·
WineUp
HOME
Privacy PolicyTerms of ServiceRefund & CancellationSafeguards
Legal

Safeguards (TOMs & DPAs)

Technical and Organisational Measures (TOMs) and the list of sub-processors used by WineUp Labs to deliver the platform. This page is referenced by §6 (Sub-processors), §10 (Security) and §11 (Breach notification) of the Privacy Policy and is part of WineUp's Data Processing Addendum offering.

Last updated · February 2026

WineUp Labs (“WineUp”) acts as a data processor for personal data submitted by subscribing restaurants and their staff. This Safeguards page documents the concrete Technical and Organisational Measures (TOMs) we operate, the third-party sub-processors we rely on, and the data-processing agreements that flow down to them. It complements the Privacy Policy and the Data Processing Addendum (DPA) we sign with restaurants on request.

This page is updated whenever a TOM is materially changed or a sub-processor is added or removed. Restaurants subscribed to WineUp can request prior written notice of sub-processor changes by emailing wineuptech@gmail.com with subject “Sub-processor notice opt-in”.

Live service health and 30-day uptime are publicly verifiable at /status.

1. Encryption in transit

  • All traffic between the diner / merchant browser and WineUp is forced over HTTPS / TLS 1.2 or higher with modern cipher suites. HTTP traffic is redirected to HTTPS at the edge.
  • Strict-Transport-Security (HSTS) is enforced with a one-year max-age and the includeSubDomains directive.
  • Internal communication between application services and the database uses TLS 1.2+.
  • JSON Web Tokens issued at login are signed (HS256), short-lived for sensitive operations (5-minute confirmation tokens) and rotated on password reset.

2. Encryption at rest

  • The primary database (MongoDB Atlas, see §7 below) encrypts all data at rest using AES-256, including backups and snapshots.
  • Passwords are never stored in plain text. They are hashed with the bcrypt algorithm (default work factor 12) prior to persistence. The application never logs raw passwords or hashes.
  • Stripe payment-method data is tokenised: WineUp stores only the Stripe customer ID and the card metadata necessary for invoicing (last 4, brand, country). Full card numbers and CVV are never transmitted to or stored by WineUp.
  • 2FA codes and password-reset tokens are stored hashed (SHA-256) with a short TTL; the plaintext value is delivered to the user only at the moment of issue.

3. Access control and authentication

  • Merchant accounts are authenticated by email + password or by Emergent-managed Google OAuth. Passwords must contain at least 8 characters.
  • Two-factor authentication (2FA) via email is required on every login from a new device and for every sensitive action (account deletion, subscription cancellation). Trusted-device cookies expire after 30 days and can be revoked individually or globally by the merchant.
  • Brute-force protection: failed login attempts are rate-limited per email; sensitive-action codes are single-use, expire in 10 minutes and lock after 5 wrong attempts.
  • Server-side authorisation is enforced on every API route: data is queried with the caller's tenant scope (restaurant_id) so no cross-tenant read or write is possible, even with knowledge of internal IDs.
  • Inside WineUp Labs, production database access is restricted to authorised engineers, follows the principle of least privilege and is logged centrally.

4. Tenant isolation

WineUp is multi-tenant at the application layer. Every collection (restaurants, dishes, wines, pairings, tables, sessions, orders, notifications, staff, guest profiles, etc.) is keyed by restaurant_id. Every read and write query is scoped server-side to the caller's active restaurant. Cross-tenant requests return 403 Forbidden and are recorded in the warning log for auditing.

5. Network and platform security

  • Application servers run inside an isolated Kubernetes cluster. The cluster only exposes a single HTTPS ingress; all other ports are firewalled.
  • Secrets (database credentials, Stripe keys, OpenAI keys, email API keys, JWT signing key) are stored in environment-managed secrets and are never committed to source control.
  • Dependencies are scanned for known vulnerabilities; security patches are applied within 7 days of public disclosure for high or critical severity findings.
  • Production data is never copied to developer workstations or to non-production environments.

6. Backups and disaster recovery

  • The MongoDB Atlas backend operates daily snapshots with a 7-day retention window, plus continuous point-in-time backups within a rolling 24-hour window.
  • Backups inherit the same AES-256 encryption-at-rest guarantees as the primary database.
  • WineUp targets a Recovery Time Objective (RTO) of 24 hours and a Recovery Point Objective (RPO) of 24 hours for catastrophic failure.
  • Restores are tested at least once per calendar quarter.

