Security & RBAC
Authentication, roles, SSO, audit logs, and how MenuPi protects your menu data.
Updated May 18, 2026
Authentication
MenuPi uses email + password by default with mandatory TOTP-based 2FA for Admins. Enterprise tier unlocks SAML 2.0 and OIDC for SSO providers including Okta, Azure AD, Google Workspace, and JumpCloud.
Roles
| Role | Permissions |
|---|---|
| Owner | Full access, billing, transfer ownership. Cannot be removed by other roles. |
| Admin | Manage screens, integrations, team. No billing or ownership transfer. |
| Editor | Create and publish scenes/playlists. Cannot manage team or integrations. |
| Viewer | Read-only dashboard access. Useful for franchisees who watch but cannot edit. |
Location scoping
Any non-Owner role can be scoped to specific locations or zones. An Editor who is a regional manager, for example, can edit only the screens in their region. Scope is checked on every API call, not just when the dashboard renders.
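The following is an added illustration of how the role table and location scope compose into a single authorization check; it is not MenuPi's own code, and the permission names, the `Member` type and the distinction between "unscoped" (`None`) and "scoped to nothing" (empty set) are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Permissions implied by each role, following the roles table above (assumed permission names).
ROLE_PERMISSIONS = {
    "owner":  {"billing", "transfer_ownership", "manage_team", "manage_integrations",
               "publish", "edit", "view"},
    "admin":  {"manage_team", "manage_integrations", "publish", "edit", "view"},
    "editor": {"publish", "edit", "view"},
    "viewer": {"view"},
}

# Account-wide actions carry no location; everything else targets a screen in one location.
ACCOUNT_ACTIONS = {"billing", "transfer_ownership", "manage_team", "manage_integrations"}


@dataclass(frozen=True)
class Member:
    role: str
    # None = no scope assigned (all locations); an empty set = scoped to no location at all.
    locations: Optional[FrozenSet[str]] = None


def is_allowed(member: Member, action: str, location: Optional[str] = None) -> bool:
    """Decide one API call: role grants the action, and the scope covers the target."""
    if action not in ROLE_PERMISSIONS.get(member.role, set()):
        return False
    if action in ACCOUNT_ACTIONS:
        return True
    if location is None:
        # A screen-level action that names no location cannot be scope-checked: fail closed.
        return False
    if member.role == "owner" or member.locations is None:
        return True  # Owner is never scoped; unscoped members see every location
    return location in member.locations


def can_remove_member(actor: Member, target: Member) -> bool:
    """Owner cannot be removed by other roles, even by an Admin who manages the team."""
    if target.role == "owner" and actor.role != "owner":
        return False
    return is_allowed(actor, "manage_team")
```

Constructed inputs such as a regional Editor scoped to `{"us-west"}` show the scope rule: publishing to `us-west` passes, publishing to `us-east` or calling without a location is refused.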
Audit log
Every privileged action — sign-ins, publishes, integration changes, user invites — is recorded. Available at Settings → Audit. Exportable as CSV. Retained 12 months on Growth, 36 months on Enterprise.
Data protection
- TLS 1.3 in transit, AES-256 at rest.
- SOC 2 Type II report available under NDA — see /legal/soc2.
- Data residency: US-East by default, EU-West (Frankfurt) optional on Enterprise.
- No customer PII is collected by the player — only operational telemetry.
Compliance docs
DPA, SOC 2 summary, and subprocessor list are public at /legal. Full SOC 2 report is gated by NDA.