Smaqly is built with security and data protection at its core. Here we summarize how we protect your data and your guests' data – technically, organizationally, and legally. All core data is hosted in the EU.
All traffic is encrypted in transit (TLS) and data is encrypted at rest with our EU hosting providers.
Multi-tenant isolation enforced at the database level with row-level security – one restaurant can never see another's data.
Role-based access per employee + additional two-factor authentication (TOTP) on sensitive administrative actions.
Sensitive actions are logged with user, timestamp, and details – so it's always traceable who did what.
Rate limiting, server-side input validation, and XSS protection on all public and admin surfaces.
Automatic code and dependency scanning (CodeQL + Dependabot) as well as error and threat monitoring in production (Sentry).
Powered by European enterprise infrastructure
All core data (database, hosting, email) is stored in the EU – Supabase eu-central-1 (Frankfurt) + Vercel + Resend (EU).
The restaurant is the data controller, Craftory is the data processor. A data processing agreement (DPA) is established during onboarding.
Built-in 1-click data export (JSON), deletion, and rectification – so you can easily comply with access and deletion requests.
Personally identifiable customer data (phone/address) is automatically deleted after a set retention period following the last order.
Cookie banner with granular opt-in (essential/analytics/marketing separated). Marketing consent is isolated from the order.
Fixed procedure for handling and reporting security breaches to the Data Protection Authority within 72 hours.
| Supplier | Purpose | Region |
|---|---|---|
| Supabase | Database & storage | EU (Frankfurt) |
| Vercel | Application hosting | EU (Frankfurt) |
| Resend | Transactional email | EU |
| Frisbii | Subscription / billing | EU (DK) |
| Flatpay | Card payment (terminal) | EU (DK) |
| OpenAI / Anthropic / fal | AI features (optional) | EU/USA – under SCC |
| Sentry | Error & operational monitoring | EU/USA – under SCC |
Some sub-processors (AI, operational monitoring) may process data outside the EU under the EU Commission's standard contractual clauses (SCC). AI features are optional and activated per restaurant.
Smaqly is GDPR-compliant today and built according to recognized security principles. Formal SOC 2 or ISO 27001 audit is available upon request for larger customers – our architecture (RLS, audit trail, two-factor, monitoring, automated testing) is already designed to support that process.
Contact us – we are happy to send the data processing agreement and answer security questions.
Security & privacy inquiries: hello@smaqly.dk
Privacy policy & terms: smaqly.dk/legal/privacy · smaqly.dk/legal/terms
Data Processing Agreement (DPA) available upon request.
This is an overview, not a legal contract. Specific requirements are addressed in the data processing agreement.