Security your IT team
will sign off on.
HotelDispatch is built on a defense-in-depth security model. Every layer — authentication, authorization, data storage, transport, and audit — is hardened by design, not patched in after the sale.
How the platform
is built.
Six foundational security controls enforced on every request, on every endpoint, in every environment.
Bcrypt Password Hashing
All user passwords are hashed with bcrypt. Plain-text passwords are never logged, never stored, and never transmitted after login. Password resets generate cryptographically random tokens with short expiration windows.
CSRF Protection
Every state-changing form on the platform is protected by a per-session CSRF token verified server-side. Forged cross-site requests fail closed. Required on every POST endpoint, without exception.
Prepared Statements
Every database query uses parameterized prepared statements via PDO. No raw string concatenation is used in query construction. This approach eliminates the most common class of SQL injection vulnerabilities by design.
Encrypted Credential Storage
Third-party API keys (SMS providers, AI providers, integrations) are encrypted at rest using AES-256 before being written to the database. Decryption requires a server-side key managed independently from the database.
Role-Based Access Control
Five-tier permission model enforced server-side on every request. Authorization is checked at the endpoint, not just the UI. Viewers cannot write. Staff cannot manage. Property admins cannot escalate to superadmin.
Rate-Limited Authentication
Login attempts are rate-limited per IP and per user account. Brute force attempts are blocked automatically with exponential back-off. Failed login patterns are logged with source IP for security review.
Your data,
your control.
HotelDispatch runs in the InnCue enterprise cloud with per-organization data isolation. Your operational data is never commingled with another customer's, never used for training, and never locked inside a format you can't extract.
Per-Organization Data Isolation
Every customer organization receives an isolated database. Your data is never commingled with another customer's. Enterprise agreements can specify hosting region and compliance envelope as part of the commercial engagement.
Data Portability
Your operational data is yours. Export to CSV anytime from the admin UI. Database dumps are available on request for Enterprise customers. No vendor lock-in, no exit penalty, no escape-clause drama.
Data Deletion
Customers can delete their data on demand. Cancellation triggers a full data export followed by purge from primary and backup systems within 30 days, with written confirmation of completion.
Complete Audit Trail
Every state-changing action is logged with user, timestamp, and IP. Audit logs are immutable and exportable. Compliance reviews, insurance claims, and incident investigations have a clear paper trail.
Engineered for the standards
your buyers require.
HotelDispatch is built to align with the security frameworks hotel ownership groups, brand operators, and management companies require from their software vendors. Formal certifications are available for Enterprise deployments on a customer-specific basis.
HotelDispatch supports the security and compliance documentation typically required by enterprise procurement — vendor security questionnaires, data processing addenda, BAAs where applicable, and incident response commitments. Reach out to begin the conversation.
security@hoteldispatch.comIf you've found a security issue in HotelDispatch, please report it directly to security@hoteldispatch.com. We'll acknowledge your report within 24 hours and keep you informed throughout the remediation process. Responsible disclosure is appreciated and credited.
We have the documentation
your procurement team needs.
Enterprise security reviews move at the speed of the vendor's answers. We move fast. Start the conversation and we'll walk your IT, procurement, and legal teams through the answers they need.