How we protect your data.
Tenant Isolation
Every hotel company is a fully isolated tenant. All queries are scoped to company_id at the data layer — no cross-tenant data leakage is architecturally possible.
Role-Based Access Control
Admin, Manager, Supervisor, Housekeeper — each role sees and can do exactly what their job requires. Laravel Policies enforce every permission server-side.
Full Audit Trails
Every significant action — pay overrides, key checkouts, approvals, admin changes — is logged with user, timestamp, and before/after values. Nothing is silently editable.
Two-Factor Authentication
TOTP-based 2FA available for all web sessions. Enforced for admin users. Mobile API uses token-based authentication with per-device revocation.
Encrypted in Transit
All traffic between your browser, mobile app, and KireiOps servers is encrypted via TLS 1.2+. All file attachments are stored privately, not publicly accessible via URL.
Data Portability & Deletion
Request a full data export (JSON) or deletion of any staff member's personal data at any time. Soft-delete with a 30-day recovery window, then permanent purge.
Technical security details.
Application Security
Authentication
Data Protection
Infrastructure
Responsible Disclosure
If you believe you've found a security vulnerability in KireiOps, please email us at security@kireiops.com. We'll respond within 24 hours, work with you to understand the issue, and ship a fix before any public disclosure.
We do not operate a formal bug bounty program at this time, but we're grateful for responsible researchers and will acknowledge your contribution publicly if you'd like.