Security at MenuSpy

Last updated: January 4, 2026

Our Commitment

Your restaurant data is your competitive advantage. We treat security as a core product requirement, not an afterthought. MenuSpy uses enterprise-grade infrastructure and follows industry best practices to keep your data safe.

Infrastructure Security

Google Cloud Platform

Our backend runs on Google Firebase, part of Google Cloud. Google maintains SOC 1, SOC 2, SOC 3, ISO 27001, and other certifications.

Vercel Hosting

Our frontend is hosted on Vercel's global edge network with automatic DDoS protection and SSL/TLS encryption.

Stripe Payments

Payment processing handled by Stripe, a PCI-DSS Level 1 certified provider. We never see or store your card details.

Automatic Backups

Data is automatically backed up with point-in-time recovery available. Backups are encrypted and stored in separate locations.

Data Encryption

In Transit

All connections use TLS 1.2+ (HTTPS)
HSTS (HTTP Strict Transport Security) enforced
API calls encrypted end-to-end

At Rest

Database encrypted using AES-256
Encryption keys managed by Google Cloud KMS
Backups encrypted with separate keys

Passwords

Passwords hashed using bcrypt (never stored in plain text)
Firebase Authentication handles secure password management
Support for password reset via secure email links

Application Security

Authentication

Firebase Authentication with secure session management
Session tokens with automatic expiration
Protection against session hijacking

Authorization

Firestore Security Rules enforce data access controls
Users can only access their own restaurant data
Competitor data isolation between accounts

Input Validation

All user inputs validated and sanitized
Protection against SQL injection, XSS, and CSRF attacks
Rate limiting on API endpoints

Operational Security

Access Controls

Principle of least privilege for team access
Production database access restricted and logged
No customer data in development environments

Monitoring

Real-time error and security monitoring
Automated alerts for suspicious activity
Regular security log reviews

Incident Response

Documented incident response procedures
Commitment to notify affected users within 72 hours of confirmed breach
Post-incident analysis and remediation

Data Collection Practices

What We Access

Your Data: Only what you provide (account info, menu uploads, preferences)
Competitor Data: Only publicly available information (public websites, public reviews)

What We Never Access

Point-of-sale (POS) systems
Private business databases
Password-protected competitor pages
Customer personal information from other restaurants

Third-Party Security

We carefully vet all third-party services:

Google Firebase SOC 2, ISO 27001

Stripe PCI-DSS Level 1

Vercel SOC 2 Type II

Google Cloud FedRAMP, HIPAA

Your Security Responsibilities

Security is a shared responsibility. We recommend:

Use a strong, unique password for your MenuSpy account
Don't share your login credentials
Log out when using shared devices
Keep your email account secure (used for password recovery)
Report any suspicious activity to us immediately

Reporting Security Issues

If you discover a security vulnerability:

Contact us immediately through our website
Provide details to help us understand and reproduce the issue
Give us reasonable time to address the issue before public disclosure
We appreciate responsible disclosure and will acknowledge your contribution

Questions?

Security questions or concerns? Contact us through menuspy.ai.