Security isn't a feature toggle at oliiva — it's baked into the architecture. Every layer, from the database to the browser, is hardened by default.
All data is encrypted in transit with TLS 1.3. Passwords are never stored — only bcrypt hashes with a cost factor of 12. Database backups are encrypted at rest with AES-256.
Platform staff, restaurant staff, and end-clients each authenticate through a separate session surface. A compromised client token cannot escalate to staff or platform access — ever.
Every database query is scoped to a single tenant via Row-Level Security (RLS) policies enforced by Supabase/PostgreSQL. No cross-tenant data leakage is architecturally possible without a direct DB breach.
Card data never touches our servers. Stripe (PCI DSS Level 1 certified) tokenises all card details at the browser layer. We store only Stripe Customer IDs and non-sensitive metadata.
Production runs behind Cloudflare (DDoS protection, WAF). The application server exposes no direct ports — all traffic is proxied. SSH access is key-only; root login is disabled.
Every inbound webhook (Stripe, Tap, Wise) is verified with HMAC-SHA256 signature validation before any payload is processed. Replay attacks are blocked by timestamp comparison (±5 min).
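As an illustration of the check described above (an added example, not oliiva's own code): a Node.js verifier that recomputes the HMAC-SHA256 over timestamp plus raw body, compares it in constant time, and then enforces the ±5 min window. The header format `t=<unix seconds>,v1=<hex digest>`, the function names and the sample secret and payload are assumptions made for the example; each provider defines its own header and signed-string layout.

```javascript
const nodeCrypto = require("node:crypto");

const TOLERANCE_SECONDS = 5 * 60; // the ±5 min replay window stated on this page

// Assumed signed string: "<timestamp>.<raw request body>". Signing the timestamp
// together with the body means a captured request cannot be re-stamped.
function sign(secret, timestamp, rawBody) {
  return nodeCrypto.createHmac("sha256", secret)
    .update(`${timestamp}.`).update(rawBody).digest("hex");
}

// header: hypothetical "t=<unix seconds>,v1=<hex HMAC>"; rawBody: the exact bytes
// received, before any JSON parsing (re-serialising changes the digest).
function verifyWebhook(secret, header, rawBody, nowSeconds = Math.floor(Date.now() / 1000)) {
  const fields = Object.fromEntries(
    String(header).split(",").map((kv) => {
      const i = kv.indexOf("=");
      return [kv.slice(0, i).trim(), kv.slice(i + 1).trim()];
    })
  );
  // Strict shape checks also guarantee equal buffer lengths for timingSafeEqual.
  if (!/^\d{1,12}$/.test(fields.t || "") || !/^[0-9a-f]{64}$/i.test(fields.v1 || "")) {
    return { ok: false, reason: "malformed-header" };
  }
  const expected = Buffer.from(sign(secret, fields.t, rawBody), "hex");
  const received = Buffer.from(fields.v1, "hex");
  if (!nodeCrypto.timingSafeEqual(expected, received)) {
    return { ok: false, reason: "bad-signature" };
  }
  // Only a timestamp covered by a valid MAC is trusted for the freshness check.
  if (Math.abs(nowSeconds - Number(fields.t)) > TOLERANCE_SECONDS) {
    return { ok: false, reason: "stale-timestamp" };
  }
  return { ok: true, reason: null };
}

// Constructed sample data, not a real secret or event.
const sampleSecret = "constructed-test-secret";
const sampleBody = '{"id":"evt_constructed","type":"payment.succeeded"}';
const sampleTime = 1700000000;
const sampleHeader = `t=${sampleTime},v1=${sign(sampleSecret, String(sampleTime), sampleBody)}`;
console.log(verifyWebhook(sampleSecret, sampleHeader, sampleBody, sampleTime + 60));
console.log(verifyWebhook(sampleSecret, sampleHeader, sampleBody, sampleTime + 3600));
```

A timestamp window bounds how long a captured request stays valid; rejecting a second delivery inside the window additionally requires recording processed event IDs.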
All platform staff actions, tenant config changes, and payment events are written to append-only audit logs. Logs are retained for 12 months and cannot be deleted via the UI.
npm dependencies are pinned and reviewed on every change. Dependabot monitors for CVEs. We run `npm audit` as part of CI. No dependency with a known high-severity vulnerability ships.
A data processing agreement is available on request. Personal data is stored in EU data centres (Frankfurt). Data export and erasure are supported.
SAQ-A scope — card data is fully delegated to Stripe. No cardholder data is stored, processed, or transmitted by oliiva.
Production infrastructure targets 99.9% uptime. Status page at status.oliiva.com (coming Q3 2026).
If you discover a security vulnerability in oliiva, please report it to security@oliiva.com. We acknowledge all reports within 48 hours and commit to keeping you updated through resolution. We do not pursue legal action against good-faith researchers.
For general questions: hello@oliiva.com