0.0 · Enterprise

Run dozens of venues from one console.

Multi-site, multi-org, multi-event commerce with the security, auditability, and integrations enterprise buyers require. SSO, API, webhooks, white-label, audit log — all of it standard.

Get a DemoSee all features →
Sites · 4 active · 8 totalNow
live
Mainstage Fest
Day 2 · 84 terminals · $2.01M today
upcoming
Arc Amphitheatre
Doors in 6h · 28 terminals provisioned
complete
Harbor Stadium
Saturday · 162 terminals · $5.42M settled
setup
Pop-up Circuit · LV
4 trucks · menu pushed · awaiting PINs
1.0 · Multi-site

Multi-site. Multi-org. Multi-event.

Promoters and operators with more than one venue run the whole portfolio from one organization. Real-time live status per site. Consolidated reporting. Role-based access at the site or zone level. One billing relationship for all of it.

Each organization in Zerobeat owns one or more sites. Each site has one or more zones. Each zone has one or more POS stations. Permissions ladder up cleanly: cashier, lead, manager scope to a zone or a site; org admin scopes to the whole portfolio.

A multi-venue promoter sees every site’s live status on one dashboard — revenue running, terminals provisioned, anomalies surfacing, settlements due. Consolidated reports roll across the whole org. Per-site reports stay isolated when an operator needs to hand a sponsor a single-show settlement.

ORG

Organization

Owns sites, sets policy, holds the billing relationship. Org admins create new sites, manage integrations, run SSO.

SITE

Site

One venue or one event — a festival, a stadium, a pop-up. Site managers control menus, staff, zones, hardware.

ZONE

Zone

Bar, kitchen, gate, merch. Each zone routes orders, tracks revenue, scopes permissions and menus.

STATION

Station

A specific POS terminal. Provisioned to a zone, tied to a hardware fingerprint, traceable in the audit log.

2.0 · SSO

Enterprise identity, supported.

SAML 2.0 and OIDC out of the box. Just-in-time provisioning, role mapping, group sync. Plug your IdP in and your operators sign in with the same credentials they use for everything else.

SAML 2.0

Okta · Azure AD · OneLogin · JumpCloud

Standard SAML 2.0 endpoint, metadata exchange in minutes. JIT provisioning creates the Zerobeat user on first sign-in. Group attributes map to Zerobeat roles per your spec.

OIDC

Google Workspace · Auth0 · Ping

OpenID Connect for modern identity providers. PKCE code flow, refresh tokens, role claims. Same JIT provisioning and group-mapping model as SAML.

SCIM

User & group sync

Optional SCIM 2.0 endpoint for inbound user provisioning. Add a user in your IdP, the Zerobeat record shows up the same minute. Disable in IdP, Zerobeat session revokes.

3.0· API & webhooks

An API your engineering team can actually integrate.

REST for every domain object. Outbound webhooks for every domain event. Token auth, idempotency keys, exponential backoff retries.

POST · /v1/ordersCreate order
curl -X POST https://api.zerobeat.io/v1/orders \
  -H "Authorization: Bearer $ZB_TOKEN" \
  -H "Idempotency-Key: ord_4017_8821" \
  -d '{
    "site_id": "site_mainstage_fest",
    "zone_id": "zone_vip_bar",
    "items": [
      { "sku": "modelo_12oz", "qty": 2 },
      { "sku": "skimmers_iced_tea", "qty": 1 }
    ],
    "tender": [
      { "type": "card", "amount_cents": 4050 }
    ]
  }'
POST · /webhooks/yoursorder.completed
{
  "event": "order.completed",
  "timestamp": "2026-05-11T22:14:08Z",
  "site_id": "site_mainstage_fest",
  "zone_id": "zone_vip_bar",
  "order_id": "ord_4017_8821",
  "subtotal_cents": 4050,
  "tender": ["card", "drink_ticket"],
  "staff_pin": "0431"
}
REST

Domain objects

Orders, menus, staff, inventory, payments, refunds, reports. Standard REST verbs.

EVENTS

Webhooks

order.completed, payment.refunded, ticket.redeemed, shift.started, anomaly.detected, and more.

