Security & Compliance
Last updated: May 30, 2026
Venora is built for multi-tenant venue operations. This page describes the security controls we have in place today. We update it as the platform evolves — anything stated here reflects current implementation, not aspiration.
Encryption in Transit & at Rest
TLS 1.2+ on every request. Data encrypted at rest by our managed database provider.
Tenant Isolation
Row-level security policies in the database, plus organization-scoped queries in the application.
Role-Based Access Control
Server-side RBAC with a roles registry. Client-supplied roles are never trusted.
Hardened HTTP Headers
CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Permissions-Policy, Referrer-Policy on every response.
PCI-DSS via Certified Providers
Payments handled by Razorpay and Stripe. Card numbers never touch Venora servers.
Privacy-Aware by Design
Aligned with GDPR and India's DPDP Act. Data access, export, and deletion supported on request.
Data Protection
Customer data is transmitted over TLS and stored on a managed database platform that encrypts data at rest. Service credentials, API keys, and provider secrets are kept in environment configuration and are not written to logs or version control.
Tenant Isolation
Venora is multi-tenant by design. Every request is authorized against an organizationId and, where applicable, a venueId. Row-level security policies on tenant-scoped tables enforce isolation at the database layer, in addition to application-layer checks. Enterprise tenants may opt for a fully dedicated database.
Authentication
Venora supports email and password authentication along with OAuth (Google) via our authentication provider. Sessions are managed by the provider with secure cookie handling. Email verification and password reset flows are available out of the box.
Role-Based Access Control
Authorization is enforced server-side using a roles registry and per-permission grants. Roles assigned to staff and admins are stored in the database and validated on every privileged request. Client roles and tenant identifiers from the browser are never trusted.
Audit Logging
Sensitive actions — including authentication events, payments, checkouts, session lifecycle, stock changes, permission grants, and access-denied attempts — are recorded to an audit log keyed by tenant. Logs are retained for review and reconciliation.
Payments & PCI Scope
Payment card data is processed exclusively by PCI-DSS Level 1 certified providers — Razorpay and Stripe. Venora servers do not see, store, or transmit raw card numbers. Tokenized references and provider-issued IDs are used for reconciliation and billing only.
Application Security
Strict HTTP security headers — Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Permissions-Policy, and Referrer-Policy — are enforced on every response. Rate limiting is applied to sensitive API routes. Every change goes through code review and a CI pipeline (type-check, lint, build) before reaching production. We monitor security advisories from GitHub for our dependencies.
Infrastructure
Venora runs on hardened managed cloud infrastructure with TLS termination, automated platform patching, and least-privilege access to operational systems. Database backups are handled by our managed database provider per their published policy. We target high availability but do not currently offer a contractual uptime SLA — Enterprise customers can request one in writing.
Privacy & Compliance
Venora's operations are aligned with the EU General Data Protection Regulation (GDPR) and India's Digital Personal Data Protection Act (DPDP). We are not currently certified against SOC 2 or ISO 27001; formal certifications are on our roadmap as we onboard enterprise customers. See our Privacy Policy for details on data we collect and how it is processed.
Reporting a Vulnerability
Found a security issue? Email security@venorahub.com. We aim to acknowledge reports within a few business days and appreciate researchers who follow responsible disclosure.
Continuous Improvement
Our security program is reviewed and updated as the platform grows. Formal certifications (SOC 2 Type II, ISO 27001) and a contractual uptime SLA are on our roadmap. Customers with specific compliance requirements can contact sales@venorahub.com.