Trust and security

Security at Table Menu

Last updated: 2026-04-23

Table Menu does not store, process, or transmit credit card numbers on its servers. Card entry happens entirely inside Stripe's or Clover's secure, PCI-certified environments. Here is what we do to protect operator and guest data.

No card data stored

Stripe Elements and Clover Hosted Checkout are cross-origin: they are served from Stripe's and Clover's own domains, not from Table Menu's. Table Menu receives only payment tokens, never PANs or CVVs.

SAQ A self-attested

Annual PCI DSS v4.0 SAQ A self-assessment. Most recent attestation: April 2026.

Canadian data residency

Production data is stored in Supabase ca-central-1 (Montreal). Some subprocessors are US-based and disclosed on the subprocessor page.

Encryption everywhere

TLS 1.2 or higher in transit. AES-256 at rest. scrypt for password hashes.

Payment security

When a guest enters card details, they are typing into a Stripe-hosted iframe served from js.stripe.com, or are redirected to Clover's checkout page on clover.com. Table Menu's servers never see the card number, expiry, or security code. We receive only a secure token that we use to reference the payment.

Stripe and Clover are each Level 1 PCI DSS Service Providers. Their certifications are verified annually by a Qualified Security Assessor.

Table Menu completes a PCI DSS v4.0 SAQ A self-assessment each year and maintains a signed Attestation of Compliance on file.

Infrastructure

  • All connections to tablemenu.app and tenant subdomains are encrypted with TLS 1.2 or higher. HTTP is redirected to HTTPS.
  • All data stored in our Supabase database is encrypted at rest using AES-256. The primary database region is ca-central-1 (Montreal, Canada).
  • Production database access is restricted to named engineers via role-based permissions. No shared credentials.
  • Each restaurant's data is isolated using PostgreSQL row-level security policies. One tenant cannot access another's data.
  • Dependencies are scanned for vulnerabilities via Dependabot and npm audit. Patches are applied on a rolling basis.
  • Five adversarial security audit rounds closed more than 130 findings before our first tenant launch. Security hardening is a continuous process.

Privacy and PIPEDA

Table Menu operates under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). Our Privacy Policy describes in full what data we collect, how we use it, and your rights as a guest or operator. A full list of subprocessors is available at tablemenu.app/legal/subprocessors.

Responsible disclosure

If you discover a security vulnerability in Table Menu, please email security@tablemenu.app. Our full Vulnerability Disclosure Policy (including scope, safe harbor language, and response SLAs) is at tablemenu.app/legal/vdp. Our security.txt file is published per RFC 9116.

Contact

Security inquiries: security@tablemenu.app
Privacy inquiries: privacy@tablemenu.app
General support: hello@tablemenu.app