTP 2FA for venue owners

Stripe-handled payments

Encrypted backups, EU region

GDPR-aligned data handling

Granular staff roles

Responsible disclosure

Boring where it matters.

Security pillars

Tenant-isolated Postgres + RLS

TOTP 2FA for venue owners

Stripe-handled payments

Encrypted backups, EU region

GDPR-aligned data handling

Granular staff roles

Responsible disclosure