Trust & Safety

Security at Stellar POS

Stellar POS, Inc. | Last Updated: May 21, 2026 | Version 1.0

Overview

Our Security Commitment

Stellar POS processes sensitive financial and business data for restaurants and retail businesses. We take security seriously — not because we're required to, but because our customers' livelihoods depend on it. This page describes the technical and organizational measures we maintain to protect your data.

TLS 1.3 Encryption | AES-256 at Rest | JWT Auth | Rate Limited | CCPA Compliant | 72h Breach Notice
Section 01

Data Encryption

  • In transit: All communications between the POS app, dashboard, and servers use TLS 1.3. HTTP is redirected to HTTPS site-wide.
  • At rest: Sensitive database fields are encrypted using AES-256. Database backups are encrypted before storage.
  • Staff PINs: PINs are stored as one-way cryptographic hashes. We cannot recover a PIN — only reset it.
  • Payment card data: We never store full card numbers. All payment data is tokenized by our certified payment processors (Stripe, Elavon). We are out of PCI scope for card storage.
  • JWT tokens: Authentication tokens are short-lived and cryptographically signed. Compromised tokens cannot be used after expiration.
Section 02

Access Control

  • Role-based access (RBAC): Owner, Manager, Cashier, and Kitchen Staff roles have different permission levels. Sensitive actions are gated by role.
  • 3-Tier Confirmation: High-risk actions (voids, large refunds, staff deactivation) require Manager PIN verification, verified against the backend API in real time — not stored locally.
  • Rate limiting: Login endpoints are limited to 10 attempts per 15-minute window per IP address to prevent brute-force attacks.
  • Anomaly detection: The system automatically flags unusual refund patterns (more than 3 refunds per week or more than $100 in refunds by a single staff member) and alerts the owner.
  • Audit logging: All refunds, voids, manager PIN approvals, and clock-in/out events are permanently logged with timestamp and staff identity.
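
The refund rule in the anomaly detection item above, run over audit-log entries, as an added example that is not Stellar POS code. The record fields (staffId, type, amountCents, at), the rolling 7-day window, and applying both thresholds per staff member over that window are assumptions.

```javascript
// Added illustration; not Stellar POS code. Record fields (staffId, type,
// amountCents, at) and the rolling 7-day window are assumptions.
const WEEK_MS = 7 * 24 * 60 * 60 * 1000;
const MAX_REFUNDS_PER_WEEK = 3;      // page: "more than 3 refunds per week"
const MAX_REFUND_CENTS = 100 * 100;  // page: "more than $100 in refunds"

// Returns one flag per staff member whose refunds in the 7 days ending at
// `now` exceed either threshold. Integer cents avoid float rounding errors.
function flagRefundAnomalies(auditLog, now) {
  const nowMs = Date.parse(now);
  const perStaff = new Map();
  for (const entry of auditLog) {
    if (entry.type !== 'refund') continue;
    const t = Date.parse(entry.at);
    if (Number.isNaN(t) || t > nowMs || nowMs - t >= WEEK_MS) continue;
    // A negative or malformed amount must never lower a staff member's total.
    const cents = Number.isInteger(entry.amountCents) ? Math.abs(entry.amountCents) : 0;
    const s = perStaff.get(entry.staffId) || { count: 0, totalCents: 0 };
    s.count += 1;
    s.totalCents += cents;
    perStaff.set(entry.staffId, s);
  }
  const flags = [];
  for (const [staffId, s] of perStaff) {
    const reasons = [];
    if (s.count > MAX_REFUNDS_PER_WEEK) reasons.push('refund_count');
    if (s.totalCents > MAX_REFUND_CENTS) reasons.push('refund_total');
    if (reasons.length) flags.push({ staffId, ...s, reasons });
  }
  return flags.sort((a, b) => a.staffId.localeCompare(b.staffId));
}

// Constructed sample audit entries (not real data).
const refund = (staffId, amountCents, at) => ({ staffId, type: 'refund', amountCents, at });
const SAMPLE_LOG = [
  refund('cashier-a', 500, '2026-05-15T10:00:00Z'), refund('cashier-a', 500, '2026-05-16T10:00:00Z'),
  refund('cashier-a', 500, '2026-05-18T10:00:00Z'), refund('cashier-a', 500, '2026-05-20T10:00:00Z'),
  { staffId: 'cashier-a', type: 'void', amountCents: 9900, at: '2026-05-20T11:00:00Z' },
  refund('cashier-b', 15000, '2026-05-19T14:30:00Z'),   // one large refund
  refund('cashier-c', 4000, '2026-05-17T09:00:00Z'), refund('cashier-c', 3000, '2026-05-18T09:00:00Z'),
  refund('cashier-c', 3000, '2026-05-19T09:00:00Z'),    // exactly 3 refunds, exactly $100
  refund('cashier-d', 20000, '2026-05-01T09:00:00Z'),   // outside the 7-day window
];

console.log(flagRefundAnomalies(SAMPLE_LOG, '2026-05-21T12:00:00Z'));
```

Because both thresholds read "more than", a staff member with exactly 3 refunds totalling exactly $100 is not flagged.
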
Section 03

Infrastructure

  • Hosting: Hosted on Railway, running on enterprise-grade cloud infrastructure with physical security, redundant power, and network monitoring.
  • Database backups: Automated backups every 6 hours, retained for 30 days, stored encrypted in a geographically separate location.
  • Uptime target: 99.5% monthly uptime for cloud features, excluding scheduled maintenance.
  • Offline mode: The POS app functions without internet connectivity. Transactions queue locally and sync securely when connectivity is restored.
  • Dependency updates: Security patches applied within 48 hours of release. Critical vulnerabilities addressed within 24 hours.
Section 04

Application Security

  • Input validation: All API inputs are validated and sanitized before processing.
  • SQL injection prevention: All database queries use parameterized statements via Prisma ORM. Direct SQL is never used with user input.
  • Security headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, and Strict-Transport-Security headers are enforced on all responses.
  • Dependency scanning: Third-party dependencies are regularly scanned for known vulnerabilities.
  • Secrets management: API keys and database credentials are stored in environment variables, never in code or version control.
Section 05

Incident Response Timeline

  • 0 – 1 hour: Detection and initial triage. On-call engineer assesses severity and scope.
  • 1 – 4 hours: Containment. Affected systems isolated. Unauthorized access revoked.
  • 4 – 24 hours: Full investigation. Root cause identified. Scope of affected data determined.
  • Within 72 hours: Merchant notification (as required by WA RCW 19.255 and applicable federal law). Regulatory notification if required.
  • Within 30 days: Full incident report. Remediation complete. Preventive measures implemented and documented.
Section 06

Compliance

  • PCI DSS: Card processing handled exclusively by certified Level 1 payment processors. Stellar POS is not a card data storage environment.
  • CCPA/CPRA: California Consumer Privacy Act compliant. See Privacy Policy for consumer rights details.
  • Washington State RCW 19.255: Data breach notification law. We notify within 72 hours of a confirmed breach.
  • FLSA/California Labor Code: Payroll tools designed to support compliance, though merchants bear ultimate compliance responsibility.
  • GDPR: Data Processing Agreements (DPAs) available upon request for merchants with EU customers.
Section 07

Your Responsibilities

Security is a shared responsibility. Merchants must:

  • Use a strong, unique password for the owner dashboard (minimum 12 characters)
  • Change default staff PINs immediately after setup and rotate them periodically
  • Never share Manager PINs with cashier-level staff
  • Keep the POS tablet operating system and the Stellar POS app updated
  • Report any suspected security incidents to security@stellarpos.us within 24 hours
  • Maintain physical security of POS hardware
  • Never install unauthorized software on POS devices
  • Enable screen lock/PIN on POS tablets
Section 08

Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue in Stellar POS:

  • Email a detailed description to security@stellarpos.us
  • Do not exploit the vulnerability or access data beyond what is necessary to demonstrate the issue
  • Do not publicly disclose until we have had the opportunity to remediate

We commit to: acknowledging receipt within 48 hours, investigating within 14 business days, and crediting researchers who report valid issues (with their consent).

Section 09

Security Contact

Report security issues: security@stellarpos.us
Privacy matters: privacy@stellarpos.us
General inquiries: legal@stellarpos.us

For urgent security incidents, please include "URGENT SECURITY" in your subject line.