Security & Trust at Aedan Rose
Your restaurant runs on us — reservations, orders, customer details, and payments. We treat that responsibility seriously. Here is a plain-English look at how we protect your data, built on the same modern cloud infrastructure that powers thousands of internet businesses.
Data encryption
Your data is protected both while it moves and while it sits at rest.
- In transit: every connection to Aedan Rose — our website, dashboard, AI widget, and APIs — is served over HTTPS using modern TLS encryption.
- At rest: our databases and file storage run on managed cloud providers that encrypt stored data at rest by default.
- Secrets and credentials are stored in environment-level secret management, never in our source code.
Payments & card data
We deliberately avoid holding your customers' card numbers.
- Payments are processed by Stripe, a PCI-DSS Level 1 certified payment processor — the highest level of payment security certification.
- Card numbers are entered directly into Stripe's secure systems. We never store full card numbers on our servers.
- VIP reservation deposits and online orders settle through Stripe straight to your account — we don't sit in the middle of your card data.
Tenant data isolation
Every restaurant's data is logically separated so one account can never see another's.
- Our database enforces row-level security (RLS), scoping records to the owning restaurant at the data layer — not just in application code.
- Conversations, reservations, orders, menus, analytics, and team data are all keyed to your restaurant.
- Defense in depth: isolation is enforced in both the application and the database, so a single bug in one layer is not enough to cross tenant boundaries.
Access control & least privilege
People and systems get only the access they actually need.
- Authentication is handled by Google Firebase Auth, an industry-standard identity provider.
- Role-based access in your dashboard lets you give each team member their own login with the right permissions — safer than a shared password.
- Internal services connect with scoped, least-privilege database credentials rather than blanket admin access.
Privacy & your data rights
You stay in control of your data, and we support the rights that GDPR and CCPA give your users.
- You own your restaurant content and customer data — see our Privacy Policy.
- Request data access or deletion anytime via our data deletion request (no sign-in required).
- Every marketing email includes a one-click unsubscribe, honored immediately. Transactional messages are kept minimal.
Reliability & status
We monitor the platform continuously and publish live system health.
- Real-time service health is available on our public status page.
- We run on managed cloud infrastructure with automated backups of our primary databases.
- We aim to give advance notice of scheduled maintenance whenever practical.
Straight talk on certifications
Aedan Rose is a young company, and we believe trust is earned by being honest about exactly where we are. We do not currently hold SOC 2, ISO 27001, or our own PCI DSS certification, and we don't claim to. What you see on this page describes practices that are genuinely in place today.
Where it matters most — card data — we lean on Stripe's PCI-DSS Level 1 certification precisely so that sensitive payment information is handled by specialists, not us. As we grow, we intend to pursue formal security readiness, and we'll update this page as those milestones are actually reached — not before.
How AI fits in
Aedan Rose is an AI-powered platform. Here's how that interacts with your data.
AI models & your data
- Conversational AI is powered by Google's Gemini models to understand and respond to customers.
- The AI is grounded in your menu, hours, and settings so it answers about your restaurant specifically.
- We recommend daily human review of reservations and orders — AI is a powerful assistant, not an unsupervised operator.
Infrastructure
- Hosted on managed, reputable cloud platforms with provider-level physical and network security.
- Firestore is our source of truth; a synced Postgres database powers analytics with row-level isolation.
- We minimize the personal data we collect and retain it only as long as needed to run your service.
Responsible disclosure
Found a security issue? We want to hear about it. We welcome reports from security researchers and will work with you in good faith to investigate and fix verified vulnerabilities. Please give us reasonable time to respond before any public disclosure, and avoid accessing or modifying data that isn't yours while testing.
Email us directly — we read every report.
Security & privacy contact: help@aedanrose.ai
Last updated: June 20, 2026