DineRoute / Security
Security posture · April 2026

Encrypted, audited, and honest about both.

Restaurants trust us with ad event data tied to real customers. We protect it with infrastructure hygiene, third-party audits, and a rule: never store or share more than we need to fire a platform_click event cleanly.

How we handle your data
01 Data handling

Ad event payloads flow through DineRoute edge workers. They are hashed where possible, encrypted in transit, and never shared with third parties other than the Meta/Google destinations the operator explicitly connects.

  • PII hashed (SHA-256) before transmission to ad platforms
  • No user-level event data retained beyond 30 days
  • Operator can export or delete all event logs on demand
  • GDPR DPA available on request · CCPA compliant

02 Infrastructure

Platform runs on Cloudflare Workers + Supabase Postgres with read-replicas across three regions. All traffic is TLS 1.3. No customer data touches our laptops.

  • Encryption at rest (AES-256) on all Supabase storage
  • TLS 1.3 enforced · HSTS preloaded · CSP headers strict
  • Secrets managed in Cloudflare Workers KV, rotated quarterly
  • 99.95% uptime SLA for paid tiers (status.dineroute.com)

03 Compliance

Independent audit work started April 2026 with Vanta. We publish progress openly — no "SOC 2 compliant" posturing while pre-audit, no hidden subprocessors.

  • SOC 2 Type II audit in progress · complete Q3 2026
  • Vanta-monitored controls (access, MFA, endpoint, backups)
  • DPA, privacy policy, subprocessor list public
  • Annual penetration test · vulnerability disclosure program
Controls in effect

The specific things we do every day.

Compliance is easy to claim, hard to sustain. Here are the operational practices that make the badges meaningful.

01 Access controls
MFA required on all employee accounts. Role-based access to customer data, least-privilege by default, all actions audit-logged.
02 Encryption
AES-256 at rest, TLS 1.3 in transit. Keys rotated via Cloudflare-managed KMS. Backups encrypted and region-isolated.
03 Incident response
24/7 on-call rotation. Status page at status.dineroute.com with active-incident updates. Public postmortems for anything customer-impacting.
04 Data residency
Primary data in us-east. EU customers can request eu-west residency (Enterprise tier). Never copied outside contracted region.
05 Subprocessor hygiene
Four subprocessors total (Cloudflare, Supabase, Stripe, Postmark). Full list at /subprocessors. 30-day notice of any change.
06 Vulnerability disclosure
Responsible disclosure to security@dineroute.com. We respond within 24 hours and publish a write-up after resolution when appropriate.
Certifications & Partners

The full compliance picture.

Where we stand with each framework and partner — status-honest, not status-posturing.

  • SOC 2 Type II (In progress): Controls audit in progress with Vanta
  • GDPR (Ready): EU data handling · DPA on file
  • CCPA (Compliant): California resident rights honored
  • Meta Business Partner (Applied): Marketing Partner application pending
  • Google Partner (Verified): Certified admin for client accounts

Talk to us

Security questions go straight to a human.

No ticket routing, no tier-one gate. Our security team reads every email and replies within one business day, faster for anything active.