Infrastructure
Nordkestrel is hosted on Cloudflare. The stack runs globally at Cloudflare's edge — no self-managed servers, no private VPC to patch, no SSH keys lying around.
Data in transit
- All traffic to admin, storefronts, and API is served over TLS 1.2+ (TLS 1.3 preferred).
- HTTP requests are automatically upgraded to HTTPS.
- API calls require a valid Clerk-signed JWT in the Authorization header.
Data at rest
- Cloudflare D1 is encrypted at rest.
- R2 object storage is encrypted at rest.
- OAuth tokens for third-party integrations (social accounts, Stripe) are stored encrypted.
Authentication and authorization
- Operator authentication is handled by Clerk (organization-based auth with optional MFA).
- Every API request is authorized against the restaurant's staff roster before any data is returned.
- Role-based access — Owner, Admin, Manager, Cashier, Kitchen — each with a scoped permission set.
- Tenant isolation: every query filters by restaurant_id; cross-tenant reads are rejected at the middleware layer.
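The following is an added illustration, not Nordkestrel's code, of how a Workers-style middleware can enforce the three checks listed above (token present, caller on the restaurant's staff roster, role permits the action) before any query runs. The roster, the role-to-permission table, the route shape `/api/restaurants/<restaurant_id>/...` and the token format are all constructed for the example; the stubbed `verifyToken` stands in for Clerk JWT signature verification and does none of its own.

```javascript
// Constructed sample roster: restaurant_id -> { userId: role }.
// In a real deployment this would be read from the tenant's D1 rows.
const ROSTER = {
  rest_100: { user_a: "Owner", user_b: "Cashier" },
  rest_200: { user_c: "Manager" },
};

// Roles allowed to perform each action (constructed; roles match the page).
const PERMISSIONS = {
  "orders:read": ["Owner", "Admin", "Manager", "Cashier", "Kitchen"],
  "refund:create": ["Owner", "Admin", "Manager"],
  "staff:write": ["Owner", "Admin"],
};

// Stand-in for Clerk JWT verification (assumption, not Clerk's API):
// accepts "Bearer user:<id>" and returns the subject, or null.
// Real code verifies the signature and expiry against Clerk's JWKS.
function verifyToken(authHeader) {
  if (!authHeader || !authHeader.startsWith("Bearer user:")) return null;
  const sub = authHeader.slice("Bearer user:".length);
  return sub ? { sub } : null;
}

// Extract the tenant from "/api/restaurants/<restaurant_id>/...".
function tenantFromPath(pathname) {
  const m = pathname.match(/^\/api\/restaurants\/([^/]+)\//);
  return m ? m[1] : null;
}

// Core authorization step. Returns { status, body }; a 200 carries the
// restaurant_id that every downstream query must filter on.
function authorize(pathname, authHeader, action) {
  const claims = verifyToken(authHeader);
  if (!claims) return { status: 401, body: "missing or invalid token" };

  const restaurantId = tenantFromPath(pathname);
  if (!restaurantId) return { status: 404, body: "unknown route" };

  // Tenant isolation: the roster lookup is scoped to the restaurant named in
  // the route, so a valid user of another restaurant is refused exactly like
  // an outsider, and the data layer is never reached.
  const role = ROSTER[restaurantId]?.[claims.sub];
  if (!role) return { status: 403, body: "not on this restaurant's roster" };

  if (!PERMISSIONS[action]?.includes(role)) {
    return { status: 403, body: `role ${role} may not ${action}` };
  }
  return { status: 200, body: { restaurantId, userId: claims.sub, role } };
}

// Workers-style entry point: maps a Request onto authorize().
function handle(request, action) {
  const { pathname } = new URL(request.url);
  const result = authorize(pathname, request.headers.get("Authorization"), action);
  return new Response(JSON.stringify(result.body), { status: result.status });
}
```

The important property is that the roster lookup is keyed by the restaurant in the route, not by the caller's own restaurant: a Cashier of rest_100 asking for rest_200's orders gets the same 403 as an unauthenticated stranger, which is what "cross-tenant reads are rejected at the middleware layer" means in practice.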
Payments
- Payments are processed by Stripe via Stripe Connect. Card data is tokenized by Stripe Elements in the diner's browser — it never reaches our servers.
- Nordkestrel is a PCI DSS SAQ-A merchant (no direct cardholder data handling).
- Payouts go directly from Stripe to the restaurant's bank account — we are not a money transmitter.
Audit logging
Sensitive admin actions (staff changes, menu publishes, payout triggers, refunds, domain changes) are written to an immutable audit log tied to the restaurant. Logs are retained for 12 months.
Rate limiting and abuse protection
- Per-IP and per-endpoint rate limits on write-heavy routes (promotion redemptions, domain operations, uploads).
- Cloudflare's bot and DDoS protections in front of every request.
- Automatic blocking of known-bad IPs through Cloudflare's managed rules.
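As an added example (not Nordkestrel's code), here is a per-IP, per-endpoint fixed-window limiter of the kind the first bullet describes for write-heavy routes. The route names, the limits and the 60-second window are constructed; state is held in an in-memory Map, whereas a Worker serving many edge locations would keep the counters in a shared store such as Durable Objects or KV.

```javascript
// Constructed policy: allowed requests per window for each write-heavy route.
// Routes absent from the table are not limited by this layer.
const LIMITS = {
  "POST /api/promotions/redeem": 10,
  "POST /api/uploads": 5,
};
const WINDOW_MS = 60_000;

class RateLimiter {
  constructor(limits = LIMITS, windowMs = WINDOW_MS) {
    this.limits = limits;
    this.windowMs = windowMs;
    // key "ip|route" -> { windowStart, count }
    this.buckets = new Map();
  }

  // Decide whether one request may proceed. Returns
  // { allowed, remaining, retryAfterMs }. `now` is injectable so the window
  // boundary can be tested deterministically.
  check(ip, route, now = Date.now()) {
    const limit = this.limits[route];
    if (limit === undefined) {
      return { allowed: true, remaining: Infinity, retryAfterMs: 0 };
    }

    const key = `${ip}|${route}`;
    const windowStart = now - (now % this.windowMs);
    let bucket = this.buckets.get(key);
    // Start a fresh counter when the window has rolled over.
    if (!bucket || bucket.windowStart !== windowStart) {
      bucket = { windowStart, count: 0 };
      this.buckets.set(key, bucket);
    }

    if (bucket.count >= limit) {
      // Tell the client when the current window ends (maps to Retry-After).
      return {
        allowed: false,
        remaining: 0,
        retryAfterMs: windowStart + this.windowMs - now,
      };
    }
    bucket.count += 1;
    return { allowed: true, remaining: limit - bucket.count, retryAfterMs: 0 };
  }
}

// Workers-style wrapper: derive the client IP from Cloudflare's
// CF-Connecting-IP header and the route key from method plus path.
function enforce(limiter, request, now = Date.now()) {
  const ip = request.headers.get("CF-Connecting-IP") || "unknown";
  const route = `${request.method} ${new URL(request.url).pathname}`;
  const verdict = limiter.check(ip, route, now);
  if (!verdict.allowed) {
    return new Response("rate limited", {
      status: 429,
      headers: { "Retry-After": String(Math.ceil(verdict.retryAfterMs / 1000)) },
    });
  }
  return null; // caller proceeds to the real handler
}
```

Keying on both IP and route means a burst against uploads does not consume the redemption budget, and a fixed window keeps the state to one small record per key; the trade-off is that a client can send up to twice the limit across a window boundary, which a sliding window would smooth out.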
Secrets and keys
- Secrets live only in Cloudflare Workers environment bindings — never committed to source control.
- Rotation policy: Stripe and Clerk keys rotated on compromise or staff offboarding; Resend API key rotated annually.
Data portability
Restaurants can export orders, customers, menus, and campaign data as CSV at any time from the dashboard. Full account deletion purges operational data within 30 days.
Reporting a vulnerability
If you believe you have found a security issue, please email our security contact. Include reproduction steps and a description of the impact. Please do not probe production systems for vulnerabilities beyond what is needed to demonstrate the issue, and do not access data that does not belong to you.
We commit to acknowledging reports within 3 business days and will credit researchers who responsibly disclose issues in our changelog.
Compliance
We're a small team building in public and have not yet pursued formal SOC 2 or ISO 27001 certification. Our controls are modeled on those frameworks, and we will seek certification as customer demand warrants.