7. Sub-processors

WineUp relies on the following sub-processors to deliver the service. Each sub-processor is bound by a written data processing agreement (DPA) or equivalent contractual safeguards, and is GDPR-compatible.

Sub-processorPurposeData categoriesLocationDPA / safeguards
MongoDB Atlas (MongoDB, Inc.)Primary application database (managed)Restaurant account data, menus, wines, pairings, tables, sessions, orders, staff identifiersEU / US (region selected at deployment time)DPA
Emergent Labs (hosting infrastructure)Kubernetes hosting, HTTPS edge, secrets, monitoringAll application traffic, system logsEU / USMaster Service Agreement + DPA on file
Stripe, Inc.Payment processing for subscriptionsStripe customer ID, card brand, last 4, billing country, subscription status; full card data tokenised at StripeUS (with EU sub-processor for EU customers)DPA
OpenAI, L.L.C.AI menu extraction and pairing generationMenu text, wine descriptions, dish attributes uploaded by the Restaurant. No guest data is ever sent.US (data not used to train models per OpenAI API policy)DPA
Resend (Resend, Inc.)Transactional email delivery (OTP, password reset, weekly summary, order notifications)Merchant email address, email subject, rendered HTML bodyUS / EUDPA
Google LLC (Workspace / Identity)Emergent-managed Google OAuth sign-in (optional)Merchant email address, public profile picture, OAuth token (no Google password)EU / USDPA
IONOS / domain DNSDomain registration and DNS records for wineuptech.comDomain registration metadata (WHOIS), DNS queriesEUDomain registrar terms

8. International data transfers

When a sub-processor is located outside of the European Economic Area (EEA) or the United Kingdom, WineUp relies on the European Commission's Standard Contractual Clauses (SCCs) (module 3 — processor to processor), the UK Addendum where applicable, and on transfer impact assessments performed for each sub-processor. Where a sub-processor offers an EU data residency option, WineUp uses it by default for customers based in the EEA or UK.

9. Logging, monitoring and intrusion detection

  • Application logs capture authentication events, billing operations, AI job lifecycle, sensitive-action confirmations and abnormal errors. Logs do not contain raw passwords, full card numbers, OAuth refresh tokens or guest personal data.
  • Logs are retained for up to 90 days for security and fraud investigation, then deleted or anonymised.
  • Anomalies (repeated failed logins, cross-tenant access attempts, sudden traffic spikes) are alerted to the WineUp on-call engineer.

10. Vulnerability management and secure development

  • Code changes go through peer review prior to production deployment.
  • Dependency vulnerabilities are scanned on every build; critical fixes are deployed within 7 days of disclosure.
  • Test data sets used in development never contain production personal data.
  • Secrets are rotated on offboarding of any engineer with prior access and after any suspected compromise.

11. Incident response and breach notification

  • WineUp maintains an internal incident-response runbook covering detection, containment, eradication, recovery and post-mortem.
  • For any personal-data breach affecting Restaurant data, WineUp will notify the Restaurant's registered administrator email within 72 hours of becoming aware of the breach, including the nature of the incident, categories and approximate number of records affected, likely consequences and the measures taken or proposed to address it.
  • Post-incident reviews are completed within 14 days of containment and lessons are folded back into the runbook.

12. Data retention and deletion

  • Restaurant data is retained while the subscription is active and the Restaurant continues to use the platform.
  • On account deletion (Settings → Danger Zone), all linked data — restaurants, dishes, wines, pairings, tables, sessions, dish entries, wine orders, notifications, staff, guest profiles — is cascade-deleted within 30 days.
  • Backups containing deleted data are aged out within their retention window (see §6).
  • Security logs may be retained up to 90 days post-deletion to investigate fraud or abuse claims raised before deletion.

13. Data Processing Addendum (DPA)

Restaurants subject to GDPR, UK GDPR or comparable regimes can request a signed Data Processing Addendum from WineUp by emailing wineuptech@gmail.com with subject “DPA request”. Our standard DPA flows down the Standard Contractual Clauses to every sub-processor listed in §7 and references this Safeguards page as the canonical TOM annex.

14. Updates to this page

This Safeguards page is maintained in lock-step with the Privacy Policy. Material changes are notified to subscribed restaurants by email at least 14 days in advance. Continued use of the service after the effective date constitutes acceptance.

15. Contact

Security or privacy questions, breach reports, sub-processor objection notices, DPA requests: wineuptech@gmail.com.

Have a question? Email wineuptech@gmail.com

Made with Emergent