How we protect your hotel and guest data
A plain-English summary of the controls Maghraut PMS applies across the platform. This page is maintained by us; it is not a third-party certification.
Tenant isolation
Every hotel/group is a separate tenant. All property data — reservations, guests, folios, payments, POS orders, events, housekeeping — is scoped by tenant and property identifiers at the database layer.
Database row-level security (RLS) is enabled on every operational table. A signed-in staff member can only read or modify rows belonging to a tenant they are an explicit member of. Cross-tenant access by platform super admins is granted explicitly on each table that allows it, not via a hidden bypass.
Encryption in transit and at rest
All traffic between your devices and the platform uses HTTPS/TLS. The managed Postgres database and object storage are encrypted at rest by the cloud provider.
Secrets such as service-role keys, payment provider keys, and integration tokens are stored on the server side only. They are never bundled into the browser application and never returned to the client.
Access controls
Staff sign in with email and password or Google. Roles inside a tenant (owner, manager, staff) are stored in a dedicated table and checked server-side via row-level security — they cannot be elevated from the browser.
Public surfaces (booking engine, online menu, pre check-in) call narrowly scoped server functions that only expose the fields needed for that flow. Pricing, deposits, and totals are always recomputed on the server.
Auditing and change history
Sensitive operations such as reservation status changes, payment captures and cancellations write audit entries. Audit logs are append-only from the application and readable only by members of the tenant they belong to (and platform super admins).
Backups and availability
The managed Postgres database is backed up daily by the underlying cloud provider with point-in-time recovery available on supported plans. Object storage is replicated for durability.
We rely on a major public cloud for the underlying compute, database, and storage — the same infrastructure used by many regulated SaaS products.
Privacy posture
Maghraut PMS processes guest personal data on behalf of the hotel that subscribes to it. The hotel is the data controller; we are the processor. We do not sell guest data and we do not use it to train external AI models.
Guests submitting pre check-in details share that information only with the specific property they are checking into. Document uploads are stored in private buckets and served via short-lived signed URLs.
Reporting a security issue
If you believe you have found a vulnerability, email sales@maghraut.com. Please include steps to reproduce and avoid accessing data that does not belong to you. We will acknowledge the report and keep you updated on the fix.
This page describes our current controls and may be updated as the platform evolves. It does not constitute a contract or a third-party security certification.