
Security built for serious business

From authentication to audit logs — every layer of Toster is designed to protect your customers' data and your business.

GDPR: EU data protection
PCI-adjacent: via Stripe / LiqPay
SOC 2: in progress

Authentication

JWT access tokens with 15-minute expiry. Refresh token rotation on every use. Separate signing secrets for staff and customer tokens. Atomic rotation prevents race conditions.

15m access / 7d refresh / atomic rotation

RBAC — 11 roles

Owner, manager, operator, cook, packer, courier, cashier, marketing, accountant, HR, and API-only roles. Granular permission matrix — staff see only what their role allows.

11 roles · granular permissions

Multi-tenancy isolation

Every query is scoped by org_id from JWT. No cross-tenant data leakage by design. PostgreSQL row-level security planned for defense-in-depth.

org_id scoping · RLS planned

Data privacy (GDPR)

Right to erasure (Art. 17) and portability (Art. 20) endpoints implemented. Customer data anonymization on request. EU-resident data stays in EU infrastructure.

GDPR Art. 17 & 20 · EU data residency

Webhook security

All outgoing webhooks signed with HMAC-SHA256. Replay protection via timestamp validation (5-minute window). Delivery log with retry history.

HMAC-SHA256 · 5-min replay window

Audit log

Every create, update, and delete is logged with before/after snapshots, user ID, IP address, and timestamp. Tamper-evident, queryable, exportable.

before/after · IP · user · timestamp

Rate limiting

5 failed auth attempts per 15 minutes per IP. Per-org API quota enforcement. Redis-backed sliding window counters. Lockouts auto-expire.

5 attempts / 15 min · per-org quotas

Secrets management

All secrets in Railway encrypted environment variables. Rotation policy documented. No secrets in code or logs. Separate secrets per environment.

Railway env · rotation policy

Fiscalization compliance

Integrated with certified fiscal providers in 6 countries: Checkbox (UA), KSeF (PL), EET (CZ), Fiskaly (DE), VeriFacTu (ES), Stripe Tax (US). Receipts are legally binding.

6 countries · certified providers

Found a vulnerability?

We take security seriously. If you discover a vulnerability, please report it responsibly. We aim to respond within 48 hours.

Our security checklist

Input validation on every API endpoint (Zod)

SQL injection prevention via Prisma parameterized queries

XSS prevention via React's default escaping

CORS configured per environment

TLS enforced on all connections

Secrets never logged or included in error responses

Dependencies audited with npm audit on every deploy

HTTP security headers (HSTS, CSP, X-Frame-Options)