Security & Compliance Overview
How Tiquo protects your data, platform, and business with enterprise-grade security
Security & Compliance
Security, privacy, and trust are foundational to everything Tiquo builds.
From platform architecture and infrastructure design to payments, identity, and data handling, Tiquo is engineered to protect businesses, teams, and customers at every level. Security is not treated as a feature or an add-on—it is embedded directly into how the platform is designed, built, and operated.
Tiquo combines a unified in-house platform architecture with industry-leading infrastructure providers to deliver a secure, resilient, and enterprise-grade operating system for the service economy.
Our Commitment to Security
Tiquo is designed to meet the highest standards of reliability, data protection, and operational integrity.
We partner with trusted global providers such as AWS and Stripe, align with recognised international security frameworks, and continuously monitor and improve our systems. This approach ensures that every interaction across the Tiquo platform is safe, stable, and secure—whether it takes place through the web app, mobile apps, PDQ terminals, APIs, or customer-facing experiences.
Tiquo aligns its overall security posture with the NIST Cybersecurity Framework and the NIST Privacy Framework, ensuring consistent application of globally recognised security and privacy principles across the platform.
Reducing the Attack Surface
Traditional hospitality and service-industry technology stacks rely on dozens of loosely connected systems, each introducing additional data exposure, authentication complexity, and security risk.
Tiquo reduces this risk by consolidating core operations, payments, customer data, and workflows into a single unified platform. By minimising external integrations and eliminating fragmented data flows, Tiquo significantly reduces the overall attack surface.
| Principle | Benefit |
|---|---|
| Fewer Systems | Consolidated operations reduce complexity |
| Fewer Integrations | Limited third-party dependencies |
| Tighter Control | Stronger platform governance |
| Fewer Vulnerabilities | Reduced exposure points |
This consolidation strategy aligns with CIS Critical Security Controls by limiting unnecessary system exposure and simplifying security management.
Built In-House for Maximum Security
Unlike many platforms that depend heavily on third-party software and fragmented vendors, Tiquo is built entirely in-house.
Owning the full technology stack gives Tiquo complete visibility, control, and accountability across every layer of the platform. This approach drastically reduces reliance on external vendors and limits unnecessary data exposure.
| Principle | Implementation |
|---|---|
| Full Stack Ownership | Complete visibility and control |
| Data Minimisation | Strict principles for all subprocessors |
| Proprietary Models | AI models used where possible to avoid unnecessary data sharing |
| Secure Coding | Follows OWASP ASVS and OWASP Top Ten standards |
Where subprocessors are required, such as AI model providers, Tiquo applies strict data-minimisation principles and audits all integrations carefully.
AI Privacy Protections
Tiquo applies strict privacy controls to all AI-assisted features. No raw personally identifiable information is sent to external AI models.
| Data Type | Treatment |
|---|---|
| Email Addresses | Reduced to domain-level only |
| Physical Addresses | Truncated to city-level granularity |
| Phone Numbers | Never transmitted—only anonymised counts where required |
These controls ensure AI systems operate with sufficient context while preventing unnecessary exposure of sensitive data.
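The three treatments in the table above amount to a projection of a customer record before it leaves the platform. The following is an added example, not Tiquo's own code, showing how such a minimisation step can be written so that it fails closed: an allow-list decides what is emitted, and a pattern check runs over the serialised payload as a last guard. The record layout, the `phone_numbers` and `visit_count` fields and the sample values are assumptions constructed for the example.

```python
import json
import re
from typing import Any, Dict, Optional

# Patterns used only to *detect* PII that slipped through. They are deliberately
# broad: a false positive merely blocks one AI call, a false negative leaks data.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"(?<!\d)(?:\+?\d[\d\s().-]{7,}\d)(?!\d)")


def email_to_domain(email: str) -> Optional[str]:
    """Keep only the part after '@' (domain-level only); None for malformed input."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


def address_to_city(address: Dict[str, Any]) -> Dict[str, Any]:
    """Drop street lines and postcode; keep city-level granularity only."""
    return {"city": address.get("city")}


def minimise_customer(record: Dict[str, Any]) -> Dict[str, Any]:
    """Allow-list projection of a customer record for an external AI model.

    Anything not explicitly handled here is dropped, so a new PII field added
    to the schema later cannot leak by default. (Field names are assumed.)
    """
    out: Dict[str, Any] = {}
    if record.get("email"):
        out["email_domain"] = email_to_domain(record["email"])
    if isinstance(record.get("address"), dict):
        out["address"] = address_to_city(record["address"])
    # Phone numbers are never transmitted: only the anonymised count is emitted.
    out["phone_count"] = len(record.get("phone_numbers") or [])
    if "visit_count" in record:
        out["visit_count"] = record["visit_count"]
    return out


def contains_raw_pii(payload: Dict[str, Any]) -> bool:
    """Final guard run on the serialised payload immediately before the API call."""
    text = json.dumps(payload)
    return bool(EMAIL_RE.search(text) or PHONE_RE.search(text))


# Constructed sample record (not real data).
SAMPLE = {
    "email": "jane.doe@example.com",
    "address": {"line1": "1 High Street", "postcode": "AB1 2CD",
                "city": "Brighton", "country": "GB"},
    "phone_numbers": ["+44 7700 900123", "+44 7700 900456"],
    "visit_count": 12,
    # Free text is dropped by the allow-list; it would otherwise carry a number.
    "notes": "Call Jane on +44 7700 900123",
}

if __name__ == "__main__":
    safe = minimise_customer(SAMPLE)
    if contains_raw_pii(safe):
        raise SystemExit("refusing to send payload: raw PII detected")
    print(json.dumps(safe, indent=2))
```

The allow-list is the important design choice: a deny-list of known PII fields would silently pass the free-text `notes` field, which is exactly where phone numbers tend to reappear. The regex guard is a second, independent control and is not a substitute for the projection.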
Automated Decision Safeguards
AI-assisted outputs within Tiquo are informational only and are designed to support users rather than replace decision-making.
Tiquo does not use AI to make automated decisions with legal or similarly significant effects without meaningful human involvement, in alignment with GDPR Article 22.
Security Framework Alignment
Tiquo's security and compliance approach is grounded in recognised global standards and best practices.
Across infrastructure, identity, data protection, payments, and operations, Tiquo aligns with established frameworks including NIST, CIS, OWASP, and PCI DSS (via Stripe). These frameworks guide everything from architectural decisions and access controls to monitoring, incident response, and ongoing improvement.
This structured, standards-driven approach ensures Tiquo remains resilient, auditable, and trusted by businesses operating at scale.
Infrastructure & Platform Security
Tiquo's infrastructure and platform architecture are designed to deliver security, reliability, and resilience by default. Every layer—from cloud infrastructure to data storage and device access—is built to support enterprise-grade availability and strong operational governance.
AWS Cloud Infrastructure
Tiquo is built on Amazon Web Services, a globally trusted cloud platform known for security, scalability, and operational maturity.
AWS provides enterprise-grade physical and network security controls and supports compliance with internationally recognised standards, including ISO 27001, SOC, and CSA STAR. This foundation enables Tiquo to operate on a proven, globally distributed infrastructure that scales reliably as usage grows.
Tiquo's cloud environment follows CIS Benchmarks to ensure AWS services are configured according to hardened, industry-approved security baselines.
Built for Consistency, Durability & Fault Tolerance
Tiquo's data layer is designed for continuous reliability and strong consistency.
The platform uses a write-ahead log (WAL) and ACID-compliant transactions to maintain data integrity at all times. Databases are replicated across multiple AWS availability zones using Amazon RDS (MySQL), protecting against individual node or zone failures.
| Feature | Specification |
|---|---|
| Backup Durability | 99.999999999% (11 nines) |
| Replication | Multi-AZ deployment |
| Transactions | ACID-compliant |
| Data Integrity | Write-ahead logging |
Regular incremental backups are performed and stored with 11 nines durability, ensuring data remains safe, recoverable, and resilient even in the event of infrastructure disruption.
Uptime & Reliability
Tiquo is engineered for high availability and enterprise reliability.
The platform is designed to maintain a Monthly Uptime Percentage (MUP) of 99.99% across all core systems. Services and databases are redundantly distributed across multiple availability zones, ensuring continuity if one of those zones experiences disruption.
Tiquo maintains formal business continuity and disaster recovery practices aligned with ISO 31000 principles for operational risk management.
Security Controls & Operational Governance
Tiquo's operational security framework aligns with the CIS Critical Security Controls, providing strong baseline protections across infrastructure and platform governance.
| Control Area | Implementation |
|---|---|
| Vulnerability Management | Continuous scanning and remediation |
| Configuration | Secure defaults and enforcement |
| Privileges | Tightly controlled administrative access |
| Logging | Centralised monitoring and anomaly detection |
Device Management & Endpoint Protection
Tiquo enforces strict device management and endpoint security policies across all connected systems.
This includes:
- Mobile Device Management (MDM)
- Encryption standards
- Remote wipe capabilities
Interface and device standards follow W3C Web Standards, ensuring consistent, interoperable behaviour across browsers, operating systems, and environments.
Identity & Access Management
Tiquo's identity and access management framework is designed to protect every user, session, and device while remaining simple, accessible, and auditable.
The platform separates staff and customer identity flows, enforces strong authentication controls, and provides detailed visibility into access and activity across all products, devices, and environments.
Accessibility & Inclusive Design
Accessibility is built into every identity and security interaction within Tiquo.
| Standard | Implementation |
|---|---|
| WCAG 2.2 | Perceivable, operable, and consistent interfaces |
| WAI-ARIA | Compatibility with assistive technologies |
| EN 301 549 | Global accessibility compliance |
Authentication, security notifications, and account controls remain accessible to all users, regardless of ability or context.
Authentication & Identity Security
Tiquo protects every login, session, and device through two fully isolated identity frameworks—one for staff and one for customers.
Staff identity framework:

| Feature | Description |
|---|---|
| SSO & MFA | OAuth, SAML, and OIDC support |
| Device Tracking | View and revoke active sessions |
| Access Controls | Role-based permissions and audit logs |
| Security Hardening | CSRF/XSS protections, bot mitigation |
| Password Policy | Aligned with NIST 800-63B guidance |

Customer identity framework:

| Feature | Description |
|---|---|
| Passwordless | One-time passcodes for frictionless access |
| Identity Providers | OIDC and OAuth support where required |
| Security | CSRF and XSS protections enforced |
Identity Protection & Account Hardening
Tiquo actively protects accounts against common identity-based attacks.
- Credential-stuffing protection through behavioural analysis
- New device verification always requires two-factor authentication
- Automatic MFA enforcement via one-time passcode if not configured
- Mandatory re-authentication for sensitive actions, such as modifying security settings or adding new contact details
Payments Security
Tiquo's payments infrastructure is designed to deliver secure, reliable, and globally compliant transactions across online and in-person environments.
Payments security is enforced across every layer of the stack—from fraud prevention and auditability to card terminals and third-party processing—ensuring that sensitive payment data is always protected.
Payments Security Overview
Tiquo aligns its payment infrastructure with PCI DSS Level 1 requirements through its direct integration with Stripe, ensuring cardholder data is handled according to the highest industry security standards.
All payment flows are designed to be auditable, resilient, and secure by default—without requiring customers or businesses to manage complex compliance obligations themselves.
Payments Regulatory Scope
Tiquo is a software platform and does not act as the payment processor or Merchant of Record.
Card payments are processed by regulated payment service providers, including Stripe, and Tiquo does not store cardholder data.
Online Payments
All online payments processed through Tiquo support 3D Secure (3DS) authentication, providing an additional verification layer for high-risk or suspicious transactions.
| Protection | Description |
|---|---|
| 3D Secure | Additional verification for transactions |
| ML Fraud Detection | Real-time behavioural analysis |
| Device Fingerprinting | Unique device identification |
| Velocity Checks | Rate-based anomaly detection |
| IP Reputation | Known threat source blocking |
| Audit Logs | Complete transaction traceability |
Secure Development & Engineering Standards
Security is embedded directly into Tiquo's engineering workflow through a modern DevSecOps approach spanning the full development lifecycle.
| Practice | Implementation |
|---|---|
| Security Scanning | Automated vulnerability detection |
| Dependency Monitoring | Continuous package auditing |
| Infrastructure-as-Code | Immutable, consistent deployments |
| API Documentation | OpenAPI standard compliance |
Card Terminals (PDQ Security)
Tiquo's card terminals (PDQs) operate on hardware that is certified to EMVCo Level 1 & Level 2, meeting global standards for secure chip-and-PIN and contactless payments.
| Feature | Description |
|---|---|
| Cryptographic Security | Secure key management |
| Tamper-Resistant Hardware | Physical protection |
| Compliance Updates | Continuous certification maintenance |
| Bot Detection | Invisible CAPTCHA and risk scoring |
| Audit Logs | Complete transaction traceability |
Payments Processed by Stripe
Under the hood, Tiquo integrates directly with Stripe, a global leader in secure online payment infrastructure.
All payment information is encrypted, tokenised, and processed securely within Stripe's systems. Tiquo never stores cardholder data directly, significantly reducing risk and compliance overhead.
Threat Detection & Monitoring
Tiquo employs a multi-layered threat detection and monitoring strategy to protect the platform against abuse, disruption, and emerging security risks.
Protection is applied across network, application, and account layers, combining real-time analysis, automated mitigation, and continuous testing to ensure the platform remains resilient and responsive.
Threat Detection Overview
Tiquo continuously monitors platform activity to identify anomalous behaviour, malicious traffic, and potential vulnerabilities before they can impact customers or operations.
This approach combines:
- Automated detection
- Behavioural analysis
- Structured response controls
Network & Application-Layer Protection
Tiquo protects against distributed denial-of-service attacks across Layer 3, Layer 4, and Layer 7, ensuring availability even under high-volume or targeted attack scenarios.
| Protection | Description |
|---|---|
| DDoS Mitigation | Multi-layer attack prevention |
| Behavioural Analysis | Hundreds of contextual signals |
| Traffic Fingerprinting | Request pattern identification |
| Bot Filtering | Automated threat blocking |
| Legitimate Bot Allowance | Preserves performance and accessibility |
Account & Abuse Protection
Staff accounts are protected against brute-force attacks through:
- Adaptive rate limiting
- Smart lockouts
- Enforced cooldown periods
- Invisible CAPTCHA-style controls
- Dynamic risk scoring
Behaviour-based bot detection systems operate invisibly in the background, blocking abusive traffic without interrupting legitimate users or introducing unnecessary friction.
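To make the adaptive rate limiting, lockout and cooldown controls listed above concrete, here is an added example, not Tiquo's own code, of a login guard that counts failures per account and per source address in a sliding window and applies an escalating cooldown once a threshold is crossed. The thresholds, window and cooldown lengths are assumptions chosen for illustration; the `now` parameter exists so the behaviour can be exercised with a fake clock.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Tuple

WINDOW_SECONDS = 300      # sliding window for counting failures (assumed)
ACCOUNT_THRESHOLD = 5     # failures per account before a cooldown (assumed)
IP_THRESHOLD = 20         # failures per source IP before a cooldown (assumed;
                          # higher because many users share NAT addresses)
BASE_COOLDOWN = 30.0      # first cooldown in seconds, doubles per strike (assumed)
MAX_COOLDOWN = 3600.0     # cap on the escalating cooldown (assumed)


class LoginGuard:
    """Per-account and per-IP failure tracking with escalating cooldowns."""

    def __init__(self, now: Callable[[], float] = time.monotonic) -> None:
        self._now = now
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._cooldown_until: Dict[str, float] = {}
        self._strikes: Dict[str, int] = defaultdict(int)

    def _prune(self, key: str, now: float) -> Deque[float]:
        # Drop failures that fell out of the sliding window.
        q = self._failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def check(self, account: str, ip: str) -> Tuple[bool, float]:
        """Return (allowed, retry_after_seconds) before a password is even checked."""
        now = self._now()
        wait = 0.0
        for key in (f"acct:{account}", f"ip:{ip}"):
            until = self._cooldown_until.get(key, 0.0)
            if until > now:
                wait = max(wait, until - now)
        return (wait == 0.0, wait)

    def record_failure(self, account: str, ip: str) -> None:
        """Count a failed attempt; start or escalate a cooldown at the threshold."""
        now = self._now()
        for key, threshold in ((f"acct:{account}", ACCOUNT_THRESHOLD),
                               (f"ip:{ip}", IP_THRESHOLD)):
            q = self._prune(key, now)
            q.append(now)
            if len(q) >= threshold:
                self._strikes[key] += 1            # each lockout doubles the wait
                cooldown = min(BASE_COOLDOWN * 2 ** (self._strikes[key] - 1),
                               MAX_COOLDOWN)
                self._cooldown_until[key] = now + cooldown
                q.clear()

    def record_success(self, account: str) -> None:
        """A genuine login resets the account's counters; IP state is kept
        because the same address may still be driving attempts elsewhere."""
        key = f"acct:{account}"
        self._failures.pop(key, None)
        self._cooldown_until.pop(key, None)
        self._strikes.pop(key, None)


if __name__ == "__main__":
    guard = LoginGuard()
    for _ in range(ACCOUNT_THRESHOLD):
        guard.record_failure("alice", "203.0.113.5")   # constructed sample values
    allowed, wait = guard.check("alice", "203.0.113.5")
    print(f"allowed={allowed} retry_after={wait:.0f}s")
```

Keeping the account and IP counters separate is what lets the guard lock a single targeted account quickly without penalising every other user behind the same office or carrier address; the escalating cooldown gives slow, spread-out attempts progressively less value without a hard permanent lockout that an attacker could use to deny service to legitimate staff.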
Proactive Testing & Continuous Monitoring
Tiquo applies a proactive security lifecycle to identify and mitigate vulnerabilities before they become risks.
| Practice | Description |
|---|---|
| Penetration Testing | Automated and manual testing |
| Vulnerability Scanning | Continuous security assessment |
| Dependency Monitoring | Third-party package auditing |
| Code Reviews | Structured security analysis |
| Threat Modelling | Ongoing risk assessment |
Every release undergoes verification to ensure changes meet security expectations before reaching production.
Data Protection & Compliance
Tiquo is designed to protect personal and operational data across every layer of the platform—from storage and encryption to privacy rights and regulatory compliance.
Data protection is embedded directly into platform architecture, operational processes, and product design, ensuring lawful processing, strong safeguards, and consistent global privacy standards.
Data Protection Overview
Tiquo applies a defence-in-depth approach to data protection, combining encryption, redundancy, access controls, and governance frameworks to safeguard customer and business data at all times.
Controls are designed to ensure:
- Confidentiality
- Integrity
- Availability
- Recoverability
Data Encryption & Storage
All data processed by Tiquo is encrypted both at rest and in transit.
| Layer | Standard |
|---|---|
| Data at Rest | AES-256 encryption |
| Data in Transit | TLS 1.2+ |
| Platform Traffic | HTTPS enforced |
| Browser Security | HSTS enabled |
| Backup Durability | 99.999999999% (11 nines) |
Databases are replicated across multiple availability zones to ensure resilience against physical or regional failures.
Privacy & Data Protection
Tiquo is built to meet leading global privacy and data protection requirements.
| Regulation | Status |
|---|---|
| GDPR | Compliant |
| UK Data Protection Act (DPA) | Compliant |
| ICO Registration | Registered (United Kingdom) |
| CCPA | Compliant |
Privacy principles are applied consistently across all products and regions, ensuring lawful processing, purpose limitation, data minimisation, and transparency by default.
International Data Transfers
Tiquo supports secure and lawful international data transfers across regions.
| Framework | Alignment |
|---|---|
| U.S. Data Privacy Framework | EU-U.S., UK Extension, Swiss |
| CBPR | Cross-Border Privacy Rules |
| PRP | Privacy Recognition for Processors |
Global Privacy, Ethics & Data Rights
Tiquo maintains a global approach to privacy, ethics, and user data rights.
| Standard | Implementation |
|---|---|
| POPIA | Transparent processing and clear rights |
| ePrivacy Directive | Explicit, configurable consent |
| Data Minimisation | Strong practices throughout platform |
Certifications & Assurance
Tiquo aligns its controls and operational practices with recognised international security and compliance frameworks.
| Framework | Status |
|---|---|
| NIST Cybersecurity Framework | Aligned |
| NIST 800-53 | Aligned |
| NIST 800-63 | Aligned |
| PCI DSS | Inherited via Stripe |
| SOC 2 Type II | In Progress |
| ITIL | Service management practices aligned |
Tiquo enforces SOC 2-aligned controls across subprocessors to ensure consistent security, availability, and confidentiality.
Fiscal & POS Compliance
Fiscal and POS requirements vary by jurisdiction. Where required, Tiquo supports reporting to tax authorities, either directly or via certified fiscal systems, and provides immutable records, audit logs, and exports.
Fiscal reporting obligations remain with the merchant or operator, depending on local rules.