SAFETY

Idempotency & retries

Idempotency keys on writes. Exponential backoff retries on webhook delivery. Signed payloads.

LIMITS

Rate limits & scopes

Per-token rate limits with burst windows. Scoped tokens per integration. Revoke without redeploy.

4.0 · Audit log

Who did what, when, from where, with what payload.

Every platform change captured. Searchable, exportable, tamper-evident. The thing your security team asks for in the first call.

Audit log · last 24hFilter: org_zerobeat
  • 22:14:08lena@op.commenu.update+ Modelo 24oz · $14
  • 22:11:02marcus@op.comcomp.issue$14.00 · service recovery
  • 21:58:33systemanomaly.detected11 voids in 20min
  • 21:24:11aisha@op.comstaff.role_changelead → manager
  • 20:08:46api · token_4t8smenu.snapshotauto · pre-show snapshot
  • 18:14:02lena@op.comsite.startdoors open
5.0 · Branding

Your name on every screen the staff sees.

White-label the operator UIs, theme the portal per org, customize receipts per site. Multi-brand operators run their portfolio from one console without confusing the staff about whose venue they’re working.

White-label

Strip Zerobeat branding from operator UIs and receipts. Your logo, your colors, your name. Sub-organization branding for multi-brand promoters.

Custom themes

Per-org portal colors, logos, typography. Multi-brand operators switch the portal’s look as they switch organizations.

Custom receipts

Printed and emailed receipts customized per site or zone. Promoter logos, sponsor activations, tip suggestions, legal footers.

6.0· Security & compliance

Compliance posture your finance & security teams sign off on.

PCI-DSS

EMV-certified readers tokenize at capture. Card data never lives on the iOS device or in the mesh. Merchant inherits a simplified compliance posture.

SOC 2-aligned

Internal controls aligned to SOC 2 Type II. Annual review with a third-party auditor. Reports available under NDA.

Data residency

US-resident infrastructure by default. EU residency option for organizations with regional requirements.

Encryption

TLS 1.3 in transit. AES-256 at rest. Hardware-backed key storage. Secrets rotate on a schedule, not on a postmortem.

Backups & recovery

Point-in-time recovery up to 30 days. Cross-region replication. Tested restore drills, not aspirational ones.

Vulnerability program

Responsible disclosure with a published policy. Critical fixes ship inside SLA. Annual penetration test by an external firm.

7.0 · FAQ

What enterprise buyers ask first.

Which identity providers do you support?

Anything that speaks SAML 2.0 or OIDC. Tested at customers running Okta, Azure AD, OneLogin, JumpCloud, Google Workspace, and Auth0. SCIM 2.0 inbound provisioning is optional but supported by the same set.

Do you offer SLAs?

Yes. Standard SLA is 99.9% uptime measured against the operator console. The mesh keeps cashier-side operations running through cloud outages by design, so the cashier impact of any given platform incident is typically zero.

How does multi-site billing work?

One organization, one billing relationship. Sites roll up to the org for invoicing. Per-site cost lines available on the invoice for internal allocation. Optional per-event invoicing for one-off venue partners.

Can we run a private API integration?

Yes. Standard REST API with scoped tokens. Webhooks for every domain event. If you need a private endpoint or a custom event surface, talk to us — we'll build it inside the standard contract.

Do you sign DPAs and BAAs?

We sign DPAs as a matter of course. BAAs are case-by-case depending on the data flow — most live-event deployments don't require HIPAA coverage. Talk to us if you're in a regulated vertical.

What about the audit log retention?

Audit log retains for the lifetime of your subscription. Records are immutable and tamper-evident. Export to your SIEM via webhook subscription or CSV at any time.

Can we white-label the operator portal under our brand?

Yes. White-label package replaces logos, copy, colors, and the favicon across the operator UIs. Receipts, emails, and the customer-facing surfaces white-label too. Per-organization themes for multi-brand portfolios.

Do you offer dedicated infrastructure?

For organizations large enough to need it, yes — dedicated database tenancy with isolated compute. Talk to us about the volume that triggers it.