OperoPOS

Security Policy

OperoPOS handles real-money transactions and customer personal information for thousands of merchants. Security is not an afterthought — it is built into every layer of the platform. This document explains the controls we have in place and how to report a vulnerability.

Infrastructure

OperoPOS runs on enterprise-grade cloud infrastructure with 24/7 monitoring, automated patching, and physical security controls audited under SOC 2 and ISO 27001. All traffic is served over HTTPS with TLS 1.2 or higher, and HTTP requests are automatically upgraded.

Data Isolation

OperoPOS is multi-tenant, but tenants are isolated at the database layer using row-level security (RLS). Every table that holds merchant-owned data has policies that restrict access to the owning store and its authorized staff. This means even if an application bug allowed a request to reach the wrong query, the database itself would refuse to return another merchant's data.

Authentication and Sessions

Passwords are hashed with bcrypt and never stored in plaintext. Sessions use signed JWTs with rotating refresh tokens. Customer-facing online ordering uses one-time email codes (6 digits, 10-minute expiry) rather than passwords. Staff accounts created through the invitation system are forced to change their temporary password on first login.

Encryption

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Database backups are encrypted and stored in geographically separated regions.

Role-Based Access Control

OperoPOS supports six staff roles (Owner, Admin, Manager, Cashier, Viewer, Kitchen) and per-branch assignments. A cashier assigned to one branch cannot view sessions, orders, or reports from another branch. Roles are enforced both in the application and at the database row level.

Audit Logs

Sensitive actions — order acceptance/denial, session open/close, refunds, staff role changes — are written to immutable audit logs. Owners and admins can review these logs from the dashboard.

Payment Card Data

OperoPOS never stores raw card numbers, expiry dates, CVV codes, or magnetic-stripe data. When card payment is taken, it happens through a PCI-DSS compliant processor of your choice; OperoPOS only sees the result (success/failure) and a transaction reference.

Vulnerability Disclosure

If you discover a security vulnerability, please report it to security@operopos.com. We aim to acknowledge reports within 48 hours and to fix verified issues as quickly as possible. We do not currently run a paid bug bounty, but we publicly credit researchers who responsibly disclose impactful issues.

What We Ask of You

Your security depends on us — and on you. Use a strong, unique password. Do not share your account with staff; create individual accounts for each person and assign appropriate roles. Revoke access immediately when staff leave. Keep your devices updated and protected.

Incident Response

In the event of a confirmed security incident affecting your data, we will notify you by email within 72 hours and describe the scope of the incident, the data affected, and the steps we are taking to remediate it.

Contact

Security questions, audit requests, or vulnerability reports: security@operopos.com.