Your data, your region, your audit trail
Tawle is built for restaurants that handle payment data and guest information every minute of service. Here's exactly how we keep it safe.
Encrypted in transit and at rest
All traffic is TLS 1.2+. Sensitive fields are encrypted at rest using AES-256. Passwords use bcrypt.
TLS 1.2+ everywhere
Every page, every API call, every WebSocket. HTTP redirects to HTTPS, HSTS enabled.
AES-256 at rest
Database-level encryption for sensitive fields. Backups encrypted before they leave the primary.
bcrypt + salt
Passwords are hashed with bcrypt. No plain-text storage, no reversible encryption.
Your data, in the region you choose
Pick UAE or your nearest region. Your data never leaves unless you ask for it.
UAE primary
Tawle is deployed in the UAE. Restaurants operating in the GCC keep their data inside the GCC — by default, no opt-in required.
Daily backups
Encrypted daily snapshots with 30-day retention. Restore tested monthly. RPO < 24h, RTO < 4h.
7 roles, granular permissions, branch scoping
The same RBAC engine that runs your floor also protects your data.
Role-based access
Seven built-in roles plus custom. Feature-level CRUD per role. The principle of least privilege by default.
Branch scope
Multi-branch isolation. A waiter at branch A cannot see, edit or query data from branch B — even by API.
Full audit trail
Every state change carries a timestamp and a user. Refunds, voids and overrides need a manager PIN.
Plain-English security commitments
The things we believe a modern restaurant platform should never do.
We never share guest data
No selling, no advertising networks, no third-party trackers in the storefront. Guest email and phone stay yours.
We never store full card numbers
Card data is tokenised at the gateway. Tawle only ever sees the last 4 digits and the brand — no PAN, no CVV.
We never take a per-order cut
Subscription only. No hidden transaction fees, no "platform fees" on top of payment gateway charges.
We never lock your data in
Full CSV/Excel export of menu, orders, customers and transactions. Your data is yours, exportable any time.
We'll answer it in writing
If you're a multi-branch group with a security review process, send us the questionnaire and we'll respond with our completed answers.