Isolation by design. Not by policy.
Reservory is a multi-tenant platform. We treat tenant data isolation as a structural guarantee enforced at the database, not just an application-layer convention.
Every tenant is a hard boundary.
Row-level security policies on every tenant-scoped Postgres table mean that even a bug in application code cannot return one tenant's data to another. Policies enforce two independent checks: the row's tenant_id must match the caller's tenant, and the caller must be an active member of that tenant. An automated cross-tenant isolation test runs on every pull request.
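The two-check policy described above, as an added example that is not Reservory's own schema. It assumes Postgres 13 or later, an existing role app_user that the application connects as, and that the application sets app.tenant_id and app.user_id with SET LOCAL at the start of each transaction; table and column names are illustrative.

```sql
-- Assumed for illustration: role app_user exists, and the app sets
-- app.tenant_id / app.user_id per transaction with SET LOCAL.
CREATE TABLE tenant_members (
    tenant_id uuid NOT NULL,
    user_id   uuid NOT NULL,
    active    boolean NOT NULL DEFAULT true,
    PRIMARY KEY (tenant_id, user_id)
);
CREATE TABLE bookings (
    id        uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id uuid NOT NULL,
    guest     text NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON tenant_members, bookings TO app_user;

-- Constructed sample data: tenants A and B; user 1 is active in A only.
INSERT INTO tenant_members VALUES
    ('0000000a-0000-4000-8000-000000000000', '00000001-0000-4000-8000-000000000000', true),
    ('0000000b-0000-4000-8000-000000000000', '00000001-0000-4000-8000-000000000000', false);
INSERT INTO bookings (tenant_id, guest) VALUES
    ('0000000a-0000-4000-8000-000000000000', 'guest in A'),
    ('0000000b-0000-4000-8000-000000000000', 'guest in B');

-- FORCE so the table owner is not exempt; with no matching policy, no rows.
ALTER TABLE bookings ENABLE ROW LEVEL SECURITY;
ALTER TABLE bookings FORCE ROW LEVEL SECURITY;

-- NULLIF covers a setting that is unset or reset to '' (casting '' to uuid
-- raises an error; NULL matches nothing, so access fails closed either way).
CREATE POLICY tenant_isolation ON bookings
    FOR ALL TO app_user
    USING (
        tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid
        AND EXISTS (
            SELECT 1 FROM tenant_members m
            WHERE m.tenant_id = bookings.tenant_id
              AND m.user_id = NULLIF(current_setting('app.user_id', true), '')::uuid
              AND m.active
        )
    );  -- WITH CHECK is omitted, so the same two checks also gate INSERT/UPDATE

-- Isolation check of the kind a CI job would run: user 1 acting for tenant A
-- must see only tenant A's booking, and acting for tenant B (inactive
-- membership) must see nothing, even though the tenant_id setting is valid.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.user_id   = '00000001-0000-4000-8000-000000000000';
SET LOCAL app.tenant_id = '0000000a-0000-4000-8000-000000000000';
SELECT guest FROM bookings;
SET LOCAL app.tenant_id = '0000000b-0000-4000-8000-000000000000';
SELECT count(*) FROM bookings;
ROLLBACK;
```

The role running the script needs to be a superuser or a member of app_user for SET LOCAL ROLE to succeed.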
A full security checklist.
Policy checks: tenant_id and tenant membership
How the hard parts work.
Stripe handles PCI scope
Reservory uses Stripe Connect Standard. Card data is collected by Stripe Elements and never touches our servers. Each operator keeps their own Stripe account — payouts go directly to them.
AES-256-GCM encrypted config
OAuth tokens and API keys for integrations (Mailchimp, Klaviyo, HubSpot, QuickBooks) are stored encrypted at rest. The encryption key never lives in the database — only in environment secrets.
HMAC-signed access tokens
Customer payment and waiver flows use short-lived HMAC tokens with domain separators. A waiver token cannot be substituted for a payment token. Booking UUIDs are never exposed in URLs or referrer headers.
Safe retries everywhere
Every mutating POST is wrapped in HTTP idempotency middleware. Browser retries and network blips don't create duplicate bookings or double charges. Transient failures are not cached — retries re-run cleanly.
Append-only operator ledger
Every operator action — refund, cancellation, bulk re-book, gift card anomaly — is logged with the operator's identity, timestamp, and the action taken. The log is append-only: no UPDATE or DELETE policies exist on it.
SSRF defense at every step
Outbound webhook URLs are validated against an allowlist at registration. The URL is re-resolved immediately before each delivery to defend against DNS rebinding attacks. Internal and private IP ranges are blocked.
Where we stand today.
Stripe handles card scope
Reservory is not a card processor. Stripe, our payment provider, maintains PCI DSS compliance. Our scope is limited to transmitting tokenized payment intents — we never store, process, or transmit raw card data.
Available to Scale customers
A SOC 2 audit is on our compliance roadmap. Security evidence packages — architecture documentation, access control policies, and penetration test results — are available to Scale-tier customers on request.
Right-to-be-forgotten queue
Guest deletion requests are processed within 30 days. The anonymizer scrubs PII from customer records, cancels pending email and SMS queues, and marks the record as anonymized. Operators submit requests from the dashboard.
Bug bounty program
We run a private responsible disclosure program with a published bounty table. Researchers are acknowledged publicly unless they prefer anonymity. Full program details at Security Policy →
Questions about our security posture?
Email our security team directly or review the full responsible disclosure policy, including in-scope targets and bounty tiers.