CliqMenu Legal
Security Policy
How CliqMenu protects your data — encryption, access controls, hosting, and responsible disclosure.
In short
Encrypted in transit and at rest, hosted in AWS Sydney, no card numbers stored, and consent-gated, audited support access.
This summary is for convenience only — the full document below is what applies.
On this page
What changed3 versions
This Security Policy describes, in plain terms, how CliqMenu protects the data entrusted to it. It supplements our Privacy Policy. It is a summary of our practices, not a warranty; no system can be guaranteed perfectly secure.
1. Hosting and data residency
The Platform runs on Amazon Web Services (AWS) in the Sydney region (ap-southeast-2), Australia. Our applications are served over a global content delivery network, and our backend is serverless (managed compute, a managed database, and object storage). Customer and business data is stored in Sydney.
2. Encryption
- In transit: all traffic uses TLS. In addition, requests and responses between our apps (BMS / FOS / OMS) and our servers are protected by an application-layer encryption envelope (AES-256).
- At rest: databases and file storage are encrypted at rest using AES-256.
3. Authentication and access control
- Owners, staff, and administrators sign in with email one-time passcodes; bot protection is applied at sign-in.
- Access to data is scoped to the relevant business and role. Staff permissions are managed by the business owner.
- Administrative "support access" to a business account is consent-gated and time-boxed, and Customer personal information is masked during such access. Sensitive administrative actions are recorded in an audit log.
4. Payment security
CliqMenu does not store card or bank-account numbers. Online payments are handled by PCI-compliant providers (Stripe in Australia / New Zealand; Cashfree in India). We hold only the account identifiers needed to route payouts. Because card details are entered directly with the payment provider's hosted checkout and never reach CliqMenu's servers, CliqMenu's own PCI DSS exposure is minimised (SAQ-A-eligible scope).
5. Backups and resilience
The database has point-in-time recovery enabled (a 35-day window) within the Sydney region, and production data stores have deletion protection. We design for recoverability while keeping data within region.
6. Logging and monitoring
We log application activity for reliability and security within our AWS environment, and we keep the personal information appearing in logs to the minimum needed. We do not currently send application logs to any third-party logging service; if we introduce one, it will be listed as a sub-processor under our Privacy Policy and this section updated.
7. Data retention and deletion
Data is retained and deleted as described in the Privacy Policy, including staged deletion of closed accounts and tax-retention of order records.
8. Responsible disclosure
If you believe you have found a security vulnerability, please report it to security@cliqmenu.com. Give us reasonable time to investigate and fix the issue before public disclosure, and do not access or modify data that is not yours. We appreciate responsible reports and will acknowledge them.
9. Changes
We may update this policy. The current version is always published here with its version and effective date.