kore

← Back to sign in

Security Policy

Last updated: 6 July 2026

1. Security overview

kore protects restaurant operational data using defence in depth: application permissions, database row-level security, encrypted transport, and audited administrative actions.

2. Technical controls

  • Authentication: Supabase email/password with secure HTTP-only session cookies.
  • Authorisation: 31 granular permissions; roles assigned per user and location.
  • Database: PostgreSQL row-level security on all tenant tables.
  • Transport: TLS 1.2+; HSTS enabled in production.
  • Headers: Content-Security-Policy, X-Frame-Options DENY, X-Content-Type-Options nosniff.
  • Webhooks: HMAC-SHA256 verification for Shopify; idempotent processing.
  • Rate limiting: sign-in, password reset, and webhook endpoints.
  • Storage: private bucket for invoice documents; organisation-scoped paths; signed download URLs (10 min).
  • Audit: database triggers and admin actions logged to audit_logs.

3. Incident response

Suspected incidents should be reported immediately to the platform administrator and privacy@thekrestaurant.com.

We will investigate, contain, remediate, and notify affected parties where required by law.

4. User responsibilities

  • Use strong, unique passwords.
  • Sign out on shared devices.
  • Grant least-privilege roles.
  • Rotate demo credentials before any shared environment.
  • Do not commit secrets to source control.