Security Policy
Last updated: 6 July 2026
1. Security overview
kore protects restaurant operational data using defence in depth: application permissions, database row-level security, encrypted transport, and audited administrative actions.
2. Technical controls
- Authentication: Supabase email/password with secure HTTP-only session cookies.
- Authorisation: 31 granular permissions; roles assigned per user and location.
- Database: PostgreSQL row-level security on all tenant tables.
- Transport: TLS 1.2+; HSTS enabled in production.
- Headers: Content-Security-Policy, X-Frame-Options DENY, X-Content-Type-Options nosniff.
- Webhooks: HMAC-SHA256 verification for Shopify; idempotent processing.
- Rate limiting: sign-in, password reset, and webhook endpoints.
- Storage: private bucket for invoice documents; organisation-scoped paths; signed download URLs (10 min).
- Audit: database triggers and admin actions logged to audit_logs.
3. Incident response
Suspected incidents should be reported immediately to the platform administrator and privacy@thekrestaurant.com.
We will investigate, contain, remediate, and notify affected parties where required by law.
4. User responsibilities
- Use strong, unique passwords.
- Sign out on shared devices.
- Grant least-privilege roles.
- Rotate demo credentials before any shared environment.
- Do not commit secrets to source control.