Last updated: March 1, 2025
Security
At DishPatch, security is foundational — not an afterthought. We handle sensitive voice conversations and order data for thousands of restaurants daily, and we take that responsibility seriously.
Infrastructure Security
DishPatch runs on SOC 2 Type II-certified cloud infrastructure. All services are deployed in isolated virtual private clouds with strict network segmentation. We conduct quarterly infrastructure audits and annual third-party penetration tests.
- Encryption in transit: All data in transit is protected by TLS 1.3 or higher
- Encryption at rest: All stored data is encrypted using AES-256
- Key management: Encryption keys are managed using a dedicated HSM-backed key management service
- Database security: Production databases are not publicly accessible and require MFA for administrative access
Voice & Call Security
All phone calls handled by DishPatch are transmitted over encrypted SRTP channels. Call recordings are stored in isolated, encrypted object storage accessible only by authenticated services. Access logs are retained for 1 year.
Application Security
- All code changes undergo peer review and automated security scanning before deployment
- We follow OWASP Top 10 guidelines for web application security
- Dependency vulnerability scanning runs on every build
- Admin access to production systems requires hardware MFA (FIDO2)
Access Controls
We operate on a principle of least privilege. Employees have access only to the systems necessary for their role. All access is reviewed quarterly. Departing employees are immediately offboarded from all systems.
Compliance
- SOC 2 Type II: Annual audit — report available to Enterprise customers under NDA
- PCI DSS: We do not store cardholder data. Payment processing is handled by a PCI-certified third party (Stripe)
- CCPA / GDPR: We support data subject rights requests and maintain a Data Processing Agreement for applicable customers
Incident Response
In the event of a confirmed breach affecting your data, we will notify you within 72 hours of discovery as required by applicable law.
Responsible Disclosure
Report security vulnerabilities to info@dishpatch.io. We acknowledge receipt within 24 hours and do not pursue legal action against good-faith researchers.