Security at Sitoo

Since the Unified Commerce Platform anchored by POS is central to our customer’s operations, security is at the heart of what we do.


The Sitoo Security team establishes policies and controls to monitor compliance. The team continuously verifies security and compliance through third-party auditors.

Security compliance

Sitoo currently maintains an ISO 27001:2022 compliance certification and a SOC 2 Type II certification. Our ISO 27001 certificate and live compliance status is available on our Trust Report:

Data protection

By default, Sitoo encrypts data at rest and data in transit for all of our customers. Sitoo leverages AWS for data encryption in transit (TLS 1.2+) and at rest (AES-256). Sitoo uses the AWS Key Management Service (KMS) to enable data at rest encryption across our products. We use this for encrypting data within databases (RDS, NoSQL), and data stored within S3 etc.

Product security

Vulnerability scanning

Sitoo requires vulnerability scanning in our Secure Development Lifecycle (SDLC):

  • Software composition analysis (SCA) to identify known vulnerabilities in our software supply chain

  • Static analysis security testing (SAST) of code during pull requests and on an ongoing basis

  • Dynamic analysis security testing (DAST) of running applications.

Penetration testing

Sitoo engages with external independent penetration testing firms at least annually. All areas of the Sitoo products (APIs, Backoffice web app, POS apps (iOS and Android), and cloud infrastructure are in scope for these assessments.


Sitoo utilizes a structured employee onboarding process involving background checks, reference checks, and interviews with relevant Sitoo employees. All Sitoo employees have reviewed and accepted all relevant policies and procedures.

Sitoo provides comprehensive security training to all employees upon onboarding and annually. In addition, all new employees attend a live onboarding session with the Sitoo Security Team centered around security principles guiding the company’s work. All new engineers also attend mandatory training focused on secure coding principles and practices.

Responsible Disclosure

Looking to report a security concern? Please visit our Responsible Disclosure page.