Security.

Data Encryption

Encryption in Transit

All communications between your browser and Hotel Central are encrypted using TLS 1.3 (Transport Layer Security). This ensures that data cannot be intercepted or read by unauthorized parties during transmission.

Encryption at Rest

Your data stored in our databases is encrypted using AES-256 encryption. This industry-standard encryption ensures that even if physical storage media were compromised, the data would remain unreadable.

Authentication & Access Control

Password Security

User passwords are never stored in plain text. We use the Scrypt hashing algorithm, which is specifically designed to be resistant to hardware attacks and provides strong protection against brute-force attempts.

Session Management

Secure session tokens are used to maintain user sessions. Sessions are stored server-side in our PostgreSQL database and are automatically expired after periods of inactivity to minimize the risk of session hijacking.

Role-Based Access Control (RBAC)

Hotel Central implements a comprehensive role-based access control system:

• Super Admin: Platform-wide administration and oversight
• Hotel Admin: Full access to hotel operations and user management
• Staff: Access to assigned features based on hotel admin configuration

Page-level access controls allow hotel administrators to customize which features each staff member can access, following the principle of least privilege.

Data Isolation & Multi-Tenancy

Hotel Central is built with strict multi-tenant data isolation:

• Each hotel's data is logically separated at the database level
• All API requests are validated to ensure users can only access data from their own hotel
• Cross-hotel data contamination is prevented through comprehensive validation at every layer
• Administrative functions include additional verification to prevent unauthorized access

Infrastructure Security

Cloud Infrastructure

Hotel Central is hosted on enterprise-grade cloud infrastructure that provides:

• Redundant systems and automatic failover
• Regular security patches and updates
• DDoS protection
• Network-level firewalls and intrusion detection
• Geographic redundancy for disaster recovery

Database Security

Our PostgreSQL database (powered by Neon) includes:

• Encrypted connections (SSL required)
• Regular automated backups
• Point-in-time recovery capabilities
• Isolated network environments

Monitoring & Incident Response

Activity Monitoring

We maintain comprehensive logs of system activity to detect and respond to potential security threats. This includes:

• Authentication events (successful and failed login attempts)
• Administrative actions
• Data access patterns
• API request logging

Incident Response

In the event of a security incident, we have established procedures to:

• Rapidly identify and contain the threat
• Assess the scope and impact
• Notify affected users in accordance with applicable laws
• Implement remediation measures
• Conduct post-incident analysis to prevent recurrence

Third-Party Security

We carefully vet all third-party services integrated with Hotel Central:

Push Notification Security

Our push notification system (powered by OneSignal) is designed with security in mind:

• Notifications require explicit user opt-in
• Device tokens are securely stored and managed
• Users can opt out at any time, which immediately removes their device registration
• Notification content is appropriate for display and does not include sensitive details

Your Security Responsibilities

To help keep your account secure, we recommend:

• Use strong, unique passwords for your Hotel Central account
• Do not share your login credentials with others
• Log out when using shared or public computers
• Keep your contact information up to date for security notifications
• Report any suspicious activity to our support team immediately
• Regularly review user access and remove accounts for former employees

Security Contact

If you discover a security vulnerability or have security-related concerns, please contact us immediately:

We take all security reports seriously and will respond promptly to investigate and address any concerns.

Last Updated

This Security page was last updated on June 20, 2025. We continuously improve our security practices and will update this page to reflect significant changes.