Security

Security is an architecture choice, not a checklist.

halopos treats tenant isolation, auditability, and PCI scope as non-negotiable from the first commit. This page is the short version; the long version is in our threat model document (available under NDA).

Data residency

All tenant data is stored in Amazon RDS (Postgres 16, multi-AZ) in the ap-southeast-2 region — Sydney. Backups stay in-region. CloudFront caches public assets; no PII transits non-AU edges.

Tenant isolation

Every tenant-scoped table carries a tenant_id foreign key, and Postgres Row-Level Security is enabled on each of them with a policy keyed off a session GUC that is set per request. Our integration test suite verifies, against a real Postgres, that cross-tenant reads and writes are impossible: an invariant, not a convention.
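As an added illustration (not halopos's own schema or code), the pattern described above in Postgres DDL. Table, column, role and GUC names are assumptions. The details a reviewer should look for are that the policy fails closed when the GUC is unset, that the table owner is bound by the policy too, and that the GUC is scoped to the transaction rather than the connection.

```sql
-- Added example, not halopos code. Names (tenants, orders, app_rw,
-- app.tenant_id) are assumptions.

CREATE TABLE tenants (id uuid PRIMARY KEY);

CREATE TABLE orders (
  id          bigint  GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  tenant_id   uuid    NOT NULL REFERENCES tenants(id),
  total_cents integer NOT NULL
);

ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
-- Without FORCE, the table owner bypasses every policy on the table.
ALTER TABLE orders FORCE ROW LEVEL SECURITY;

-- The application role is an ordinary role: no SUPERUSER, no BYPASSRLS,
-- not the owner. A role with either attribute ignores RLS entirely, so the
-- integration test must connect as this role, not as the migration owner.
CREATE ROLE app_rw LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON orders TO app_rw;

-- USING filters rows that can be read or modified, WITH CHECK constrains
-- rows being inserted or produced by UPDATE. current_setting(name, true)
-- returns NULL when the GUC was never set, NULLIF covers an empty string;
-- either way the comparison is NULL and the request sees no rows at all,
-- which is the failure mode you want.
CREATE POLICY tenant_isolation ON orders
  TO app_rw
  USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
  WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request (and in the integration test): the third argument to
-- set_config makes the value local to the transaction, so a pooled
-- connection cannot carry one tenant's id into the next request.
-- SET LOCAL app.tenant_id = '...' is the same thing in DDL form.
BEGIN;
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);
SELECT count(*) FROM orders;          -- counts only tenant 1111...'s rows
INSERT INTO orders (tenant_id, total_cents)
  VALUES ('22222222-2222-2222-2222-222222222222', 100);
-- ERROR:  new row violates row-level security policy for table "orders"
ROLLBACK;
```

Two things worth checking in any deployment of this pattern: a cross-tenant UPDATE or DELETE simply matches zero rows (it does not error), so the test has to assert on the affected-row count rather than on an exception; and the policy only holds for roles it applies to, so a maintenance role with BYPASSRLS used by a bug-ridden script sees everything.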

Audit log

Every write path emits an audit row. The log is append-only, enforced at three layers: the repository exposes only an append operation, the Postgres role has no UPDATE or DELETE privilege on the audit table, and a trigger throws on any attempted mutation. A per-tenant SHA-256 hash chain provides tamper evidence for external review.
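An added example (not halopos's code) of the two database-side layers plus the hash chain. Table, column and role names are assumptions, and the repository layer, which lives in application code, is not shown. Beyond the page's description it also handles two things a reviewer would ask about: concurrent appends for the same tenant, and a serialisation of the hashed fields that an external party can recompute without guessing a delimiter scheme.

```sql
-- Added example, not halopos code. audit_log, app_rw and the column names
-- are assumptions.

CREATE TABLE audit_log (
  id          bigint      GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  tenant_id   uuid        NOT NULL,
  occurred_at timestamptz NOT NULL DEFAULT now(),
  actor       text        NOT NULL,
  action      text        NOT NULL,
  payload     jsonb       NOT NULL,
  prev_hash   text,                          -- NULL only on a tenant's first row
  row_hash    text        NOT NULL
);

-- Privilege layer: the application role can read and append, nothing else.
-- TRUNCATE is a privilege of its own, distinct from DELETE; nobody gets it.
REVOKE ALL ON audit_log FROM PUBLIC;
GRANT SELECT, INSERT ON audit_log TO app_rw;

-- Trigger layer: any mutation throws, even from a role that does hold the
-- privilege, so an operator mistake fails loudly instead of silently.
CREATE FUNCTION audit_log_reject_mutation() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
  RAISE EXCEPTION 'audit_log is append-only (% rejected)', TG_OP;
END $$;

CREATE TRIGGER audit_log_append_only
  BEFORE UPDATE OR DELETE OR TRUNCATE ON audit_log
  FOR EACH STATEMENT EXECUTE FUNCTION audit_log_reject_mutation();

-- Hash chain: each row commits to its predecessor's hash within the tenant.
-- The hashed fields are serialised through jsonb, whose text form is
-- canonical (sorted keys, fixed spacing). The timestamp is rendered in UTC
-- because jsonb renders timestamptz in the session time zone, which would
-- make the hash depend on who recomputes it. The per-tenant advisory lock
-- serialises concurrent appends so two writers cannot both chain off the
-- same predecessor and fork the chain.
CREATE FUNCTION audit_log_chain_row() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
  PERFORM pg_advisory_xact_lock(hashtext(NEW.tenant_id::text));
  SELECT row_hash INTO NEW.prev_hash
    FROM audit_log
   WHERE tenant_id = NEW.tenant_id
   ORDER BY id DESC LIMIT 1;
  NEW.row_hash := encode(sha256(convert_to(jsonb_build_object(
      'prev',    NEW.prev_hash,
      'tenant',  NEW.tenant_id,
      'at',      (NEW.occurred_at AT TIME ZONE 'UTC'),
      'actor',   NEW.actor,
      'action',  NEW.action,
      'payload', NEW.payload)::text, 'UTF8')), 'hex');
  RETURN NEW;
END $$;

CREATE TRIGGER audit_log_chain
  BEFORE INSERT ON audit_log
  FOR EACH ROW EXECUTE FUNCTION audit_log_chain_row();

-- External review: recompute every hash and check that each row links to
-- the one before it. Any row this returns was altered or reordered, and a
-- gap in the chain shows up as a mismatched prev_hash on the row after it.
SELECT id, tenant_id
FROM (
  SELECT id, tenant_id, prev_hash, row_hash,
         lag(row_hash) OVER (PARTITION BY tenant_id ORDER BY id) AS expected_prev,
         encode(sha256(convert_to(jsonb_build_object(
           'prev',    prev_hash,
           'tenant',  tenant_id,
           'at',      (occurred_at AT TIME ZONE 'UTC'),
           'actor',   actor,
           'action',  action,
           'payload', payload)::text, 'UTF8')), 'hex') AS recomputed
  FROM audit_log
) chained
WHERE recomputed IS DISTINCT FROM row_hash
   OR prev_hash  IS DISTINCT FROM expected_prev;
```

One caveat the chain alone does not cover: someone with superuser access can delete the tail of a tenant's chain and leave every remaining link consistent. Tamper evidence against that attacker requires anchoring the chain head (each tenant's latest row_hash) somewhere outside the database, for example in the periodic export handed to the reviewer.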

Staff credentials

Staff sign-in is handled via Clerk with 2FA available on owner accounts.

Payment card data

halopos never touches card data. EFTPOS adapters return only the last four digits, the card scheme, and an auth code. Our Stripe Billing integration uses Stripe-hosted Checkout and the Customer Portal, so card entry happens on Stripe's pages, never ours. Cardholder data therefore never enters our systems by architecture, as recorded in ADR-007. That keeps PCI DSS scope to the minimum rather than eliminating it outright: a merchant using a fully hosted payment page still completes the SAQ A self-assessment.

Hardware Bridge

The Bridge runs on a Mac mini on the venue LAN. It holds only an opaque bearer token scoped to a single tenant and a single location. It can poll queued print jobs and acknowledge them; it cannot read orders, menus, or payments. The token can be rotated from /admin/security.

Reports & compliance

BAS export produces auditable CSV + JSON rollups in venue-local time (DST-safe). Daily summary, item-mix, and payment reconciliation reports share the same pure aggregators — the UI, the API, and the export all see the same numbers.
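An added example (not halopos's code) of what "venue-local time, DST-safe" means at the query level, with the wrong form beside the right one. Table and column names are assumptions; the venue row is assumed to carry its IANA zone name (for example Australia/Sydney).

```sql
-- Added example, not halopos code. orders, venues, paid_at, venue_id and
-- venues.tz are assumptions.

-- Wrong: date_trunc on a timestamptz truncates in the session TimeZone
-- (UTC on a default RDS instance), so a 23:30 Sydney sale lands on the
-- previous "day", and the bucket boundary moves by an hour whenever DST
-- starts or ends.
SELECT date_trunc('day', paid_at)::date AS day, sum(total_cents) AS gross_cents
FROM orders
GROUP BY 1;

-- Right: convert each timestamptz to the venue's wall-clock time first,
-- then take the date. The tz database handles the transitions, so the
-- 25-hour day when Sydney falls back (first Sunday in April) and the
-- 23-hour day when it springs forward (first Sunday in October) both
-- bucket correctly. The range bounds are built the same way, as local
-- midnight converted to timestamptz, so the filter and the buckets agree.
SELECT
  (o.paid_at AT TIME ZONE v.tz)::date AS local_day,
  count(*)                            AS orders,
  sum(o.total_cents)                  AS gross_cents
FROM orders o
JOIN venues v ON v.id = o.venue_id
WHERE o.paid_at >= ((date '2025-04-01')::timestamp AT TIME ZONE v.tz)
  AND o.paid_at <  ((date '2025-05-01')::timestamp AT TIME ZONE v.tz)
GROUP BY 1
ORDER BY 1;
```

Storing a fixed UTC offset on the venue instead of a zone name is the usual way this goes wrong: the offset is right for half the year and the daily totals silently shift by an hour for the other half.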

Pen-testing & SOC 2

A pen-test is scheduled in the run-up to GA (M3). SOC 2 Type I readiness is tracked as a post-GA objective; the audit-log and access-control prerequisites are already in place.

Want the full threat model?

Enterprise customers get the document under NDA, plus a walkthrough with engineering.