Your data is safe with us
We built Catertoo with security as a first-class concern, not an afterthought.
Catering businesses trust Catertoo with their clients, contracts, and payments. We treat that seriously: every business runs in its own isolated data space, card details never touch our servers, and your records stay yours - exportable on request and never sold.
Tenant isolation
Every catering business gets its own isolated data space. Row-level security ensures that no user - regardless of permissions - can ever access another business's clients, events, or proposals.
Payment security via Stripe
We never store raw card numbers. All payment data is handled by Stripe, a PCI DSS Level 1 certified payment processor. Funds flow directly to your Stripe-connected bank account.
Encryption everywhere
All data is encrypted in transit using TLS 1.2+. Sensitive data at rest is encrypted at the storage layer. Passwords are hashed using bcrypt and never stored in plain text.
Access controls
Role-based permissions limit what each team member can see and do. Session tokens are rotated on login and invalidated on logout.
Multi-factor authentication
Add a second factor to every sign-in: authenticator apps (TOTP), passkeys, or one-time recovery codes. You and your team enroll from your security settings.
Your data, your control
Your data is yours. Each business's records are fully isolated, exportable on request, and never sold or shared. Cancel anytime and leave with everything intact.
Infrastructure and subprocessors
Catertoo is hosted on Fly.io in the United States, with DNS managed through Cloudflare. Payments run through Stripe (PCI DSS Level 1) and optional sign-in uses Google. We rely on a small, vetted set of subprocessors.
Responsible disclosure
Found a vulnerability? Email security@catertoo.com and we'll respond within 24 hours. We take every report seriously.