Money
We never see or store full card numbers. Every payment is handled by Stripe, processed on AroodMe's platform Stripe account, and transferred to the partner restaurant's Stripe Connect Express account on Stripe's schedule. AroodMe's commission is deducted at transfer time; the breakdown is recorded for every sale and shown to the restaurant on their Payouts page.
Stripe webhook deliveries are signed and verified. Each event is archived for forensic replay and gated by an idempotency table so the same event cannot fulfill twice. A daily reconciliation script compares our records against Stripe's and alerts on drift.
Data isolation
Every database table is protected by row-level security policies. Restaurants cannot read other restaurants' data. Customers can only read their own packs. Admins are scoped to a separate role and every admin action that touches money or commercial terms is recorded in an append-only audit log.
Transport
All traffic is served over HTTPS with strict transport security. Auth sessions ride on HttpOnly cookies refreshed server-side. We do not run a service worker, so there is no persistent client cache to poison.
Secrets and access
Service-role keys never reach the browser. Server-only modules enforce that boundary at build time. Internal admin endpoints are guarded server-side, not by client logic alone.
Operators have a separate health-check secret to probe live infrastructure without exposing it publicly. Sensitive admin actions (refunds, commission changes, restaurant lifecycle changes) write before/after snapshots into an audit log that admins can read but cannot mutate.
What we deliberately do not log
Our observability pipeline runs a scrubber on every event before it leaves the process — phone numbers, emails, OTP codes, tokens, payment-method details, raw webhook bodies, and free-form address fields are stripped before they ever reach a third-party logging service.
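An illustrative scrubber of the kind described above, added here as an example and not AroodMe's own pipeline code. It walks an event object before emission, replaces denylisted fields (raw webhook bodies, OTPs, tokens, address and payment-method fields) with a marker, and redacts e-mail, card-number, phone, secret-key and OTP patterns inside any remaining string. The field names, patterns and sample event are constructed for the example.

```javascript
// Added example (not AroodMe's code): scrub an observability event before it leaves the process.

// Fields dropped wholesale, matched case-insensitively on the key name (constructed list).
const DROP_KEYS = new Set([
  "rawbody", "raw_body", "otp", "otp_code", "token", "access_token", "refresh_token",
  "address", "address_line1", "address_line2", "payment_method", "card",
]);

// Patterns applied to every string value. Order matters: long digit runs (cards)
// are redacted before phone numbers, and phone numbers before bare 6-digit OTPs,
// so a wider match is never fragmented by a narrower one. Over-redaction of an
// unrelated long number is accepted; under-redaction is not.
const PATTERNS = [
  { name: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, repl: "[email]" },
  { name: "card", re: /\b(?:\d[ -]?){13,19}\b/g, repl: "[card]" },
  { name: "phone", re: /(?:\+?\d{1,3}[ -]?)?\(?\d{2,4}\)?[ -]?\d{3}[ -]?\d{3,4}\b/g, repl: "[phone]" },
  { name: "secret", re: /\b(?:sk|rk|whsec)_[A-Za-z0-9_]+/g, repl: "[secret]" },
  { name: "bearer", re: /Bearer\s+[A-Za-z0-9._-]+/g, repl: "Bearer [token]" },
  { name: "otp", re: /\b\d{6}\b/g, repl: "[otp]" },
];

function scrubString(s) {
  let out = s;
  for (const p of PATTERNS) out = out.replace(p.re, p.repl);
  return out;
}

// Recursively scrub an event. Non-string scalars (numbers, booleans, null) pass through;
// the depth limit guards against cyclic or pathological structures.
function scrubEvent(value, depth = 0) {
  if (depth > 32) return "[depth-limit]";
  if (typeof value === "string") return scrubString(value);
  if (Array.isArray(value)) return value.map((v) => scrubEvent(v, depth + 1));
  if (value && typeof value === "object") {
    const out = {};
    for (const [key, v] of Object.entries(value)) {
      if (DROP_KEYS.has(key.toLowerCase())) { out[key] = "[dropped]"; continue; }
      out[key] = scrubEvent(v, depth + 1);
    }
    return out;
  }
  return value;
}

// The only function a transport should call: returns the serialized, scrubbed event.
function serializeForShipping(event) {
  return JSON.stringify(scrubEvent(event));
}
```

Wiring the scrubber into the serialization step that every transport shares, rather than into individual log calls, is what makes the "before it leaves the process" guarantee hold for events nobody thought to scrub by hand.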
Report a vulnerability
Email security@aroodme.com. We respond within two business days and credit researchers who follow responsible-disclosure norms.