Enterprise-grade security built into every layer of OpenDine. From encryption to access controls, here's how we protect you.
Security isn't a feature; it's the foundation. We build with these principles at every layer.
All data is encrypted at rest with AES-256 and in transit with TLS 1.2+ using strong cipher suites. Encryption keys are managed separately from data.
Every request is authenticated and authorized. We use the principle of least privilege: each user and service gets only the permissions they need.
Every significant action on the platform is logged with actor, timestamp, and IP. Logs are immutable and retained for 2 years for forensic analysis.
Your restaurant's data is completely isolated from all other tenants. Database queries are scoped by tenant_id, so there's no cross-tenant data leakage.
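The tenant-scoping rule above is easiest to see in code. The following is an added example, not OpenDine's own code: it assumes a hypothetical orders table with id, tenant_id and item columns, two constructed restaurants rest_a and rest_b, and an in-memory SQLite database. It routes every query through one repository that always adds the tenant_id predicate, and contrasts it with an unscoped primary-key lookup, which is the defect that produces cross-tenant leakage. In a managed Postgres deployment, row-level security would sit underneath this as a second layer; this example shows only the application-level scoping.

```python
import sqlite3
from dataclasses import dataclass
from typing import List, Optional

# Column order used when turning rows into dicts (constructed schema).
COLUMNS = ("id", "tenant_id", "item")


@dataclass(frozen=True)
class TenantContext:
    """The restaurant (tenant) a request acts for. In a real service this
    comes from the authenticated session, never from a request parameter."""
    tenant_id: str


class OrderRepository:
    """Single choke point for order queries: every statement carries a
    tenant_id predicate, so no individual call site can forget it."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn

    def list_orders(self, ctx: TenantContext) -> List[dict]:
        rows = self.conn.execute(
            "SELECT id, tenant_id, item FROM orders "
            "WHERE tenant_id = ? ORDER BY id",
            (ctx.tenant_id,),
        ).fetchall()
        return [dict(zip(COLUMNS, row)) for row in rows]

    def get_order(self, ctx: TenantContext, order_id: int) -> Optional[dict]:
        # Primary key AND tenant_id: an id that belongs to another tenant
        # resolves to "not found" instead of to that tenant's row.
        row = self.conn.execute(
            "SELECT id, tenant_id, item FROM orders "
            "WHERE id = ? AND tenant_id = ?",
            (order_id, ctx.tenant_id),
        ).fetchone()
        return None if row is None else dict(zip(COLUMNS, row))


def unscoped_get_order(conn: sqlite3.Connection, order_id: int) -> Optional[dict]:
    """The defect the repository prevents: a lookup by primary key alone
    returns whichever tenant's row happens to have that id."""
    row = conn.execute(
        "SELECT id, tenant_id, item FROM orders WHERE id = ?", (order_id,)
    ).fetchone()
    return None if row is None else dict(zip(COLUMNS, row))


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: two restaurants sharing one orders table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, item TEXT NOT NULL)"
    )
    # Composite index keeps the scoped predicate cheap, so there is no
    # performance excuse for dropping it.
    conn.execute("CREATE INDEX orders_tenant_idx ON orders (tenant_id, id)")
    conn.executemany(
        "INSERT INTO orders (id, tenant_id, item) VALUES (?, ?, ?)",
        [(1, "rest_a", "masala dosa"),
         (2, "rest_b", "margherita"),
         (3, "rest_a", "filter coffee")],
    )
    conn.commit()
    return conn


def demo() -> dict:
    """What each access path sees when acting for rest_a."""
    conn = build_sample_db()
    repo = OrderRepository(conn)
    ctx_a = TenantContext("rest_a")
    return {
        # Only rest_a's own orders.
        "scoped_list": [o["id"] for o in repo.list_orders(ctx_a)],
        # Order 2 belongs to rest_b: scoped lookup reports not found.
        "scoped_get_foreign": repo.get_order(ctx_a, 2),
        # The unscoped lookup hands rest_b's row to whoever asks.
        "unscoped_get_foreign": unscoped_get_order(conn, 2),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the tenant predicate lives in one place and is derived from the authenticated context, not from user input; a code review of OrderRepository is then sufficient to confirm isolation, and the unscoped helper is exactly the shape a reviewer should reject.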
99.9% uptime SLA backed by automated failover, regular backups (3x daily), and disaster recovery procedures with tested RTO/RPO targets.
We run automated vulnerability scanning on every code push, conduct quarterly penetration tests with third-party security firms, and maintain a bug bounty program.
Built on Google Cloud Platform with security at every layer
Architecture layers, top to bottom: Browser / App / KDS Device; DDoS protection, firewall and CDN; Kubernetes cluster with load balancer; managed database with AES-256 encryption and row-level security (RLS).
We meet global standards for data protection, security, and operational excellence.
OpenDine is fully compliant with the General Data Protection Regulation. We provide data portability, the right to erasure, and consent management for all EU users. Our DPA (Data Processing Agreement) is available on request.
OpenDine complies with India's Digital Personal Data Protection Act. We are registered as a Data Fiduciary and maintain all required records of processing activities. Consent capture, purpose limitation, and data minimization are built into our architecture.
OpenDine maintains SOC 2 Type II compliance (annual audit). This covers the Trust Services Criteria: Security, Availability, Confidentiality, and Processing Integrity. Our most recent audit report is available to Enterprise customers under NDA.
OpenDine does not store card data. Payment processing is handled by certified PCI DSS-compliant third-party providers (Razorpay, Stripe). Our roadmap includes direct PCI DSS Level 1 compliance by Q4 2026.
We have a structured, tested incident response process to protect you in the rare event of a security issue.
Automated monitoring systems scan for anomalies 24/7. Security alerts escalate to our on-call security team within 5 minutes of detection.
The security team classifies severity (Critical / High / Medium / Low), determines scope, and activates the appropriate response team within 30 minutes.
Affected systems are isolated immediately. Automated playbooks can contain common threats within 60 seconds without human intervention.
Affected customers are notified within 72 hours per GDPR Article 33. Enterprise customers receive direct notification within 4 hours of confirmed breach.
After every significant incident, we conduct a blameless post-mortem within 7 days, document lessons learned, and implement preventive changes within 30 days.
We take security seriously and welcome responsible disclosure from security researchers and customers. If you discover a vulnerability in OpenDine, please report it to us immediately and we will work with you to resolve it quickly.
Scope: All OpenDine production infrastructure, web application, and APIs. Excluded: social engineering, DoS attacks on our infrastructure, and issues already known to us.
We commit to: acknowledge receipt within 24 hours, provide an initial assessment within 5 business days, and work toward a fix within 90 days for confirmed vulnerabilities.