Security at Mise

Your restaurant data is the lifeblood of your business. We treat it with the care and protection it deserves. This page outlines our comprehensive approach to keeping your information safe.

Last Updated: December 13, 2025

1. Our Commitment to Security

Security isn't an afterthought at Mise. It's foundational to everything we build. We understand that restaurant operators trust us with sensitive business data, financial information, and operational details. We take that responsibility seriously.

Our security program is designed around three core principles:

  • Defense in Depth: Multiple layers of security controls protect your data at every level.
  • Least Privilege: Access to data is restricted to only what's necessary for each function.
  • Continuous Improvement: We regularly assess and enhance our security posture.

2. Data Encryption

Encryption in Transit

All data transmitted between your devices and Mise servers is encrypted using TLS 1.3, the latest and most secure version of the Transport Layer Security protocol. We enforce HTTPS across all connections and use HSTS (HTTP Strict Transport Security) to prevent downgrade attacks.

Encryption at Rest

Your data is encrypted at rest using AES-256 encryption, the same standard used by banks and government agencies. Database backups are also encrypted, ensuring your data remains protected even in our backup systems.

Key Management

Encryption keys are managed through secure key management services with automatic key rotation. Keys are never stored alongside the data they protect.

3. Infrastructure Security

Mise is hosted on enterprise-grade cloud infrastructure that provides:

  • Physical Security: Data centers with 24/7 security, biometric access controls, and video surveillance.
  • Network Security: Firewalls, intrusion detection systems, and DDoS protection.
  • Redundancy: Multi-region deployment with automatic failover to ensure high availability.
  • Monitoring: 24/7 automated monitoring with real-time alerting for anomalies.

We maintain a 99.9% uptime SLA and perform regular disaster recovery testing to ensure business continuity.

4. Access Controls

Role-Based Access Control (RBAC)

Mise implements granular role-based access controls, allowing you to define exactly what each team member can see and do within the platform. Roles include Owner, Manager, and Staff, each with configurable permissions.

Multi-Factor Authentication (MFA)

We support multi-factor authentication for all accounts. MFA adds an extra layer of security by requiring a second form of verification beyond your password.

Audit Logs

All user actions are logged with timestamps, user identification, and IP addresses. These audit logs help you track who did what and when, supporting both security monitoring and compliance requirements.

5. Data Privacy

We are committed to protecting the privacy of your data:

  • Data Minimization: We only collect data necessary to provide our services.
  • Purpose Limitation: Your data is used only for the purposes you've authorized.
  • Data Retention: We retain data only as long as necessary and provide data export and deletion options.
  • No Data Selling: We never sell your data to third parties. Period.

For more details, please review our Privacy Policy.

6. Incident Response

We maintain a comprehensive incident response plan that includes:

  • 24/7 Monitoring: Automated systems continuously monitor for security threats.
  • Rapid Response: Our security team is on-call to respond to incidents immediately.
  • Communication: In the event of a security incident affecting your data, we will notify you promptly with details and remediation steps.
  • Post-Incident Review: Every incident is analyzed to prevent recurrence and improve our defenses.

7. Compliance

PCI-DSS

While Mise does not directly process payment card data (this is handled by your POS system and payment processor), we follow PCI-DSS guidelines for any payment-related information that flows through our integrations.

SOC 2 Type II

We are actively working toward SOC 2 Type II certification, which will provide independent verification of our security controls. This certification demonstrates our commitment to maintaining the highest security standards.

GDPR Awareness

We implement privacy-by-design principles and provide tools to help you comply with data protection regulations, including data export and deletion capabilities.

8. Third-Party Security

We carefully vet all third-party services and integrations:

  • Vendor Assessment: Third-party vendors undergo security review before integration.
  • Minimal Data Sharing: We only share the minimum data necessary for integrations to function.
  • Secure APIs: All integrations use encrypted, authenticated API connections.
  • Regular Review: We periodically reassess vendor security postures.

9. Employee Security

Our team members are held to high security standards:

  • Background Checks: All employees with access to customer data undergo background verification.
  • Security Training: Regular security awareness training for all team members.
  • Access Reviews: Employee access is reviewed quarterly and revoked immediately upon departure.
  • Secure Devices: Company devices are encrypted and managed with mobile device management (MDM).

10. Responsible Disclosure

We value the security research community and welcome responsible disclosure of potential vulnerabilities. If you discover a security issue, please report it to us at:

Email: security@mise.restaurant

Please include a detailed description of the vulnerability, steps to reproduce, and any relevant screenshots or proof of concept. We commit to:

  • Acknowledging your report within 48 hours
  • Providing regular updates on our investigation
  • Not taking legal action against good-faith security researchers
  • Recognizing your contribution (with your permission) once the issue is resolved

11. Contact Us

If you have questions about our security practices or need additional information for your security assessment, please reach out:

Security Team
Email: security@mise.restaurant

For general inquiries, visit our Contact page.