Security
Your venue data — orders, staff records, revenue history — is valuable and sensitive. Here is exactly how we protect it.
All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Your order history, staff records, and customer data are never sent over an unencrypted connection.
Tappsy is built for compliance with UK GDPR and the Data Protection Act 2018. Data is stored in UK/EU data centres. We act as a data processor on your behalf and sign a Data Processing Agreement on request.
Every user account operates on the least-privilege principle. Owners, managers, and bar staff each see only what they need. Sensitive operations like voids and refunds require manager approval.
Owner and manager accounts support TOTP-based two-factor authentication (Google Authenticator, Authy, 1Password). 2FA is enforced at every login and cannot be bypassed. Terminal registration also requires 2FA when enabled.
Tappsy runs on UK and EU infrastructure. No customer data is transferred to servers outside the UK or EU. We use enterprise-grade cloud providers with ISO 27001 certification.
Your data is backed up daily with point-in-time recovery. Backups are encrypted, stored in a geographically separate location, and tested regularly. Retention period: 30 days.
Every action taken in the system — voids, refunds, logins, menu changes, permission changes — is recorded with timestamp and user attribution. Audit logs are immutable and available to export.
We publish our uptime history publicly at status.tappsy.io. Professional plan customers receive a contractual 99.9% uptime SLA with service credits for any shortfall.
GDPR
When you take table bookings or run a loyalty scheme, your venue is a data controller. Tappsy acts as your data processor — we only process personal data as you instruct us to, and never for our own purposes.
We maintain a Record of Processing Activities and can provide this to you or to the ICO on request. All sub-processors are listed in our DPA and are subject to GDPR-equivalent obligations.
Customers on the Professional plan receive a named Data Protection contact.
We process operational data under the performance of a contract. Marketing communications require explicit opt-in.
We collect only what is necessary. Staff PINs are bcrypt-hashed and never stored in plain text.
Your customers can request access, rectification, or deletion of their data. We support these requests within the statutory 30-day window.
We do not transfer personal data outside the UK or EU. All infrastructure is located in compliant regions.
If you discover a security vulnerability in Tappsy, please report it to us before disclosing it publicly. We commit to acknowledging your report within 48 hours and resolving confirmed vulnerabilities within 30 days.
security@tappsy.ioWe do not currently operate a bug bounty programme, but we acknowledge all good-faith reports publicly if desired.
FAQs
We're happy to go into more detail. Enterprise customers can request a security questionnaire response and our infrastructure documentation.