Enterprise-grade protection

Security built into
every layer.

Your hotel's operational data — payroll records, staff documents, inspection logs — is sensitive. KireiOps is designed from the ground up to protect it.

How we protect your data.

Tenant Isolation

Every hotel company is a fully isolated tenant. All queries are scoped to company_id at the data layer — no cross-tenant data leakage is architecturally possible.

Role-Based Access Control

Admin, Manager, Supervisor, Housekeeper — each role sees and can do exactly what their job requires. Laravel Policies enforce every permission server-side.

Full Audit Trails

Every significant action — pay overrides, key checkouts, approvals, admin changes — is logged with user, timestamp, and before/after values. Nothing is silently editable.

Two-Factor Authentication

TOTP-based 2FA available for all web sessions. Enforced for admin users. Mobile API uses token-based authentication with per-device revocation.

Encrypted in Transit

All traffic between your browser, mobile app, and KireiOps servers is encrypted via TLS 1.2+. All file attachments are stored privately, not publicly accessible via URL.

Data Portability & Deletion

Request a full data export (JSON) or deletion of any staff member's personal data at any time. Soft-delete with a 30-day recovery window, then permanent purge.

Technical security details.

Application Security

Laravel 12 with all security defaults enabled
CSRF protection on all state-changing requests
SQL injection prevention via parameterized queries (Eloquent)
XSS protection via Blade auto-escaping
Rate limiting on authentication + API endpoints
Security headers: CSP, X-Frame-Options, HSTS, etc.

Authentication

Bcrypt password hashing (cost factor 12)
Laravel Sanctum for API token authentication
TOTP two-factor authentication (RFC 6238)
Session invalidation on password change
Per-device API token revocation
Suspicious login detection and alerts

Data Protection

Multi-tenant data isolation enforced at query layer
Soft deletes with 30-day recovery window
File attachments stored privately (no public URLs)
Audit log for all admin and supervisor actions
Rate snapshots are immutable after creation
Staff data export and deletion on request

Infrastructure

TLS 1.2+ enforced on all endpoints
Regular automated security patches
Database backups with point-in-time recovery
Isolated production / staging environments
Dependency vulnerability scanning
No third-party analytics scripts on payroll pages

Responsible Disclosure

If you believe you've found a security vulnerability in KireiOps, please email us at security@kireiops.com. We'll respond within 24 hours, work with you to understand the issue, and ship a fix before any public disclosure.

We do not operate a formal bug bounty program at this time, but we're grateful for responsible researchers and will acknowledge your contribution publicly if you'd like.

Enterprise ready

Security questions before you sign up?

Talk to our team — we're happy to go through our security setup in detail for enterprise evaluations.

Start free trial Contact us →