Security
Last updated: March 22, 2026
Our Commitment
Security is a core principle at Ferntie. We implement comprehensive measures to protect your data and ensure the integrity of our platform. Restaurant data often contains sensitive business information, and we take that responsibility seriously.
Infrastructure Security
Encryption: All data transmitted between your devices and our servers is encrypted using TLS 1.3. Data at rest is encrypted using AES-256.
Hosting: Our infrastructure is hosted on secure, industry-leading cloud providers with SOC 2 Type II compliance. We maintain strict access controls and monitoring.
Redundancy: Critical systems are deployed across multiple availability zones with automatic failover to ensure continuous availability.
Authentication
Secure Authentication: User authentication is handled by Clerk, a leading identity platform that specializes in secure authentication. All authentication flows follow industry best practices.
Password Requirements: We enforce strong password policies. Passwords are never stored in plain text; only salted bcrypt hashes are retained.
Session Management: Sessions expire automatically after inactivity. We support secure session invalidation across all devices.
Access Control
Role-Based Access: Our platform implements role-based access control (RBAC). Restaurant owners can define roles with specific permissions for staff members.
Principle of Least Privilege: Our team follows the principle of least privilege. Employees have access only to systems necessary for their roles, and access is regularly reviewed.
Payment Security
PCI Compliance: Payment processing is handled by trusted payment providers. We do not store complete card numbers or sensitive card data on our servers.
Fraud Detection: We implement transaction monitoring to detect and prevent fraudulent activities. Unusual patterns trigger automated alerts and review processes.
Data Protection
Backups: Regular automated backups are performed with encrypted storage. Backups are tested periodically to ensure data integrity and recoverability.
Data Isolation: Each restaurant's data is logically isolated. Technical measures prevent unauthorized access between tenants.
Data Retention: We retain data only as long as necessary. Upon account closure, data is deleted according to our retention policy.
Monitoring and Incident Response
Continuous Monitoring: Our systems are monitored 24/7 for suspicious activities, anomalies, and performance issues. Automated alerts notify our security team of potential threats.
Incident Response: We maintain a documented incident response plan. In case of a security incident, we follow established procedures to contain, investigate, and remediate.
Breach Notification: In the unlikely event of a data breach affecting your information, we will notify affected users within 72 hours as required by applicable regulations.
Vulnerability Management
Regular Assessments: We conduct regular security assessments, including vulnerability scanning and penetration testing, to identify and address potential weaknesses.
Dependency Updates: We maintain updated dependencies and libraries. Security patches are applied promptly when released by vendors.
Bug Bounty: We maintain a responsible disclosure program for security researchers to report vulnerabilities safely.
Employee Security
Training: All team members complete security awareness training. We conduct regular security drills and phishing simulations.
Background Checks: Background verification is performed for employees with access to sensitive systems.
Your Responsibilities
While we implement robust security measures, maintaining security is a partnership. You can help by:
- Using strong, unique passwords and enabling two-factor authentication
- Keeping your account credentials confidential
- Regularly reviewing user access and removing inactive accounts
- Reporting suspicious activities immediately
- Keeping your devices and browsers updated
- Using secure networks, especially when accessing sensitive data
Contact Security Team
If you discover a security vulnerability or have security concerns, please contact us through your dashboard. We appreciate responsible disclosure and will work with you to address any issues promptly.