Skip to content

Train your staff BEFORE service,
not during.

Try Now →

Security at ShiftTrained

Last updated: July 5, 2026

Quick answer

ShiftTrained protects restaurant data with encryption in transit and at rest, database-enforced row-level isolation between customers, AES-256-GCM encryption on stored POS credentials, and Stripe-handled payments so card data never touches our servers. Every account can export or permanently delete its data self-serve. Our infrastructure providers are SOC 2 Type 2 audited.

Your menu is your business, and your staff roster is your people. We treat both that way. This page is the plain-English version of how ShiftTrained handles security — the same answers we give when a restaurant group or POS partner sends us a security questionnaire. Every claim below describes how the platform works today, not a roadmap.

What we hold, and what we deliberately don't

ShiftTrained stores your menus, the quiz questions generated from them, your staff's names and contact details, and their training scores. That's the product. Just as important is what we never hold: no payment card numbers (Stripe keeps those), no health or medical information — allergen data on ShiftTrained describes dishes, never people — and no government IDs or Social Security numbers. The least risky data is the data you never collect, so we don't.

Encryption in transit

Every connection to ShiftTrained — the dashboard, quiz links on your staff's phones, our APIs — is served exclusively over HTTPS with modern TLS. There is no unencrypted path to your data.

Encryption at rest

All customer data lives in a managed Postgres database that is encrypted at rest. Uploaded menu files sit in access-controlled cloud storage on the same footing.

Tenant isolation

Every restaurant's data is walled off with Postgres Row Level Security, enforced in the database itself — not just in application code. One customer's menus, staff, and scores are structurally invisible to every other customer.

POS credentials

When you connect Toast or Square, your credentials are encrypted with AES-256-GCM before they touch the database, in a table that no browser session can query — it is readable only by our servers. OAuth connections use read-only scopes.

Payments

All billing runs through Stripe, a certified PCI DSS Level 1 service provider. Card numbers never touch our servers and are never stored by us — we hold only a Stripe customer reference.

Your data, your controls

Export everything your account holds in one click from Settings, and delete your account through a two-step email-confirmed flow. Deletes are real deletes, not hidden archives.

Operational practices

  • Authentication is handled by an industry-standard identity layer (email plus password, or Google sign-in), with hashed passwords, per-IP rate limiting, and bot screening on signup.
  • A password change on any account triggers an immediate security notification to the account owner.
  • Administrative access on our side is role-gated, and sensitive administrative actions are recorded in an audit log.
  • Error monitoring and service-health checks run continuously, with automated alerts to the team when something looks wrong.
  • Staff-facing quiz links carry no passwords and expose no personal data beyond the first name and score your manager already sees.
  • SMS and email to your staff are consent-gated and honor STOP and unsubscribe instantly — compliance we proved the hard way through carrier A2P 10DLC approval.

AI and your menu data

The AI that reads your menu and writes your quiz questions runs on Anthropic's Claude API. Under Anthropic's commercial API terms, data sent to the API is not used to train their models. Your menu goes in, your questions come out, and your menu does not become anyone's training data — including ours. We never sell customer data, and we never share one customer's content with another.

Subprocessors

We build on a small set of established infrastructure providers, each independently audited:

ProviderWhat they do for usTheir certifications
VercelApplication hosting and deliverySOC 2 Type 2
SupabaseDatabase, authentication, file storageSOC 2 Type 2
StripePayments and billingPCI DSS Level 1, SOC 2
AnthropicAI menu parsing and question generationSOC 2 Type 2
ResendTransactional emailSOC 2 Type 2
TwilioSMS deliverySOC 2, ISO 27001
CloudflareBot protection on public formsSOC 2 Type 2, ISO 27001

Where we stand on formal certifications

We believe in saying exactly where we are. ShiftTrained itself is not yet SOC 2 certified — that audit is planned for when our enterprise footprint justifies it, and our infrastructure providers all carry SOC 2 Type 2 today. HIPAA does not apply to ShiftTrained because we are not a healthcare entity and store no protected health information. PCI DSS obligations are satisfied through Stripe, since card data never reaches our systems. Our Privacy Policy and Terms of Service cover data rights, retention, and the legal entity behind the product.

Reporting a security issue

If you believe you've found a vulnerability in ShiftTrained, email hello@shifttrained.com with "SECURITY" in the subject line. It routes to the founder, and security reports get answered first. We ask that you give us a reasonable window to fix an issue before disclosing it publicly, and we will never take legal action against good-faith research.

Frequently Asked Questions

Is ShiftTrained SOC 2 certified?

Not yet, and we say so plainly. Our infrastructure providers — Vercel, Supabase, Stripe, Anthropic — are all SOC 2 audited today, and a ShiftTrained SOC 2 engagement is planned for when our enterprise customer base justifies the annual audit. In the meantime, this page answers the substance of most vendor security questionnaires.

Does HIPAA apply to ShiftTrained?

No. ShiftTrained is not a healthcare provider, insurer, or business associate, and stores no protected health information. Allergen information on the platform describes menu items, never a person's medical condition.

Who can see my restaurant's data?

Your managers, the staff you invite (who see only their own quizzes and scores), and ShiftTrained staff when needed to support your account. Other customers structurally cannot see your data — isolation is enforced by Row Level Security in the database itself, not just by application code.

What happens to my data if I cancel or delete my account?

You can export everything first with one click from Settings. Account deletion is a two-step, email-confirmed flow, and it permanently removes your organization's data — deletes on ShiftTrained are hard deletes, not hidden archives.

Is my menu used to train AI models?

No. Menu parsing and question generation run on Anthropic's Claude API, and under Anthropic's commercial API terms that data is not used for model training. We don't train models on your content either, and we never share one customer's menus or questions with another customer.

How are my Toast or Square credentials protected?

POS credentials are encrypted with AES-256-GCM before storage, in a database table that browser sessions cannot query — only our servers can decrypt them, and only to sync your menu and roster. Square connections use OAuth with read-only scopes, and you can disconnect at any time.

Related Reading

Other angles on restaurant training, menu knowledge, and what AI changes for operators.

“Since we started using ShiftTrained, wine sales for both bottle and by-the-glass are up 34%.  The staff is not scared to talk about the wine anymore.”

George G. · Black Barrel · Chicago

Ready to train your staff BEFORE service?

Upload your menu.  AI builds the quiz.  Your team takes it on their phones.  Free trial, no credit card.

Free trial · No credit card