Tenant isolation
Layout is multi-tenant: many companies (merchants) share one platform. Isolation is enforced at every layer:
- Data — All stored data is scoped by company (and, where it applies, by location). There is no shared cross-tenant data; one merchant cannot see or change another’s catalog, orders, or configuration.
- APIs — Requests are authenticated and then bound to a company. Backend logic and data access apply that scope to every read and write, so a request cannot reach another company’s records even if it supplies another company’s identifiers.
- Square — OAuth tokens and Square API usage are per company. Tokens are stored in a tenant-scoped way and used only for that company’s Square calls.
- Webhooks — Incoming Square webhooks are cryptographically verified and internally routed so that an event from one merchant can never affect another merchant’s data.
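The data and API scoping described above, as an added example (not Layout’s own code): the tenant context is resolved from the verified session, and every statement the repository issues carries that company id in its WHERE clause, so an order id belonging to another tenant matches no rows on read or on write. The table layout, ids and sample rows are constructed for the demonstration.

```python
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class TenantContext:
    """Resolved from the verified session, never from request parameters."""
    user_id: str
    company_id: str


class ScopedOrders:
    """Every statement carries the caller's company_id in its WHERE clause, so a
    record id belonging to another tenant matches no rows (read or write), even
    when ids are globally unique and guessable."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def get(self, ctx: TenantContext, order_id: str):
        row = self.conn.execute(
            "SELECT id, company_id, location_id, total_cents, status "
            "FROM orders WHERE id = ? AND company_id = ?",
            (order_id, ctx.company_id),
        ).fetchone()
        return dict(row) if row else None

    def list_for_location(self, ctx: TenantContext, location_id: str):
        # Location scoping sits inside the company scope, not instead of it.
        rows = self.conn.execute(
            "SELECT id FROM orders WHERE company_id = ? AND location_id = ? ORDER BY id",
            (ctx.company_id, location_id),
        ).fetchall()
        return [r["id"] for r in rows]

    def cancel(self, ctx: TenantContext, order_id: str) -> bool:
        cur = self.conn.execute(
            "UPDATE orders SET status = 'CANCELED' "
            "WHERE id = ? AND company_id = ? AND status = 'OPEN'",
            (order_id, ctx.company_id),
        )
        return cur.rowcount == 1


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: two companies, three orders."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(
        """
        CREATE TABLE orders (
            id TEXT PRIMARY KEY, company_id TEXT NOT NULL, location_id TEXT NOT NULL,
            total_cents INTEGER NOT NULL, status TEXT NOT NULL);
        INSERT INTO orders VALUES ('ord-1', 'co-a', 'loc-a1', 1250, 'OPEN');
        INSERT INTO orders VALUES ('ord-2', 'co-a', 'loc-a2',  800, 'OPEN');
        INSERT INTO orders VALUES ('ord-3', 'co-b', 'loc-b1', 4000, 'OPEN');
        """
    )
    return conn


def demo() -> dict:
    orders = ScopedOrders(build_demo_db())
    alice = TenantContext("u-alice", "co-a")   # member of company A
    bob = TenantContext("u-bob", "co-b")       # member of company B
    return {
        "own_read": orders.get(alice, "ord-1")["total_cents"],
        "cross_read": orders.get(alice, "ord-3"),        # B's order: invisible to A
        "own_location": orders.list_for_location(alice, "loc-a1"),
        "cross_cancel": orders.cancel(bob, "ord-1"),     # B cannot touch A's order
        "own_cancel": orders.cancel(alice, "ord-1"),
        "status_after": orders.get(alice, "ord-1")["status"],
        "b_untouched": orders.get(bob, "ord-3")["status"],
    }


if __name__ == "__main__":
    print(demo())
```

The point to check in a real code base is that no query path accepts a company id from the request body or URL: the scope predicate is only as strong as the source of `ctx.company_id`.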
Authentication and access control
- Customer app — Users sign in via phone-based authentication. The backend verifies the session before performing any action (ordering, checkout, accessing loyalty or gift card data). Only the authenticated user can place orders or access their account.
- Dashboard and panel — Access is controlled by identity and role. Staff and owners are associated with a company. Role-based permissions are enforced so that only authorized users can change branding, Square connection, or view orders and analytics.
- Square connection — Only authorized dashboard users can connect or disconnect Square. Stored tokens are not exposed in the UI or to the customer app.
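The dashboard access rules above, as an added example (not Layout’s own code): a principal carries the company and role resolved from the verified session, every action first checks company membership and then the role’s permission, and the Square connection state exposes only a connected/not-connected summary to views. Role names, permission names and the tokens are assumptions made for the demonstration.

```python
from dataclasses import dataclass

# Role -> permissions for the merchant dashboard and panel. Role and permission
# names here are assumed for the example, not taken from the page.
PERMISSIONS = {
    "owner": frozenset({"branding.update", "square.connect", "square.disconnect",
                        "square.view", "orders.view", "analytics.view"}),
    "staff": frozenset({"square.view", "orders.view", "analytics.view"}),
}


@dataclass(frozen=True)
class Principal:
    """Identity resolved from the verified dashboard session."""
    user_id: str
    company_id: str
    role: str


class Forbidden(Exception):
    pass


def require(principal: Principal, permission: str, company_id: str) -> None:
    """Run before every dashboard action. Membership is checked first, so a user
    from another company is refused whatever their role; then the role must
    grant the permission. Unknown roles grant nothing."""
    if principal.company_id != company_id:
        raise Forbidden(f"{principal.user_id} is not a member of {company_id}")
    if permission not in PERMISSIONS.get(principal.role, frozenset()):
        raise Forbidden(f"role {principal.role!r} lacks {permission}")


class SquareConnections:
    """Per-company Square connection state. Tokens are held here for backend
    use only; the dashboard view never includes them."""

    def __init__(self):
        self._by_company = {}

    def connect(self, p: Principal, company_id: str, access_token: str, merchant_id: str):
        require(p, "square.connect", company_id)
        self._by_company[company_id] = {"access_token": access_token,
                                        "merchant_id": merchant_id}

    def disconnect(self, p: Principal, company_id: str):
        require(p, "square.disconnect", company_id)
        self._by_company.pop(company_id, None)

    def view(self, p: Principal, company_id: str) -> dict:
        require(p, "square.view", company_id)
        rec = self._by_company.get(company_id)
        if rec is None:
            return {"connected": False}
        # Status only: the token is deliberately not copied into the response.
        return {"connected": True, "merchant_id": rec["merchant_id"]}


def _attempt(fn, *args) -> str:
    try:
        fn(*args)
        return "ok"
    except Forbidden:
        return "forbidden"


def demo() -> dict:
    conns = SquareConnections()
    owner_a = Principal("u-1", "co-a", "owner")
    staff_a = Principal("u-2", "co-a", "staff")
    owner_b = Principal("u-3", "co-b", "owner")
    return {
        "staff_connect": _attempt(conns.connect, staff_a, "co-a", "tok-a", "MERCHANT_A"),
        "owner_connect": _attempt(conns.connect, owner_a, "co-a", "tok-a", "MERCHANT_A"),
        "other_company_disconnect": _attempt(conns.disconnect, owner_b, "co-a"),
        "staff_view": conns.view(staff_a, "co-a"),
        "token_in_view": "access_token" in conns.view(owner_a, "co-a"),
        "unknown_role": _attempt(conns.view, Principal("u-9", "co-a", "auditor"), "co-a"),
    }


if __name__ == "__main__":
    print(demo())
```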
Payment and card data
- No card storage — Layout does not store card numbers or any other cardholder data. The customer app uses Square’s in-app payment flow to obtain a one-time payment token (nonce); the app sends that nonce to the Layout backend, which forwards it to Square to create the payment. The nonce cannot be turned back into card details, and card data never touches Layout’s systems.
- Square — All payment processing and settlement happen in Square. Cardholder data therefore sits in Square’s PCI DSS scope, not Layout’s.
Secrets and sensitive credentials
- Secrets (OAuth credentials, webhook signing keys, and similar) are not hardcoded or committed to source. They’re managed via a secure configuration mechanism and injected at runtime.
- Per-tenant Square OAuth tokens are stored securely and used only by backend services for that tenant. They are automatically refreshed before expiry — merchants never need to manually reconnect.
- Sensitive push notification credentials are stored in a restricted area of the data store, accessible only to privileged backend services.
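The nonce forwarding in the payment section and the per-tenant token refresh above, as one added example (not Layout’s own code). The backend resolves amount and location from its own order record, refuses an order that belongs to another tenant, authorises the call with that tenant’s token (refreshing it first when it is close to expiry), and derives the idempotency key from the order and nonce so a network retry of the same attempt cannot double-charge while a fresh attempt gets a new key. The request body follows Square’s CreatePayment endpoint (`POST /v2/payments`); the refresh margin, the fake HTTP client, the token values and the nonce are constructed for the demonstration.

```python
import uuid

REFRESH_MARGIN_SECONDS = 24 * 60 * 60   # assumed: refresh anything expiring within a day


class TenantTokenStore:
    """Per-company Square OAuth tokens, readable only by backend services.
    get_access_token() refreshes a token that is within REFRESH_MARGIN_SECONDS of
    expiry before handing it out, so callers never hold an expired token."""

    def __init__(self, refresh_fn, now_fn):
        self._records = {}
        self._refresh_fn = refresh_fn   # refresh_token -> (access, refresh, expires_at)
        self._now = now_fn
        self.refreshes = 0

    def put(self, company_id, access_token, refresh_token, expires_at):
        self._records[company_id] = {"access_token": access_token,
                                     "refresh_token": refresh_token,
                                     "expires_at": expires_at}

    def get_access_token(self, company_id):
        rec = self._records[company_id]            # KeyError: tenant never connected
        if rec["expires_at"] - self._now() <= REFRESH_MARGIN_SECONDS:
            access, refresh, expires_at = self._refresh_fn(rec["refresh_token"])
            rec.update(access_token=access, refresh_token=refresh, expires_at=expires_at)
            self.refreshes += 1
        return rec["access_token"]


def create_payment(ctx_company_id, order, nonce, tokens, square_post):
    """Forward a one-time payment token to Square's CreatePayment endpoint.
    Amount and location come from the server-side order (never the client), the
    order must belong to the calling tenant, the call uses that tenant's own
    token, and the idempotency key is derived from (order, nonce)."""
    if order["company_id"] != ctx_company_id:
        raise PermissionError("order belongs to another tenant")
    body = {
        "source_id": nonce,                        # the nonce is the only payment input
        "idempotency_key": str(uuid.uuid5(uuid.NAMESPACE_URL, f"{order['id']}:{nonce}")),
        "amount_money": {"amount": order["total_cents"], "currency": order["currency"]},
        "location_id": order["location_id"],
        "reference_id": order["id"],
    }
    headers = {"Authorization": "Bearer " + tokens.get_access_token(ctx_company_id)}
    return square_post("/v2/payments", headers, body)


class FakeSquare:
    """Stands in for the HTTP client; records what would have been sent."""

    def __init__(self):
        self.calls = []

    def post(self, path, headers, body):
        self.calls.append((path, headers, body))
        return {"payment": {"id": f"pay-{len(self.calls)}", "status": "COMPLETED"}}


def demo() -> dict:
    clock = [1_700_000_000]
    tokens = TenantTokenStore(
        refresh_fn=lambda rt: ("tok-a-new", "rt-a-new", clock[0] + 30 * 24 * 3600),
        now_fn=lambda: clock[0],
    )
    tokens.put("co-a", "tok-a-old", "rt-a-old", clock[0] + 3600)          # expires in 1h
    tokens.put("co-b", "tok-b", "rt-b", clock[0] + 10 * 24 * 3600)        # 10 days left
    order = {"id": "ord-1", "company_id": "co-a", "location_id": "LOC-A1",
             "total_cents": 1250, "currency": "USD"}
    square = FakeSquare()
    nonce = "cnon:constructed-one-time-token"   # constructed; issued by Square's in-app flow
    create_payment("co-a", order, nonce, tokens, square.post)
    create_payment("co-a", order, nonce, tokens, square.post)   # same attempt, retried
    try:
        create_payment("co-b", order, nonce, tokens, square.post)
        cross_tenant = "allowed"
    except PermissionError:
        cross_tenant = "refused"
    sent_headers, sent_body = square.calls[0][1], square.calls[0][2]
    return {
        "refreshes": tokens.refreshes,
        "bearer": sent_headers["Authorization"],
        "body_keys": sorted(sent_body),
        "same_key_on_retry": square.calls[0][2]["idempotency_key"]
                             == square.calls[1][2]["idempotency_key"],
        "cross_tenant": cross_tenant,
        "token_b": tokens.get_access_token("co-b"),
    }


if __name__ == "__main__":
    print(demo())
```

Square rejects a reused idempotency key whose request body differs, which is why the key is tied to the nonce rather than to the order alone: a customer whose first card was declined gets a new nonce and therefore a new key.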
Webhooks and data integrity
- All incoming webhooks from Square are cryptographically verified before the payload is parsed or any handler runs. Requests with a missing or invalid signature are rejected immediately.
- Each webhook is processed only for the merchant it belongs to. Cross-tenant processing is not possible by design.
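The verification and routing described in this section and under Tenant isolation above, as one added example (not Layout’s own code). The signature check follows Square’s published webhook scheme: the `x-square-hmacsha256-signature` header carries base64(HMAC-SHA256(signature key, notification URL + raw body)), and the body must be the raw bytes received rather than re-serialised JSON. Routing keys off the event’s `merchant_id` through a merchant-to-company table, so a handler only ever receives a company id produced by that lookup. The signature key, notification URL, merchant table and event bodies are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json


def square_signature(signature_key: str, notification_url: str, raw_body: bytes) -> str:
    """base64(HMAC-SHA256(key, notification_url + body)) over the raw body bytes."""
    mac = hmac.new(signature_key.encode("utf-8"),
                   notification_url.encode("utf-8") + raw_body, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify(signature_key: str, notification_url: str, raw_body: bytes, presented) -> bool:
    expected = square_signature(signature_key, notification_url, raw_body)
    # Constant-time compare; a missing header compares against the empty string.
    return hmac.compare_digest(expected, presented or "")


class WebhookRouter:
    def __init__(self, signature_key, notification_url, merchant_to_company):
        self._key = signature_key
        self._url = notification_url
        self._merchant_to_company = dict(merchant_to_company)
        self._seen_event_ids = set()
        self.ledger = []   # (company_id, event_type, event_id) actually applied

    def handle(self, headers: dict, raw_body: bytes):
        lower = {k.lower(): v for k, v in headers.items()}
        if not verify(self._key, self._url, raw_body,
                      lower.get("x-square-hmacsha256-signature")):
            return 401, "invalid signature"        # rejected before the body is parsed
        event = json.loads(raw_body)
        company_id = self._merchant_to_company.get(event.get("merchant_id"))
        if company_id is None:
            return 404, "unknown merchant"         # not one of ours: no handler runs
        event_id = event.get("event_id")
        if event_id in self._seen_event_ids:
            return 200, "duplicate ignored"        # Square retries; apply each event once
        self._seen_event_ids.add(event_id)
        # Handlers get company_id from this lookup, not from any other payload
        # field, so whatever they write is scoped to the right tenant.
        self.ledger.append((company_id, event.get("type"), event_id))
        return 200, "ok"


# Constructed values for the demonstration; real keys come from Square's developer dashboard.
SIGNATURE_KEY = "constructed-signature-key"
NOTIFICATION_URL = "https://api.example.test/square/webhook"
MERCHANTS = {"MERCHANT_A": "co-a", "MERCHANT_B": "co-b"}


def constructed_event(merchant_id: str, event_id: str) -> bytes:
    return json.dumps({"merchant_id": merchant_id, "type": "payment.updated",
                       "event_id": event_id,
                       "data": {"type": "payment", "id": "pay-1"}}).encode("utf-8")


def demo() -> dict:
    router = WebhookRouter(SIGNATURE_KEY, NOTIFICATION_URL, MERCHANTS)
    body = constructed_event("MERCHANT_A", "evt-1")
    good = {"X-Square-HmacSha256-Signature":
            square_signature(SIGNATURE_KEY, NOTIFICATION_URL, body)}
    # Attempt to reroute A's event to B while keeping A's signature.
    tampered = body.replace(b"MERCHANT_A", b"MERCHANT_B")
    foreign = constructed_event("MERCHANT_Z", "evt-2")
    foreign_hdr = {"x-square-hmacsha256-signature":
                   square_signature(SIGNATURE_KEY, NOTIFICATION_URL, foreign)}
    return {
        "valid": router.handle(good, body)[0],
        "replay": router.handle(good, body)[1],
        "tampered": router.handle(good, tampered)[0],
        "no_header": router.handle({}, body)[0],
        "unknown_merchant": router.handle(foreign_hdr, foreign)[0],
        "ledger": list(router.ledger),
    }


if __name__ == "__main__":
    print(demo())
```

Two details matter in production: the notification URL used in the HMAC must be the exact URL Square was configured with (scheme, host and path, with no proxy rewriting), and the event-id set needs durable storage with a retention window, since Square redelivers events it believes were not acknowledged.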
App identity and Universal Links
Each merchant’s branded iOS app uses per-company Universal Links, so shared links (menu items, short links) open the correct branded app for each merchant. The per-brand credentials behind this are stored securely and never exposed publicly (the apple-app-site-association file that Universal Links require is public by design and carries only app identifiers, not credentials).

Summary
| Area | Principle |
|---|---|
| Tenancy | All data and API access scoped by company and location; no cross-tenant access possible. |
| Identity | Phone auth for customers; role-based access for dashboard and panel; all actions tied to the authenticated user and company. |
| Payments | No card data in Layout; nonces only; Square handles all processing and settlement. |
| Secrets | Not in code or repo; securely managed per-tenant; Square tokens refreshed automatically before expiry. |
| Webhooks | Cryptographic verification required; tenant-scoped processing; invalid or cross-tenant requests rejected. |

