The GNV Catering Platform is designed as operational trust infrastructure. Security is not an afterthought — it is foundational to the verification continuity, data integrity, and operational reliability that the platform provides.
Infrastructure Security
The platform is built on AWS infrastructure with the following measures:
Encryption in transit — all traffic encrypted via TLS 1.2+; no unencrypted endpoints
Encryption at rest — all data stores encrypted using AES-256 (AWS KMS-managed keys)
Secrets management — credentials and API keys managed via AWS Secrets Manager; no secrets in source code
Network isolation — services deployed within private VPC subnets with controlled ingress/egress
Least-privilege access — IAM policies scoped to minimum required permissions for each service component
Multi-factor authentication — MFA enforced for all administrative and infrastructure access
Monitoring and alerting — CloudWatch, CloudTrail, and automated alerting for anomalous activity
Authentication and Access Control
Identity management — user authentication via AWS Cognito with secure session handling and token rotation
Role-based access control (RBAC) — users access only features and data appropriate to their assigned role
Tenant isolation — each organisation's data is logically isolated at the data layer; cross-tenant access is prevented by design
Scoped permissions — API-level authorisation ensures requests are validated against tenant, site, and role context
Session security — secure, time-limited tokens with automatic expiry and refresh mechanisms
Audit and Operational Integrity
Audit logging — administrative actions, data modifications, and access events are logged with timestamps and actor identification
Immutable event history — operational events relevant to verification and traceability are preserved to maintain evidence continuity
Traceability continuity — the platform maintains chain-of-custody integrity for verification data across the network
Change tracking — modifications to reference data, recipes, and operational records are versioned and attributable
Data Integrity and Sync
Offline resilience — the platform supports offline operation with deterministic reconciliation on reconnection
Conflict resolution — concurrent modifications are handled through defined precedence rules to prevent data loss
Operational continuity — critical workflows (meal service, allergen display) remain functional during connectivity interruptions
Backup and recovery — automated backups with point-in-time recovery capabilities
AI Governance
Where the platform uses AI-assisted workflows:
Probabilistic outputs — AI-generated results are clearly identified as recommendations, not verified facts
Human oversight — AI outputs require human review and approval before affecting operational data
Confidence indicators — where applicable, AI outputs include confidence levels to support informed decision-making
Boundary enforcement — AI systems operate within defined scope limits and cannot override verified data without human authorisation
For full detail on how AI is and is not used on the platform, see our Platform page.
Incident Response
Detection — automated monitoring for security events, anomalous access patterns, and system integrity issues
Escalation — defined severity levels with corresponding response timeframes and escalation paths
Containment — procedures for isolating affected systems while preserving evidence and operational continuity
Remediation — root cause analysis, patching, and verification before returning to normal operation
Communication — affected parties notified in accordance with severity, contractual obligations, and applicable law
Responsible Disclosure
If you discover a security vulnerability, we ask that you disclose it responsibly:
— Email security@globalnutritionvalue.com with details of the vulnerability
— Include steps to reproduce, potential impact, and any supporting evidence
— Allow reasonable time for investigation and remediation before public disclosure
— Do not access, modify, or exfiltrate other users' data during testing
— Do not disrupt service availability or degrade platform performance
We acknowledge all valid reports and will keep you informed of remediation progress. We do not pursue legal action against researchers acting in good faith under this policy.
Security Contact
For security concerns, vulnerability reports, or security-related enquiries: security@globalnutritionvalue.com
This address is monitored separately from general support and is reserved for security matters.