Topline is built for operators who protect sensitive business data. Your POS data, labor figures, and store performance metrics are some of the most sensitive information in your organization. This document summarizes how Topline protects that data — from the moment it's ingested to the day you decide to leave.
Security Controls at a Glance
| Control Area | What We Do | Standard / Detail | Status |
|---|---|---|---|
| Encryption at Rest | All client data encrypted on disk using AES-256. Encryption keys managed via AWS KMS with automatic rotation. | AES-256 / AWS KMS | ✓ |
| Encryption in Transit | All data transmitted between clients, Topline servers, and third-party integrations uses TLS 1.3. Older TLS versions disabled. | TLS 1.3 minimum | ✓ |
| Data Isolation | Each client's data is stored in a separate, isolated database. No multi-tenant data sharing. Your data is physically and logically separated from all other clients. | Per-client DB isolation | ✓ |
| Access Control | Role-based access control (RBAC). Admin accounts require multi-factor authentication (MFA/2FA). Access to production systems is logged and audited. | RBAC + MFA enforced | ✓ |
| Data Residency | All data stored and processed on AWS infrastructure in US East (N. Virginia). No data transmitted or stored outside the United States. | AWS us-east-1 | ✓ |
| Backups | Automated daily backups with 30-day retention. Backups are encrypted at the same level as production data. Restoration tested quarterly. | Daily · 30-day retention | ✓ |
| Integration Security | Connections to SBONet, Toast, and other back-office systems use OAuth 2.0 or API tokens. Credentials are never stored in plaintext — encrypted at rest in AWS Secrets Manager. | OAuth 2.0 / Secrets Mgr | ✓ |
| Read-Only Access | Topline requests read-only permissions from all integrated systems. We never write to, modify, or delete data in your POS or back-office systems. | Read-only API scopes | ✓ |
| Incident Response | Confirmed security incidents affecting client data: clients notified within 24 hours. Incident playbooks reviewed semi-annually. | 24-hr notification SLA | ✓ |
| Data Retention | Essentials: 2 years. Pro: Unlimited. Data deleted within 30 days of written cancellation request. Backup purge within 90 days. | Plan-based (see MSA §5) | ✓ |
| Vulnerability Mgmt | Application dependencies scanned weekly using Dependabot and Snyk. Critical vulnerabilities patched within 72 hours of disclosure. | Dependabot + Snyk | ✓ |
| SOC 2 Type II | Audit currently in progress with an accredited auditor. Expected certification Q3 2026. Report available to clients under NDA upon certification. | Expected Q3 2026 | In Progress |
Data Isolation & Storage
✓
Per-client database isolation
Your data lives in its own database instance. No other client can access it — technically or operationally.
✓
AWS us-east-1 only
Data never leaves the United States. Hosted in AWS Northern Virginia region with 99.99% infrastructure uptime SLA.
✓
No cross-client data sharing
We never aggregate or share your data with other clients. Your performance data is yours alone.
✓
Data portability
Export your data at any time. Full export available within 30 days of cancellation.
Access Control & Authentication
✓
2FA required for admin accounts
All administrative accounts require two-factor authentication. TOTP or hardware key supported.
✓
Role-based access control
Granular permissions by role: Operator, DM, GM, Read-Only. Staff see only what they need.
✓
Audit logging
All login events, data access, and configuration changes are logged and retained for 12 months.
✓
Topline employee access controls
Topline staff access to production data is role-gated, MFA-required, and logged. No standing access.
Integration Security (SBONet, Toast)
✓
Read-only API access
We request the minimum necessary permissions. Topline never writes to your POS or back-office systems.
✓
OAuth 2.0 / API token auth
Credentials stored in AWS Secrets Manager with AES-256 encryption. Never in plaintext, never in code.
✓
Revocable at any time
You can revoke Topline's access to your data source at any time from your account settings or the source system.
✓
Connection monitoring
Abnormal API activity triggers internal alerts. Connections are validated on each pull cycle.
Incident Response & Notification
✓
24-hour notification SLA
Any confirmed security incident affecting your data: we notify you within 24 hours of discovery.
✓
Incident response plan
Documented IR playbook reviewed semi-annually. Includes containment, forensics, notification, and remediation steps.
✓
Status page
Live platform status at status.topline.app. Subscribe for email/SMS notifications on incidents and maintenance windows.
✓
Post-incident review
For any significant incident, a written root cause analysis is provided to affected clients within 10 business days.
Compliance Roadmap
✓
Encryption Standards
Complete · 2024
✓
Access Controls + 2FA
Complete · 2025
⟳
SOC 2 Type II Audit
In Progress · Q3 2026
◷
Pen Test (Annual)
Planned · Q4 2026