Section 01
Certifications and payment scope
Margin Kitchen completed a SOC 2 Type II audit in 2025 covering the security, availability, and confidentiality trust services criteria for the Margin Kitchen application and supporting infrastructure. The report is available under NDA — email security-officer@marginkitchen.com to request it.
Subscription payments are processed by a PCI-DSS Level 1 certified payment processor (Stripe). Margin Kitchen does not store raw cardholder data; card details are tokenized by the processor and only tokens are retained.
Section 02
Hosting and encryption
- Production hosting: AWS in the us-east-1 region.
- Encryption at rest: AES-256 for application databases, object storage, and backups.
- Encryption in transit: TLS 1.3 for all traffic between browsers, the application, and internal services.
- Backups: encrypted, cross-AZ, with point-in-time recovery for the primary database.
Section 03
Access control, SSO, and MFA
Margin Kitchen uses role-based access control (RBAC) so users only see the data and actions their role requires.
- SSO via Okta and Microsoft Entra ID (SAML 2.0 / OIDC) on eligible plans.
- MFA is required for all administrator accounts on the Margin Kitchen side.
- Roles: Owner, Admin, Manager (GM / kitchen manager), Staff. Financial data is gated to Owner and Admin by default.
- Multi-location operators can scope access by location so unit-level managers only see the units they run.
Section 04
Tenant isolation
Each organization's data lives in its own workspace and is filtered at the database layer with row-level security tied to the user's organization and active location. Cross-tenant access is structurally not possible from the application.
Section 05
Immutable audit logs and retention
- Immutable audit logs retained for 365 days covering recommendation approvals, overrides, role changes, integrations, and destructive actions.
- Financial records retained for 7 years to meet standard restaurant accounting and audit requirements.
- Raw telemetry (product usage, request logs) retained for 1 year, then aggregated or deleted.
- Backups retained for 30 days on a rolling basis.
Section 06
Subprocessors
Margin Kitchen uses the following subprocessors to deliver the service. Customers on annual plans receive 30 days' written notice before a new subprocessor is engaged.
- AWS — production hosting, storage, and managed database (us-east-1).
- Stripe — subscription billing and PCI-DSS Level 1 payment processing.
- SendGrid — transactional email (brief delivery, invites, security notices).
- Twilio — SMS notifications for opt-in operator alerts.
Section 07
AI governance
System Generated — Review Required
Margin Kitchen does not automatically change prices, publish schedules, place supplier orders, or make staffing decisions. Every recommendation is presented for a manager to approve, edit, or reject.
See Responsible AI for the full model, override, and feedback policy.
Section 08
Incident response
Report suspected incidents to security-officer@marginkitchen.com with the subject "Security". Our on-call security officer acknowledges P1 reports within 4 hours, 24/7.
- P1 (confirmed breach, data exposure, service down): 4-hour response SLA.
- P2 (suspected vulnerability, degraded control): 1 business day.
- P3 (informational, hardening request): 5 business days.
We coordinate responsible disclosure with reporters and notify affected customers of confirmed incidents per the timelines in our DPA.
Questions
Email security-officer@marginkitchen.com and we'll route your request to the right team at Margin Kitchen.
