Security · Posture & Controls

Attribution data is financial data. We treat it that way.

Restaurant app operators hand us POS, loyalty, and campaign signals from dozens of locations. Every byte is encrypted, tenant-isolated, and auditable, with a small-blast-radius design, Canadian data residency by default, and a written incident response posture we'll walk you through in the Enterprise Audit.

Compliance

Assurances that matter to your legal team.

We picked the frameworks restaurant tech CTOs actually ask about during RFPs. No theatre, no roadmap placeholders. Dates below are enforceable.

  • PIPEDA (Canadian privacy law): Default posture · TO residency
  • GDPR (EU & UK): DPA on file · Article 28
  • PCI-DSS (Scope-free by design): We never touch card data
Architecture

Four pillars of defense in depth.

Controls that are independently meaningful, so one failure doesn't cascade.

01 · DATA

Encryption everywhere, keys rotated.

  • AES-256-GCM at rest (Postgres + S3-compatible object store).
  • TLS 1.3 in transit with HSTS, OCSP stapling, and modern cipher suites.
  • Per-tenant envelope encryption; keys rotated every 90 days via AWS KMS.
  • Row-level security enforced at the Postgres level, no app-code bypass path.
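The last bullet is the one worth seeing concretely. The following is an added illustration, not the company's schema or code: a Postgres row-level security setup in which the database, not application code, binds every read and write to the tenant of the current transaction. The table name loyalty_events, the column tenant_id, the role app_rw and the session setting app.tenant_id are assumptions chosen for the example; the tenant id values are constructed.

```sql
-- Added example (not the company's own schema). Assumed names: table
-- loyalty_events, column tenant_id, role app_rw, setting app.tenant_id.

CREATE TABLE IF NOT EXISTS loyalty_events (
    id         bigserial   PRIMARY KEY,
    tenant_id  uuid        NOT NULL,
    location   text        NOT NULL,
    payload    jsonb       NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- The application works through a non-owner role with DML rights only
-- (the app's login role is assumed to be a member of app_rw).
CREATE ROLE app_rw NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON loyalty_events TO app_rw;
GRANT USAGE, SELECT ON SEQUENCE loyalty_events_id_seq TO app_rw;

-- Enable RLS and FORCE it so the table owner is subject to the policies too.
ALTER TABLE loyalty_events ENABLE ROW LEVEL SECURITY;
ALTER TABLE loyalty_events FORCE ROW LEVEL SECURITY;

-- One policy covers reads (USING) and writes (WITH CHECK).
-- current_setting(..., true) yields NULL or '' when no tenant was set;
-- NULLIF turns '' into NULL, and NULL::uuid never equals tenant_id, so a
-- connection that forgot to set a tenant sees nothing and writes nothing.
CREATE POLICY tenant_isolation ON loyalty_events
    FOR ALL
    TO app_rw
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per-request setup. SET LOCAL scopes the tenant to this transaction only,
-- so a pooled connection cannot carry it over to the next request.
BEGIN;
SET LOCAL ROLE app_rw;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed tenant id
INSERT INTO loyalty_events (tenant_id, location, payload)
    VALUES ('11111111-1111-1111-1111-111111111111', 'yyz-01', '{"event": "checkin"}');
-- No tenant predicate in the query, yet only this tenant's rows come back:
-- other tenants' rows are invisible to the connection, not filtered by the app.
SELECT id, location, created_at FROM loyalty_events;
-- A write tagged with a different tenant is rejected by WITH CHECK
-- ("new row violates row-level security policy"):
-- INSERT INTO loyalty_events (tenant_id, location, payload)
--     VALUES ('22222222-2222-2222-2222-222222222222', 'yvr-01', '{}');
COMMIT;
```

Two checks keep this meaningful: the application role must not own the table and must not have BYPASSRLS (superusers and BYPASSRLS roles skip policies regardless of FORCE), and a quick audit query against pg_policies for every tenant-bearing table catches tables where RLS was enabled but no policy was ever created, which under ENABLE ROW LEVEL SECURITY defaults to denying all rows rather than exposing them.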

02 · ACCESS

Least privilege, logged end-to-end.

  • SSO (SAML/OIDC) with enforced MFA for all staff dashboards.
  • Production access gated by a short-lived IAM session and a break-glass approver.
  • Every query against tenant data is logged; the log is immutable for 365 days.
  • Secret material lives in a hardware-backed vault, never in env files or repos.

03 · NETWORK

Isolated per-tenant, zero-trust internal.

  • VPC-peered workloads, private subnets only. No public database endpoints.
  • Tenant-scoped namespaces, logical + physical separation for enterprise plans.
  • Egress gateway with allowlists; unknown outbound traffic fails closed.
  • DDoS protection and bot filtering in front of every public edge.

04 · PROCESS

Humans in the loop, not above it.

  • Code review required on every production path, no solo deploys.
  • Quarterly third-party penetration test; findings disclosed in your DPA on request.
  • All staff go through annual secure-coding + phishing drills.
  • Written incident response runbook with 30-minute detect-to-page SLA.

Incident Response

When something goes wrong, here's the clock we run on.

Timelines from first signal to your inbox. Enterprise contracts tighten the first two; all are measurable.

  • 30 min: Detect → page on-call
  • 4 h: Page → tenant notification
  • 72 h: Preliminary post-mortem
  • 14 d: Final RCA + remediation plan

Subprocessors

Every vendor that touches your data.

Updated whenever we add or change infrastructure. A 30-day change notice goes out by email to your DPA contact.

Vendor              Purpose                    Region        Cert.
AWS (ca-central-1)  Compute, storage, KMS      Canada        ISO 27001
Cloudflare          Edge, WAF, DDoS            Global        ISO 27001
Vercel              Static site & preview      Global        Enterprise
Datadog             Observability, tracing     US-1 / EU-1   ISO 27001
1Password           Secret & credential vault  Canada        Enterprise

Found something? We want to hear.

Responsible disclosure gets a human reply within 24 hours. No legal threats, no bounty gimmicks, just a patch and credit if you want it.

security@dualasolutions.com