Skip to contentSkip to content
Trust

Security & trust.

Where your data lives, who touches it, and what happens when something goes wrong. Last updated .

§1Where your data lives

Application data — menus, ingredients, allergens, dishes, translations, printables — is stored in the EU (Ireland / Frankfurt) on managed Postgres infrastructure. Static assets and the marketing site are delivered by Cloudflare's global edge, with EU points-of-presence preferred.

We do not replicate customer data outside the EEA. Where a sub-processor operates from a non-EEA jurisdiction (e.g. transactional email delivery), transfers are governed by the European Commission's Standard Contractual Clauses. The full list is maintained in the Data Processing Addendum.

§2Tenant isolation

Every row of customer data is scoped to a workspace and enforced at the database with Row-Level Security. A request cannot read or mutate another workspace's rows regardless of the client, the endpoint, or the caller's role — the check runs inside the query planner, not in application code.

Roles (owner, manager, editor, viewer) live in a dedicateduser_rolestable and are resolved via a security-definer function, so privilege elevation is impossible from the client.

§3Authentication

Sign-in is email + password with optional Google OAuth. Sessions are held in httpOnly cookies with rolling refresh. Reset and invite links are single-use, time-limited, and delivered by a verified sending domain. Anonymous sign-ups and self-serve admin escalation are disabled at the auth layer.

§4Encryption

All traffic — marketing, admin, guest menus, printable exports, webhooks — is served over TLS 1.2+ with HSTS. Certificates renew automatically at the edge.

Data at rest is AES-256 encrypted on managed volumes. Backups are encrypted with independent keys and retained for 7 days on a rolling basis.

§5Audit trail

Publishing a menu writes an immutable version snapshot and an audit entry with the actor, timestamp, and readiness state. Scheduled publishes run through the same gate — there is no shortcut path that bypasses the compliance checklist. Restaurants can export their audit log at any time from the workspace's settings.

§6Backups and recovery

Postgres runs with point-in-time recovery. Daily encrypted snapshots are retained for 7 days; longer retention is available on Enterprise. Recovery Point Objective (RPO) is under 5 minutes; Recovery Time Objective (RTO) target is under 4 hours for a full-region failure.

§7Internal access

Production access is restricted to named engineers on organisation-issued hardware. Elevated database access requires justification and is logged. Support agents never see customer passwords or payment details — Paddle is the merchant of record for all billing, so card data never touches Crumb's systems.

§8Vulnerability management

Dependencies are automatically scanned on every deploy. Security advisories affecting production paths are patched within 7 days for High and 30 days for Medium severity. We welcome responsible disclosure at security@crumb.menu and respond within 3 business days.

§9Incident response

Confirmed personal-data incidents are notified to affected controllers within 72 hours as required by GDPR Article 33, with a follow-up post-mortem covering root cause, timeline, and remediation. Non-personal-data incidents (e.g. availability outages) are surfaced on the status page within 30 minutes of confirmation.

§10Compliance posture

  • EU 1169/2011 workflow — the full 14 regulated allergens, may-contain handling, ingredient-level source of truth.
  • GDPR — controller / processor roles set out in the DPA.
  • PCI — not applicable; card data never enters Crumb.
  • SOC 2 — not currently certified. Inherit relevant controls from our managed infrastructure providers; happy to share their reports under NDA.

§11Enterprise requests

For security questionnaires, DPIA support, countersigned DPAs, custom retention policies, or a sub-processor change subscription, write to security@crumb.menu. We reply within one business day.