Security Policy
How Oliver POS protects merchant and shopper data — infrastructure, encryption, access controls, payment security, and operational practices.
Last updated: 2026-05-18
Infrastructure
Oliver runs on cloud infrastructure (AWS and Vercel) with multiple availability zones for resilience. We use managed databases with point-in-time recovery and continuous backups. Production access is restricted to a small set of senior engineers, and that access is audited.
Encryption
All data is encrypted in transit using TLS 1.2+ and at rest using AES-256. Card data is never stored on Oliver servers — it is tokenised by the payment processor at the moment of capture.
Payment security
Oliver POS does not store card numbers. Card data is handled by our integrated processors (Stripe, Moneris, Vendara, Sensi Pay, etc.), each of which is PCI-DSS Level 1 certified. Oliver POS is PCI-DSS scope-reducing — the merchant's exposure is limited because the sensitive data never touches our servers.
Access controls
Merchants manage staff access via the Oliver Hub with role-based permissions (cashier, manager, owner). Multi-factor authentication is enforced for owner and admin roles. Every privileged action is logged with the staff member, timestamp, and IP address.
Vulnerability management
We run automated dependency scanning on every build, monthly infrastructure scans, and annual third-party penetration tests. Security findings are tracked in our internal ticket system with SLAs by severity.
Incident response
We have a documented incident response procedure with on-call engineers 24/7. In the event of a data incident affecting merchants or shoppers, we notify affected parties within the timeframes required by applicable law (72 hours for GDPR).
Responsible disclosure
Found a security issue? Please email security@oliverpos.com before public disclosure. We respond within 2 business days, work with researchers in good faith, and credit findings (with permission) in our security acknowledgements.
Merchant-side security
Some security is in the merchant's hands: keeping WordPress and WooCommerce up to date, choosing strong staff passwords, enabling MFA, restricting register access to dedicated devices, and reviewing the audit log periodically. The Oliver Hub surfaces guidance on each of these.
Questions? Email legal@oliverpos.com.