BeverageStack
Legal

Security Policy

Public-facing security policy for the BeverageStack platform.

Applies to
Platform security, account protection, customer data and operational controls
Document type
Website and platform policy
Version
v1.0 — Effective 25 June 2026
At a glance
This Security Policy describes the administrative, technical and organisational controls BeverageStack uses to protect the website, platform, customer workspaces, user accounts and business data.

1. Security principles

PrincipleMeaning for BeverageStack
Least privilegeUsers and personnel should have only the access needed for their role.
Visibility with controlAudit history and role-based permissions support accountability without exposing unnecessary data.
Secure operationsSecurity is treated as an operational discipline, not a once-off technical setting.
Customer separationCustomer workspaces and permissions are designed to reduce unauthorised access between teams.
Responsible disclosureSecurity concerns should be reviewed, triaged and remediated proportionately.

2. Shared responsibility model

BeverageStack responsibilitiesCustomer responsibilities
Maintain reasonable platform, infrastructure, application and supplier security controls.Use strong, unique credentials and protect user devices.
Provide role-based access, account controls and audit capabilities where available.Assign roles carefully, remove users promptly and review access regularly.
Monitor and respond to security events affecting the platform.Report suspected compromise or misuse promptly through appropriate support channels.
Maintain data-processing and security policies.Avoid entering unnecessary, unlawful or sensitive data into the platform.
Use reasonable safeguards for backups, development and change control.Export, verify and maintain business records needed for internal governance and continuity.

3. Access control and authentication

  • Access to BeverageStack is limited to authorised users and approved personnel.
  • Role-based permissions are used to control access to workspaces, modules and key records where functionality allows.
  • Administrative access is limited to personnel who require it for support, security, maintenance or operational purposes.
  • Credential and session controls are used to reduce unauthorised access risk.
  • Customers are responsible for ensuring that departing staff, contractors or temporary users are removed promptly.

4. Data protection and encryption

BeverageStack uses reasonable technical and organisational controls to protect data against unauthorised access, alteration, disclosure and loss. These controls may include encryption in transit, protected credential storage, access restrictions, backup controls, workspace separation, secure service-provider configurations and privacy-conscious data minimisation.

Customers should not use BeverageStack as a repository for payment-card data, special-category data, children's data, government identifiers or highly sensitive regulated records unless expressly permitted in a separate written agreement.

5. Infrastructure and platform controls

  • Cloud and infrastructure providers are selected to support reliable, secure platform operations.
  • Production systems are logically separated from development or testing environments where appropriate.
  • Configuration changes should be reviewed and managed to reduce avoidable security and availability risk.
  • Supplier access is controlled according to need, confidentiality and security requirements.
  • Security-relevant configurations are reviewed as the platform evolves.

6. Audit logs and monitoring

BeverageStack may maintain audit logs and security records to support operational visibility, account control, troubleshooting, fraud prevention, incident investigation and compliance. Logs may include account events, key record changes, timestamps, IP addresses, device or browser information, administrator actions and error events.

Audit logs are not a substitute for customer governance. Customers should maintain appropriate internal controls, approval processes, stock procedures, pricing reviews and reporting checks.

7. Development and change management

  • Code, configuration and feature changes should follow controlled development and deployment practices.
  • Testing is used to reduce operational, functional and security defects before material changes are released.
  • Security and privacy considerations are assessed when new features, integrations or data flows are introduced.
  • Emergency changes may be made where needed to protect security, availability or platform integrity.

8. Backups and continuity

BeverageStack aims to maintain reasonable backup and recovery practices appropriate to the platform's scale, customer needs and risk profile. Backup availability, restoration time, data loss tolerance and continuity commitments may vary by plan, customer agreement, technical environment and third-party provider availability.

Customers should keep their own records, exports and operational documentation where required for stock control, audit, finance, regulatory compliance and continuity.

9. Incident response

PhaseTypical activity
IdentifyDetect unusual activity, service disruption, vulnerability reports or suspicious account behaviour.
AssessEvaluate scope, systems affected, data affected, customer impact and legal notification requirements.
ContainLimit further exposure, revoke access, patch, isolate systems or disable affected functionality where needed.
RemediateFix root causes, restore services, rotate secrets or implement additional controls.
ReviewDocument lessons learned and improve controls, monitoring or process where appropriate.

10. Vulnerability management

BeverageStack reviews vulnerabilities based on severity, exploitability, affected systems and customer impact. Remediation may include patches, configuration changes, dependency updates, compensating controls, supplier action or emergency mitigation. Responsible reports of suspected vulnerabilities will be triaged in good faith.

11. Personnel and supplier controls

  • Personnel with access to customer data or production systems are expected to follow confidentiality and security obligations.
  • Access rights are assigned based on business need and reviewed where appropriate.
  • Service providers are expected to apply appropriate confidentiality, security and data-protection controls.
  • Where suppliers materially support the platform, BeverageStack assesses them proportionately to the nature and risk of the service.

12. Customer security responsibilities

  • use strong, unique passwords and approved authentication methods;
  • protect laptops, phones, browsers and networks used to access BeverageStack;
  • remove users immediately when access is no longer needed;
  • assign permissions according to job role and commercial sensitivity;
  • review audit history and workspace activity where available;
  • avoid uploading sensitive data not needed for BeverageStack's business purpose;
  • report suspected account compromise, mistaken access, suspicious exports or unusual activity promptly.

13. Security limitations and policy updates

No security programme can eliminate all risk. BeverageStack cannot guarantee that unauthorised access, service interruption, human error, device compromise, supplier failure or malicious activity will never occur. This policy will be updated as the platform, legal requirements, technical controls and customer needs evolve.