
Security & data protection.

How we host, isolate, encrypt, and protect the data VentaLens reads from your Loyverse POS — written from how the product actually works, not marketing copy.

Policy version 2026-05-18.1 · Last updated 2026-06-09

In one paragraph

VentaLens reads your Loyverse data read-only, stores it in an encrypted PostgreSQL database hosted in Singapore, and isolates every merchant at the database layer with Postgres Row-Level Security. We request the minimum Loyverse permissions, hold no write access, and never ingest customer or staff contact details. Traffic is encrypted in transit (TLS 1.3, HSTS), data is encrypted at rest, payment cards are handled entirely by Stripe — we never see your card number — and you can export or delete your data at any time.

1. Where your data is hosted

  • Database: Supabase (managed PostgreSQL) in Singapore — AWS region ap-southeast-1. Your analytical data does not leave that region.
  • Application servers: Fly.io in Singapore (the sin region), co-located with the database to keep data in-region and latency low.
  • Operating entity: SKANDAN PTE. LTD. (UEN 202621966R), a Singapore-incorporated company.

2. Tenant isolation

Every row of merchant data is tagged with a tenant ID and protected by Postgres Row-Level Security (RLS). Isolation is enforced by the database itself, not just by application code:

  • Tenant-scoped tables have RLS enabled and forced, so even a query that forgets to filter cannot return another business's rows.
  • Each request runs in a tenant-scoped database session bound to the authenticated merchant's ID — there are no cross-merchant query paths in the product.
  • We never pool, compare, or mix one business's data with another's.

For support and debugging, our internal admin tooling can query across accounts — it is the only role that bypasses RLS — and every such privileged action is written to an append-only audit log.

3. Encryption

  • In transit: TLS 1.3. HTTPS is enforced and HTTP requests are redirected to HTTPS. We send a long-lived HSTS header (max-age=63072000; includeSubDomains; preload) so browsers refuse to connect over plain HTTP.
  • At rest: the database is encrypted at rest with AES-256 (Supabase default), and so are managed backups.
  • Your Loyverse Personal Access Token is encrypted a second time at the application layer (Fernet/AES) with a separate key before it is written to the database, and is used only to read your data. The encryption key supports rotation without downtime.

4. Read-only, minimal-scope Loyverse access

  • Read-only. VentaLens never writes to, modifies, or deletes anything in Loyverse. Your Loyverse account stays the system of record. You can revoke our access from your Loyverse Back Office at any time and your account keeps working exactly as before.
  • Minimum scope. We request only the read permissions the features in your plan need, and no write permissions.
  • No customer-contact PII. We do not ingest customer records. An opaque customer reference id may appear on a receipt, but customer names, visit counts, spend history, and all contact details (email, phone, address, PIN) are discarded at the connection boundary and never written to our database, logs, or backups.
  • Minimal staff data. For employees we ingest only an id and a display name (for the owner's accountability view) — no role, no email, no phone, no PIN.
  • Purpose-bound by an allow-list. Each Loyverse field we keep maps to a specific feature. Any field not on the allow-list is dropped at the sync layer before the row is written — it never reaches our database.
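
One way to implement the allow-list drop described in this section, shown as an added example rather than VentaLens's own code. The entity names, field names, and the `prune` and `filter_record` helpers are assumptions constructed for illustration.

```python
# Added illustration of allow-list filtering at a sync boundary.
# Entity and field names are constructed; they are not VentaLens's schema
# and are not guaranteed to match the Loyverse API.
ALLOW_LIST = {
    "receipt": {
        "receipt_number", "created_at", "total_money", "customer_id",
        "line_items.item_name", "line_items.quantity", "line_items.price",
    },
    "employee": {"id", "name"},
}


def prune(record, allowed, prefix, dropped):
    """Keep allow-listed paths of one dict; append dropped path names."""
    kept = {}
    for key, child in record.items():
        path = f"{prefix}.{key}" if prefix else key
        if path in allowed:
            kept[key] = child
        elif any(a.startswith(path + ".") for a in allowed):
            # Container of allow-listed sub-fields: recurse into dicts only,
            # so an unexpected scalar at this path is not passed through.
            items = child if isinstance(child, list) else [child]
            cleaned = [prune(i, allowed, path, dropped)
                       for i in items if isinstance(i, dict)]
            if isinstance(child, list):
                kept[key] = cleaned
            elif cleaned:
                kept[key] = cleaned[0]
        else:
            dropped.append(path)  # record the field name, never its value
    return kept


def filter_record(entity, record):
    """Return (clean_record, dropped_paths); unknown entities fail closed."""
    if entity not in ALLOW_LIST:
        raise ValueError(f"no allow-list for entity {entity!r}")
    dropped = []
    clean = prune(record, ALLOW_LIST[entity], "", dropped)
    return clean, sorted(set(dropped))


SAMPLE_RECEIPT = {  # constructed sample input
    "receipt_number": "1-1001", "total_money": 12.5, "customer_id": "c-7f3a",
    "customer_email": "jane@example.com",
    "line_items": [{"item_name": "Latte", "quantity": 2, "note": "call 555-0100"}],
}
```

Returning the dropped path names without their values lets the sync job count unexpected upstream fields without ever persisting them.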

5. Payments

Billing is handled by Stripe using Stripe-hosted Checkout and the Stripe Customer Portal. Card details are entered on Stripe's pages and stored in Stripe's PCI-compliant vault — VentaLens never sees, transmits, or stores your full card number or CVV. We hold only a Stripe customer/subscription reference and verify Stripe's webhook signatures before acting on any billing event.

6. Secrets and logging

  • Secrets handling: credentials and API keys live in the platform's secret store (environment-injected), never in source code. Secret material such as your Loyverse token is additionally encrypted at rest at the application layer.
  • PII-scrubbed structured logs: logs are structured JSON and pass through a scrubbing filter that strips secret-shaped values (tokens, API keys, JWTs, ciphertext) and truncates email-shaped fields. We do not log card numbers, passwords, or customer contact details.
  • Error monitoring: when error monitoring (Sentry) is enabled, every event is run back through the same scrubber via a before_send hook before it leaves our systems, so request bodies, headers, and cookies are cleaned of PII and secrets.
  • Status endpoints never leak secrets — they expose only booleans like "key set", never the key itself.
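
A sketch of one scrubber shared by the JSON log formatter and the error-monitoring hook, as described in this section. This is an added example, not VentaLens's code: the regular expressions, the key list, and the e-mail truncation format are assumptions, and `before_send` only mirrors the `(event, hint)` signature Sentry uses for that hook.

```python
import json
import logging
import re

# Assumed patterns for "secret-shaped" values; tune to the tokens you issue.
SECRET_PATTERNS = [
    re.compile(r"eyJ[\w-]+\.[\w-]+\.[\w-]+"),              # JWT
    re.compile(r"gAAAAA[\w-]{20,}={0,2}"),                  # Fernet ciphertext
    re.compile(r"\b(?:sk|pk|rk|whsec)_[A-Za-z0-9_]{8,}"),   # prefixed API keys
]
EMAIL = re.compile(r"\b([\w.+-])[\w.+-]*@([\w-]+(?:\.[\w-]+)+)")
SENSITIVE_KEYS = {"authorization", "cookie", "set-cookie", "password", "token"}


def scrub(value):
    """Recursively redact secrets and truncate e-mail addresses."""
    if isinstance(value, dict):
        return {k: "[redacted]" if str(k).lower() in SENSITIVE_KEYS else scrub(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [scrub(v) for v in value]
    if isinstance(value, str):
        for pattern in SECRET_PATTERNS:
            value = pattern.sub("[redacted]", value)
        return EMAIL.sub(r"\1***@\2", value)
    return value


class ScrubbingJsonFormatter(logging.Formatter):
    """Emit one JSON object per record, scrubbed before serialisation."""

    def format(self, record):
        event = {"level": record.levelname, "logger": record.name,
                 "message": record.getMessage(),
                 "context": getattr(record, "context", {})}
        return json.dumps(scrub(event), sort_keys=True)


def before_send(event, hint):
    """Run outbound error events through the same scrubber as the logs."""
    return scrub(event)
```

Scrubbing the fully formatted message, rather than the format string, catches secrets that arrive through `%s` arguments.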

7. Network & application hardening

  • Security headers on every response: Content-Security-Policy, HTTP Strict-Transport-Security (HSTS), X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, and a locked-down Permissions-Policy (no camera, microphone, or geolocation).
  • CORS is restricted to our known origins, never a wildcard.
  • Rate limiting protects the API with a per-route, per-client token bucket, with tighter limits on authentication, connection, and email endpoints.
  • Sign-in is passwordless (Google or one-time magic link) — we never set or store a password.
  • Every change is audited. Mutations write an append-only audit row (actor, action, entity, before/after, with no secret material).
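
A per-route, per-client token bucket with a tighter class for authentication-style endpoints, as an added example of the rate-limiting item above (not VentaLens's code). The route paths, limits, and the `RateLimiter` class are assumptions; the clock is injectable so the behaviour can be checked deterministically.

```python
import time

# Assumed limits: (bucket capacity, refill tokens per second) per route class.
LIMITS = {
    "auth": (5, 5 / 60),     # burst of 5, then 5 per minute sustained
    "default": (60, 1.0),    # burst of 60, then 60 per minute sustained
}
# Hypothetical routes that get the tighter class; everything else is "default".
ROUTE_CLASS = {"/auth/magic-link": "auth", "/connect": "auth"}


class RateLimiter:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.buckets = {}  # (route, client) -> (tokens, last_refill_time)

    def allow(self, route, client):
        """Spend one token for (route, client); False means answer HTTP 429."""
        capacity, rate = LIMITS[ROUTE_CLASS.get(route, "default")]
        now = self.clock()
        tokens, last = self.buckets.get((route, client), (capacity, now))
        # Refill for the elapsed time, never above the bucket capacity.
        tokens = min(capacity, tokens + (now - last) * rate)
        allowed = tokens >= 1
        self.buckets[(route, client)] = (tokens - 1 if allowed else tokens, now)
        return allowed
```

With several application instances the bucket state has to live in a shared store, and idle entries need an expiry so the map does not grow without bound.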

8. Backups & restore

  • Backups: Supabase-managed, automated daily, encrypted, with a rolling 7-day retention window.
  • Restore: we maintain a documented backup-restore runbook so the database can be recovered to a recent point in time.
  • Because backups roll on a 7-day window, data you delete falls out of backups within 7 days.

9. Your data: export & deletion (PDPA/GDPR)

  • Export: export your analytical data at any time from the product (Profile → "Export my data").
  • Deletion: delete your account from your Profile page. Deletion is a soft-delete followed by a 30-day recovery grace period; after the grace window your data is hard-purged — raw receipts, derived insights, and the tenant's audit rows cascade out. A guard makes the purge impossible to run against an active or still-in-grace account.
  • Disconnect: disconnect Loyverse from the Connect screen at any time and we stop syncing immediately.
  • Audit-log retention: audit logs are kept for 1 year for security review, then purged automatically.
  • We align with Singapore PDPA and EU GDPR. A Data Processing Agreement is available on request.

10. What we do not claim

We describe only controls that are actually in place. VentaLens does not currently hold a SOC 2, ISO 27001, or PCI DSS certification, and we make no such claim. We will update this page if that changes.

11. Reporting a security issue

If you believe you have found a security vulnerability or have a security question, email [email protected] with "Security" in the subject. Please give us a reasonable window to investigate and remediate before any public disclosure.

Operating entity: SKANDAN PTE. LTD. · UEN 202621966R · Singapore.
