Security & data

Your data, your region, your audit trail

Tawle is built for restaurants that handle payment data and guest information every minute of service. Here's exactly how we keep it safe.

Encryption

Encrypted in transit and at rest

All traffic is TLS 1.2+. Sensitive fields are encrypted at rest using AES-256. Passwords use bcrypt.

${ICON_LOCK}

TLS 1.2+ everywhere

Every page, every API call, every WebSocket. HTTP redirects to HTTPS, HSTS enabled.

${ICON_SHIELD}

AES-256 at rest

Database-level encryption for sensitive fields. Backups encrypted before they leave the primary.

${ICON_CHECK}

bcrypt + salt

Passwords are hashed with bcrypt. No plain-text storage, no reversible encryption.

Data residency

Your data, in the region you choose

Pick UAE or your nearest region. Your data never leaves unless you ask for it.

${ICON_GLOBE}

UAE primary

Tawle is deployed in the UAE. Restaurants operating in the GCC keep their data inside the GCC — by default, no opt-in required.

${ICON_HISTORY}

Daily backups

Encrypted daily snapshots with 30-day retention. Restore tested monthly. RPO < 24h, RTO < 4h.

Access control

7 roles, granular permissions, branch scoping

The same RBAC engine that runs your floor also protects your data.

${ICON_USERS}

Role-based access

Seven built-in roles plus custom. Feature-level CRUD per role. The principle of least privilege by default.

${ICON_EYE}

Branch scope

Multi-branch isolation. A waiter at branch A cannot see, edit or query data from branch B — even by API.

${ICON_CLOCK}

Full audit trail

Every state change carries a timestamp and a user. Refunds, voids and overrides need a manager PIN.

What we don't do

Plain-English security commitments

The things we believe a modern restaurant platform should never do.

We never share guest data

No selling, no advertising networks, no third-party trackers in the storefront. Guest email and phone stay yours.

We never store full card numbers

Card data is tokenised at the gateway. Tawle only ever sees the last 4 digits and the brand — no PAN, no CVV.

We never take a per-order cut

Subscription only. No hidden transaction fees, no "platform fees" on top of payment gateway charges.

We never lock your data in

Full CSV/Excel export of menu, orders, customers and transactions. Your data is yours, exportable any time.

${ICON_SHIELD}PCI-DSS aware
${ICON_LOCK}TLS 1.2+ everywhere
${ICON_GLOBE}UAE data residency
${ICON_CHECK}Daily backups
${ICON_EYE}Full audit trail
Got a security question?

We'll answer it in writing

If you're a multi-branch group with a security review process, send us the questionnaire and we'll respond with our completed answers.