Trust & security at Restock
Restock is the multi-tenant platform for beverage distribution. This page shows where we stand on compliance, reliability, and security — and how to reach us. We believe in being candid about what's live today and what's still on the roadmap.
Compliance status
Controls tracked continuously in Drata. Target completion Q4 2026.
Restock is not designed for protected health information.
Service reliability
90-day uptime
99.97%. All systems operational. Each bar represents one day; green indicates full availability.
Sub-processors
We engage the following sub-processors to deliver the Service. We perform due diligence on each and bind them to data protection obligations. We provide at least 30 days' notice before adding or replacing a sub-processor.
| Sub-processor | Purpose | Data location | Reference |
|---|---|---|---|
| Supabase | Managed Postgres database, authentication, hosting | United States | DPA / privacy ↗ |
| Stripe | Payment processing (PCI DSS Level 1) | United States | DPA / privacy ↗ |
| Netlify | Static hosting and content delivery network | United States | DPA / privacy ↗ |
| Resend / Postmark | Transactional email delivery | United States | Resend ↗ / Postmark ↗ |
| Cloudflare | DNS and content delivery network | United States | DPA / privacy ↗ |
Data residency: Customer Data is currently hosted in the United States. Where we transfer personal data from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses and the UK IDTA, as described in our DPA and Privacy Policy.
Security practices
Encryption in transit and at rest, Postgres Row Level Security for tenant isolation, least-privilege access, audit logging, and managed backups. Read the full Security Overview for what's live versus planned, and review our Data Processing Agreement for contractual commitments.
Vulnerability disclosure
We welcome reports from the security community. If you believe you've found a vulnerability in Restock:
- Email security@restock.supply with details and reproduction steps. (PGP key: [placeholder — published prior to launch].)
- Give us reasonable time to investigate and remediate before any public disclosure. We follow a 90-day coordinated disclosure timeline.
- Do not access, modify, or delete data that isn't yours, degrade the Service, or violate the Acceptable Use Policy while testing.
Safe harbor: We will not pursue legal action against researchers who act in good faith, comply with this policy, and avoid privacy violations and service disruption. We do not currently offer a paid bug bounty, but we are grateful for responsible reports and will credit reporters where appropriate.
Security contact
Security questions, disclosures, or documentation requests: security@restock.supply.
Need compliance documents?
Request our SOC 2 report (under NDA), a penetration test summary, or a countersigned DPA. We'll review and respond by email.