We don't claim certifications we haven't actually audited. Below is what is real and shipping today.
Owner and platform admin: email + password (argon2id) + optional 2FA (TOTP, 8 backup codes). Staff POS: 2-step — pick who you are from the branch roster first, then enter the 4-digit PIN. It is designed this way so that even if two staff happen to share a PIN, audit attribution stays accurate — the server verifies the PIN only against the selected staff member, never first-match-wins across the roster.
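The attribution point above is easiest to see side by side. The following is an added illustration, not posz's own code: it contrasts a "PIN alone identifies the actor" lookup with the select-then-verify design the page describes, using a constructed three-person roster in which two staff share a PIN. The roster, names, PINs and the use of stdlib scrypt as a stand-in for the PIN hash are all assumptions; the page does not say how staff PINs are stored.

```python
"""Select-then-verify vs. first-match-wins for staff PIN login.

Added example (not posz's code). Roster, PINs and scrypt-based PIN
hashing are constructed assumptions for the demonstration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Staff:
    staff_id: str
    name: str
    salt: bytes
    pin_hash: bytes


def hash_pin(pin: str, salt: bytes) -> bytes:
    # stdlib scrypt stands in for a memory-hard KDF (assumption; the
    # page only states argon2id for owner/admin passwords).
    return hashlib.scrypt(pin.encode(), salt=salt, n=2**12, r=8, p=1, dklen=32)


def enroll(staff_id: str, name: str, pin: str) -> Staff:
    salt = secrets.token_bytes(16)
    return Staff(staff_id, name, salt, hash_pin(pin, salt))


def pin_matches(staff: Staff, pin: str) -> bool:
    # Constant-time compare of the freshly derived hash against the stored one.
    return hmac.compare_digest(hash_pin(pin, staff.salt), staff.pin_hash)


def login_first_match(roster: list[Staff], pin: str) -> Optional[str]:
    """Weak design: the PIN alone selects the actor.

    With a shared PIN, whoever happens to come first in the roster is
    returned, so the audit row names the wrong person.
    """
    for s in roster:
        if pin_matches(s, pin):
            return s.staff_id
    return None


def login_select_then_verify(roster: list[Staff], selected_id: str, pin: str) -> Optional[str]:
    """Design described on the page: actor is chosen first, then the PIN
    is verified only against that one record. A shared PIN can no longer
    change who the audit row is attributed to."""
    by_id = {s.staff_id: s for s in roster}
    staff = by_id.get(selected_id)
    if staff is None or not pin_matches(staff, pin):
        return None
    return staff.staff_id


# Constructed roster: Ana and Budi share the PIN 1234.
ROSTER = [
    enroll("s1", "Ana", "1234"),
    enroll("s2", "Budi", "1234"),
    enroll("s3", "Citra", "9876"),
]


def demo() -> dict:
    return {
        # Budi types 1234 but the first matching record is Ana's.
        "first_match_budi": login_first_match(ROSTER, "1234"),
        # Budi picks himself on the roster, then types 1234.
        "select_budi": login_select_then_verify(ROSTER, "s2", "1234"),
        # Citra is selected but Ana's PIN is entered: rejected.
        "select_wrong_pin": login_select_then_verify(ROSTER, "s3", "1234"),
        # Unknown roster entry: rejected.
        "select_unknown": login_select_then_verify(ROSTER, "s9", "9876"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The actor id returned by the login step is what the audit row should record, which is why the second function is the one to pair with the per-mutation audit log.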
Every mutation (void, refund, comp, settings change, 86/item marked unavailable, inventory adjustment, plan change) writes an audit row with actor, timestamp and meta. The owner has full audit-log access via the dashboard.
TLS 1.3 for all public endpoints. Postgres not exposed to the internet. Per-tenant rate limit (default 600 req/min) on top of a global IP rate limit.
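To show how a per-tenant cap sits "on top of" a global per-IP cap, here is an added example (not posz's code). The page gives only the per-tenant default of 600 req/min; the global IP limit of 1200 req/min, the sliding-window algorithm, the in-memory store and the injected clock are constructed assumptions.

```python
"""Layered rate limiting: global per-IP cap, then per-tenant cap.

Added example (not posz's code). The IP limit value, the sliding
window and the in-memory store are assumptions; the page states only
the per-tenant default of 600 req/min.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allows at most `limit` hits per key within any `window_s` seconds."""

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window_s = window_s
        self._hits: dict[str, deque] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        # Drop timestamps that have aged out of the window.
        while q and q[0] <= now - self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class LayeredLimiter:
    """Outer layer: per source IP. Inner layer: per tenant (600/min default)."""

    def __init__(self, ip_limit_per_min: int = 1200, tenant_limit_per_min: int = 600):
        self.by_ip = SlidingWindowLimiter(ip_limit_per_min, 60)
        self.by_tenant = SlidingWindowLimiter(tenant_limit_per_min, 60)

    def check(self, ip: str, tenant: str, now: float) -> str:
        # IP layer first: a source that is already over its global cap is
        # rejected before it can consume any tenant's budget.
        if not self.by_ip.allow(ip, now):
            return "ip_limited"
        if not self.by_tenant.allow(tenant, now):
            return "tenant_limited"
        return "ok"


def simulate() -> dict:
    """Constructed traffic: tenant A bursts 601 requests from one IP,
    then tenant B uses the same IP, then the window rolls over."""
    lim = LayeredLimiter()
    t0 = 1000.0
    a_results = [lim.check("10.0.0.1", "tenant-a", t0) for _ in range(601)]
    b_result = lim.check("10.0.0.1", "tenant-b", t0)
    a_after_window = lim.check("10.0.0.1", "tenant-a", t0 + 60)
    # A second, separate source hammering the shared IP cap.
    ip_results = [lim.check("10.0.0.2", "tenant-c", t0) for _ in range(1201)]
    return {
        "a_ok": a_results.count("ok"),
        "a_last": a_results[-1],
        "b_same_ip": b_result,
        "a_after_window": a_after_window,
        "ip_last": ip_results[-1],
        "c_ok": ip_results.count("ok"),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The two layers fail differently: tenant A's 601st request is rejected while tenant B on the same IP still gets through, and tenant C is cut off by the IP layer after exhausting the global cap even though its own tenant budget was never the binding constraint.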
Daily Postgres logical backup, retention 14 daily + 12 monthly, synced to S3 with versioning. Quarterly restore drill. An incident runbook for the 3 a.m. scenario is kept internally.
Email security@posz.id (forwards to posz@uncle-z.com). No cash bug bounty yet, but genuine reports are credited in the public release notes.