Security at ShiftTrained
Last updated: July 5, 2026
Quick answer
ShiftTrained protects restaurant data with encryption in transit and at rest, database-enforced row-level isolation between customers, AES-256-GCM encryption on stored POS credentials, and Stripe-handled payments so card data never touches our servers. Every account can export or permanently delete its data self-serve. Our infrastructure providers are SOC 2 Type 2 audited.
Your menu is your business, and your staff roster is your people. We treat both that way. This page is the plain-English version of how ShiftTrained handles security — the same answers we give when a restaurant group or POS partner sends us a security questionnaire. Every claim below describes how the platform works today, not a roadmap.
What we hold, and what we deliberately don't
ShiftTrained stores your menus, the quiz questions generated from them, your staff's names and contact details, and their training scores. That's the product. Just as important is what we never hold: no payment card numbers (Stripe keeps those), no health or medical information — allergen data on ShiftTrained describes dishes, never people — and no government IDs or Social Security numbers. The least risky data is the data you never collect, so we don't.
Encryption in transit
Every connection to ShiftTrained — the dashboard, quiz links on your staff's phones, our APIs — is served exclusively over HTTPS with modern TLS. There is no unencrypted path to your data.
Encryption at rest
All customer data lives in a managed Postgres database that is encrypted at rest. Uploaded menu files sit in access-controlled cloud storage on the same footing.
Tenant isolation
Every restaurant's data is walled off with Postgres Row Level Security, enforced in the database itself — not just in application code. One customer's menus, staff, and scores are structurally invisible to every other customer.
POS credentials
When you connect Toast or Square, your credentials are encrypted with AES-256-GCM before they touch the database, in a table that no browser session can query — it is readable only by our servers. OAuth connections use read-only scopes.
Payments
All billing runs through Stripe, a certified PCI DSS Level 1 service provider. Card numbers never touch our servers and are never stored by us — we hold only a Stripe customer reference.
Your data, your controls
Export everything your account holds in one click from Settings, and delete your account through a two-step email-confirmed flow. Deletes are real deletes, not hidden archives.
Operational practices
- Authentication is handled by an industry-standard identity layer (email plus password, or Google sign-in), with hashed passwords, per-IP rate limiting, and bot screening on signup.
- A password change on any account triggers an immediate security notification to the account owner.
- Administrative access on our side is role-gated, and sensitive administrative actions are recorded in an audit log.
- Error monitoring and service-health checks run continuously, with automated alerts to the team when something looks wrong.
- Staff-facing quiz links carry no passwords and expose no personal data beyond the first name and score your manager already sees.
- SMS and email to your staff are consent-gated and honor STOP and unsubscribe instantly — compliance we proved the hard way through carrier A2P 10DLC approval.
AI and your menu data
The AI that reads your menu and writes your quiz questions runs on Anthropic's Claude API. Under Anthropic's commercial API terms, data sent to the API is not used to train their models. Your menu goes in, your questions come out, and your menu does not become anyone's training data — including ours. We never sell customer data, and we never share one customer's content with another.
Subprocessors
We build on a small set of established infrastructure providers, each independently audited:
| Provider | What they do for us | Their certifications |
|---|---|---|
| Vercel | Application hosting and delivery | SOC 2 Type 2 |
| Supabase | Database, authentication, file storage | SOC 2 Type 2 |
| Stripe | Payments and billing | PCI DSS Level 1, SOC 2 |
| Anthropic | AI menu parsing and question generation | SOC 2 Type 2 |
| Resend | Transactional email | SOC 2 Type 2 |
| Twilio | SMS delivery | SOC 2, ISO 27001 |
| Cloudflare | Bot protection on public forms | SOC 2 Type 2, ISO 27001 |
Where we stand on formal certifications
We believe in saying exactly where we are. ShiftTrained itself is not yet SOC 2 certified — that audit is planned for when our enterprise footprint justifies it, and our infrastructure providers all carry SOC 2 Type 2 today. HIPAA does not apply to ShiftTrained because we are not a healthcare entity and store no protected health information. PCI DSS obligations are satisfied through Stripe, since card data never reaches our systems. Our Privacy Policy and Terms of Service cover data rights, retention, and the legal entity behind the product.
Reporting a security issue
If you believe you've found a vulnerability in ShiftTrained, email hello@shifttrained.com with "SECURITY" in the subject line. It routes to the founder, and security reports get answered first. We ask that you give us a reasonable window to fix an issue before disclosing it publicly, and we will never take legal action against good-faith research.
Frequently Asked Questions
Is ShiftTrained SOC 2 certified?
Not yet, and we say so plainly. Our infrastructure providers — Vercel, Supabase, Stripe, Anthropic — are all SOC 2 audited today, and a ShiftTrained SOC 2 engagement is planned for when our enterprise customer base justifies the annual audit. In the meantime, this page answers the substance of most vendor security questionnaires.
Does HIPAA apply to ShiftTrained?
No. ShiftTrained is not a healthcare provider, insurer, or business associate, and stores no protected health information. Allergen information on the platform describes menu items, never a person's medical condition.
Who can see my restaurant's data?
Your managers, the staff you invite (who see only their own quizzes and scores), and ShiftTrained staff when needed to support your account. Other customers structurally cannot see your data — isolation is enforced by Row Level Security in the database itself, not just by application code.
What happens to my data if I cancel or delete my account?
You can export everything first with one click from Settings. Account deletion is a two-step, email-confirmed flow, and it permanently removes your organization's data — deletes on ShiftTrained are hard deletes, not hidden archives.
Is my menu used to train AI models?
No. Menu parsing and question generation run on Anthropic's Claude API, and under Anthropic's commercial API terms that data is not used for model training. We don't train models on your content either, and we never share one customer's menus or questions with another customer.
How are my Toast or Square credentials protected?
POS credentials are encrypted with AES-256-GCM before storage, in a database table that browser sessions cannot query — only our servers can decrypt them, and only to sync your menu and roster. Square connections use OAuth with read-only scopes, and you can disconnect at any time.
Related Reading
Other angles on restaurant training, menu knowledge, and what AI changes for operators.
Best Menu Training Programs
Our ranked breakdown of menu training tools, and why ShiftTrained leads.
The Menu-Knowledge Research
Real before-and-after data from two restaurants that rolled it out.
Restaurant Menu Training
How AI-driven quizzes replace pre-shift announcements with real retention.
See Everything It Does
The full ShiftTrained feature set, from menu upload to live leaderboards.
Cocktail Training
Train bartenders on specs, builds, and the cocktail menu.
Wine Training
Get your floor confident on the wine list and pairings.
Bartender Training App
Mobile bar training on cocktails, beer, and wine.
Restaurant Onboarding
New-hire training that doesn't take three weeks to set up.
Toast POS Integration
Connect Toast and your menu trains your staff automatically.
Square POS Integration
One-click Square connection that turns your catalog into a staff quiz.
Employee Handbook Training
Turn your handbook and steps of service into a quiz they have to pass.
“Since we started using ShiftTrained, wine sales for both bottle and by-the-glass are up 34%. The staff is not scared to talk about the wine anymore.”
George G. · Black Barrel · Chicago
Ready to train your staff BEFORE service?
Upload your menu. AI builds the quiz. Your team takes it on their phones. Free trial, no credit card.
Free trial · No credit card
