Security — MenuPulse

Four Layers of Protection

🔐

Verified Identity on Every Request

Every request to our servers is checked against your active session. If the session is missing or expired, the request is refused before any data is touched.

🏠

Your Account, Your Data Only

Your data is locked to your account at the server level. No request — however it is constructed — can retrieve another customer's data using your credentials.

🛡

Database-Level Isolation

Ownership is enforced directly in the database using Row Level Security policies — a second, independent barrier that operates below the application layer.

🔒

Encrypted at Rest & in Transit

All data is encrypted at rest (AES-256) and all traffic between your browser, our API, and our database travels over TLS 1.2 or higher.

How You Sign In

MenuPulse uses magic-link authentication — you enter your email, receive a secure link, and click to sign in. There are no passwords to be phished or leaked.

When you sign in, your browser receives a signed session token. Every API call your browser makes to our backend includes that token. Our servers verify it on every single request — your data is only accessible when that verification passes.

No passwords stored — we cannot leak what we do not hold
Session tokens expire automatically and refresh silently while you are active
Signing out immediately invalidates your session across all devices
Your verified identity — not anything you type into a form — controls what data you can see

How We Keep Accounts Separate

MenuPulse serves multiple restaurant groups on shared infrastructure. Every piece of your data — recipes, invoices, staff, AI briefs, integrations — is tagged to your account ID in the database.

Two independent mechanisms enforce isolation simultaneously:

Server-side ownership checks — every endpoint uses your verified session identity to scope database queries. Parameters you send in a request are never trusted to determine what data you can access.
Row Level Security at the database — Postgres enforces ownership rules at the storage layer. Even if the application layer were somehow bypassed, the database itself refuses to return rows that do not belong to your account.

Both layers must fail simultaneously for any cross-account data access to occur.

Additional Protections

Rate limiting — All API requests are rate-limited per IP address. Automated abuse and credential-stuffing attempts are throttled before they reach application logic.
Clickjacking prevention — Every page served by MenuPulse includes an X-Frame-Options: DENY header, preventing your session from being embedded inside a malicious iframe.
HTTPS enforcement (HSTS) — Browsers are instructed to connect to MenuPulse exclusively over HTTPS for 12 months via a Strict-Transport-Security header. Downgrade attacks to plain HTTP are blocked.
MIME sniffing prevention — A X-Content-Type-Options: nosniff header prevents browsers from misinterpreting file types in ways that could enable content injection.
Browser permission lockdown — Camera, microphone, and geolocation browser APIs are explicitly disabled via a Permissions-Policy header. MenuPulse never requests access to these.
Restricted API origin (CORS) — The backend API only accepts requests from menupulse.io and authorized Vercel preview deployments. Requests from any other origin are rejected before reaching application logic.

What We Protect

Every category of customer data is covered by both enforcement layers described above:

Recipes and specs — formulations, prep steps, allergens, plating notes, portion costs
Invoices and pricing — vendor invoices, line item pricing, cost trend history
Staff and schedules — employee records, shift schedules, labor targets, availability
Financial data — prime cost entries, food cost percentages, labor summaries
Operational AI — Sage daily briefs, restaurant memory, proactive alerts
POS and review data — sales data from Toast, Google review snapshots and sentiment
Integrations — third-party API credentials (e.g., Toast) stored encrypted

Infrastructure Partners

We rely on a small number of trusted providers to run MenuPulse. Here is what each one handles and how your data is treated.

Supabase

Database, authentication, and file storage. Data encrypted at rest and in transit. Hosted on AWS. SOC 2 Type II certified.

Anthropic (Claude)

Powers the Sage AI engine. Operational context is sent to Claude to generate briefings and recommendations. Anthropic does not train on API-submitted data by default.

Stripe

Billing and subscription management. Card data is never seen or stored by MenuPulse — Stripe handles all payment processing under PCI DSS compliance.

Railway

Hosts the MenuPulse backend API. Application code and environment variables only — no customer data is persisted on Railway infrastructure.

Vercel

Hosts the MenuPulse frontend. Serves static files only — no customer data passes through or is stored on Vercel.

Resend

Transactional email delivery — Sage daily briefs and operational alerts sent to your inbox from sage@menupulse.io.

What We Do Not Do

We do not sell or share your data with third parties for advertising or profiling
We do not use your recipes, costs, or operational data to train AI models
We do not store payment card numbers, CVVs, or full card data — Stripe handles all of that
We do not access your account data for any purpose other than providing MenuPulse to you
We do not retain data after account deletion beyond what is required by law

Your Rights

Export — You can request a full export of your account data at any time. Email hello@menupulse.io.
Deletion — You may request complete deletion of your account and all associated data. We will confirm completion within 30 days.
Integration control — You can disconnect any third-party integration (e.g., Toast POS) at any time from the Integrations page — no contact required.
Correction — If we hold inaccurate information about you, contact us and we will correct it promptly.

Our Commitment

Your restaurant's data is yours. We are stewards of it, not owners. Our obligation is to protect it with the same seriousness you apply to your back-office files — except the locks are cryptographic, enforced at multiple independent layers, and continuously reviewed.

If you have a security question, concern, or want to report a vulnerability, we respond within one business day.

hello@menupulse.io

Your Data Is Yours