Security & Compliance

Last Updated: January 3, 2026

At Tableside, operated by Empowered Business Solutions LLC, protecting your restaurant’s data is a core responsibility. This page summarizes the security measures, compliance standards, and data protection practices we maintain for our platform.

Questions? Email security@tablesidepos.com

1. Data Encryption

Data handled by the Tableside platform is encrypted in transit and at rest using industry-standard protocols:

  • In transit: TLS 1.3 encryption on all data transfers between your devices and our servers
  • At rest: AES-256 encryption for all stored data in our databases and backups
  • Backups: Encrypted backups stored in geographically separate, secure locations

2. Payment Card Security (PCI DSS)

Tableside takes payment security seriously and operates in compliance with the Payment Card Industry Data Security Standard (PCI DSS):

  • PCI DSS SAQ compliance: We follow the Self-Assessment Questionnaire (SAQ) requirements applicable to our service model
  • No full card storage: We never store full payment card numbers — all card data is tokenized immediately at the point of capture
  • End-to-end encryption: All payment transactions use end-to-end encryption from terminal to processor
  • PCI Level 1 certified processor: Payment processing is handled by a PCI Level 1 certified payment processor

3. Access Controls

We implement strict access controls to ensure only authorized individuals can access sensitive data:

  • Multi-factor authentication (MFA): Required for all Tableside staff accessing production systems
  • Role-based access control (RBAC): Platform users can assign granular permissions to managers, staff, and administrators
  • Least-privilege principle: Internal staff are granted only the minimum access needed for their role
  • Audit logging: All access to customer data is logged and periodically reviewed

4. Infrastructure Security

Our infrastructure is designed and operated with security as a primary consideration:

  • SOC 2 Type II certified data centers: Customer data is stored in data centers that hold SOC 2 Type II certification
  • Data residency: All customer data is stored in the United States
  • 24/7 monitoring: Continuous infrastructure monitoring with automated alerting for anomalies
  • Firewall & DDoS protection: Network-level firewalls and distributed denial-of-service (DDoS) mitigation
  • Regular patching: Operating systems and software dependencies are kept up to date with security patches

5. Security Assessments & Testing

  • Regular security assessments: We conduct periodic internal and third-party security reviews of our platform
  • Vulnerability management: Identified vulnerabilities are tracked and remediated according to their severity
  • Dependency scanning: Automated scanning of software dependencies for known vulnerabilities

6. Incident Response & Breach Notification

In the event of a confirmed security incident affecting customer data:

  • 72-hour notification: We notify affected customers within 72 hours of a confirmed breach
  • Incident guidance: We provide template letters and guidance to help you meet your own breach notification obligations to guests and employees
  • Remediation: We take immediate steps to contain and remediate security incidents
  • Post-incident review: We conduct root-cause analysis after incidents to prevent recurrence

7. Regulatory Compliance

Tableside is committed to complying with applicable data protection regulations:

  • CCPA (California): California Consumer Privacy Act — rights for California residents and businesses
  • VCDPA (Virginia): Virginia Consumer Data Protection Act
  • CPA (Colorado): Colorado Privacy Act
  • CTDPA (Connecticut): Connecticut Data Privacy Act
  • UCPA (Utah): Utah Consumer Privacy Act
  • GDPR / UK GDPR: Standard Contractual Clauses (SCCs) available; Data Processing Agreements (DPAs) available upon request

To request a Data Processing Agreement, email privacy@tablesidepos.com with the subject line “DPA Request”.

8. Data Retention

  • Active accounts: Data is retained for the duration of your active account
  • Post-cancellation: A 30-day grace period is provided after cancellation to export your data
  • Transaction records: Payment and transaction records are retained for 7 years to meet legal and accounting requirements
  • Secure deletion: Data is securely deleted after retention periods expire

9. Third-Party Vendor Security

We carefully vet all third-party service providers (subprocessors) that handle customer data:

  • All subprocessors are required to maintain appropriate security standards
  • Data processing agreements are in place with all subprocessors
  • A detailed subprocessor list is available to customers upon request

For our full subprocessor list, see the Subprocessors page or email privacy@tablesidepos.com.

10. Reporting a Security Concern

If you believe you have found a security vulnerability or have a security concern related to Tableside, please contact us immediately:

Email: security@tablesidepos.com

Phone: 619-241-4463

Address: 506 S Spring St. #13308, Los Angeles, CA 90013

We take all security reports seriously and will respond promptly to investigate and address any legitimate concerns.

11. Related Policies

This Security & Compliance page was last updated January 3, 2026. For questions about our security practices, contact security@tablesidepos.com.