Security in plain English
Your restaurant's data and your guests' details live in our systems. We take that seriously. This page tells you exactly how we keep them safe — without the jargon — so you can hand it to your CFO, your bank, or your security questionnaire without rewriting a word.
Where your data lives
Restpy runs on AWS Mumbai (ap-south-1) primary, with disaster-recovery replication to AWS Singapore (ap-southeast-1). Everything sits inside a private VPC behind a load balancer with WAF rules tuned to the OWASP Top 10. Public access goes only through CloudFront with TLS 1.3.
- At rest: AES-256 on all RDS volumes, S3 buckets and EBS snapshots.
- In transit: TLS 1.3 with HSTS preload submitted.
- Backups: daily encrypted snapshots, 35-day retention, point-in-time recovery.
- Tenancy: single database, row-level tenant isolation via `restaurant_id` enforced at the query layer (BranchScope-style middleware on every model).
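The row-level tenant isolation described above, as an added example that is not Restpy's own code: a scoped query layer binds `restaurant_id` from a per-request context and injects it into every read and write, so another tenant's row is simply invisible and an unscoped query fails closed. The names (`current_restaurant`, `TenantScopedTable`, the `orders` table and its rows) are assumptions constructed for the demo.

```python
import sqlite3
from contextvars import ContextVar

# Hypothetical tenant context set by per-request middleware after authentication;
# the page only says restaurant_id is enforced at the query layer, names are illustrative.
current_restaurant = ContextVar("current_restaurant", default=None)

class TenantScopeError(RuntimeError):
    """Raised when a query would run with no restaurant_id bound."""

class TenantScopedTable:
    """Query layer that injects `restaurant_id = ?` into every read and write."""
    def __init__(self, conn, table):
        self.conn, self.table = conn, table  # table name is code-controlled, never user input
    def _tenant(self):
        rid = current_restaurant.get()
        if rid is None:  # fail closed: no bound tenant means no query at all
            raise TenantScopeError(f"no restaurant bound for query on {self.table}")
        return rid

    def select(self, where="1=1", params=()):
        sql = f"SELECT * FROM {self.table} WHERE restaurant_id = ? AND ({where})"
        return self.conn.execute(sql, (self._tenant(), *params)).fetchall()

    def insert(self, **cols):
        cols["restaurant_id"] = self._tenant()  # overwrite anything the caller supplied
        names, marks = ", ".join(cols), ", ".join("?" for _ in cols)
        cur = self.conn.execute(f"INSERT INTO {self.table} ({names}) VALUES ({marks})", tuple(cols.values()))
        return cur.lastrowid

def demo():
    """Constructed sample: restaurants 101 and 202 share one orders table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, restaurant_id INTEGER NOT NULL, total INTEGER)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [(1, 101, 450), (2, 101, 900), (3, 202, 120)])
    orders = TenantScopedTable(conn, "orders")
    token = current_restaurant.set(101)  # what the middleware does for a logged-in staff member of 101
    try:
        visible = [row[0] for row in orders.select()]         # [1, 2]
        cross = orders.select("id = ?", (3,))                  # []: order 3 belongs to 202
        new_id = orders.insert(total=60, restaurant_id=202)    # stored under 101 regardless
        stored = conn.execute("SELECT restaurant_id FROM orders WHERE id = ?", (new_id,)).fetchone()[0]
    finally:
        current_restaurant.reset(token)
    refused = False
    try:
        orders.select()  # outside any request context: must fail closed
    except TenantScopeError:
        refused = True
    return visible, cross, stored, refused
```

The check a reviewer would make against such a layer is that every model path goes through it: a single raw query that skips the scope is the cross-tenant bug.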
Application-layer protections
- CSRF on every form (tokens rotated per session).
- Role-based access control + per-staff permission overrides, audited.
- Email-OTP 2FA — toggleable per-role (super admin, owner, manager, kitchen, etc.).
- Brute-force protection with exponential back-off after 5 failed login attempts.
- IP allow-listing for sensitive accounts (super admin, accountant).
- Rate limiting on every public endpoint via Cloudflare and an in-app token-bucket fallback.
- Auto-logout on idle (default 60 min for managers, 8 min for waiter / kitchen tablets shared between staff).
- Strict CSP + X-Frame-Options + X-Content-Type-Options headers on every response.
Payments & PCI
Card data never touches Restpy's servers. Razorpay (PCI-DSS Level 1) and Stripe (also Level 1) handle tokenisation directly. Restpy only ever sees the opaque payment-intent id and the post-capture status webhook. Your customers' cards stay with the network. Your restaurant's own Razorpay keys can be plugged in — payments collected from QR/web orders go to your bank, not ours.
Compliance
- SOC 2 Type II — certified Q1 2026 by Prescient Assurance.
- ISO 27001:2022 — in progress, targeting Q3 2026.
- GDPR (EU) — DPA available on request. EU guest data lives in the same encrypted store; data-subject deletion is a one-click action in the super admin console.
- India DPDP Act — full compliance. Grievance officer reachable at team@ketpy.com.
- GSTIN / e-invoice IRN — direct API integration with the IRP for B2B invoices over ₹50,000.
Reporting a vulnerability
We pay bug bounties up to ₹2,00,000 for critical issues. Email team@ketpy.com with proof-of-concept and reproduction steps. Please give us 90 days before public disclosure. We acknowledge every valid report within 48 hours.
Audit logs & forensics
Every change a staff member makes — menu edit, order status change, refund, login, settings change — is logged with timestamp, role, IP and user agent in an append-only activity table. Logs are immutable for 12 months minimum, exportable to CSV at any time. If anything ever goes wrong, you can answer "who did what" in under a minute.