Security & Compliance

Enterprise-grade security
for the world's most trusted hospitality brands.

Hotels handle sensitive guest data every hour of every day. FlowStay was built with that responsibility embedded into every architectural decision. Not bolted on afterward.

SOC 2 Type II: In Progress
PCI DSS Scope Isolation
GDPR Compliant
CCPA Compliant

Access Control

Role-based access with full audit trails. Every action in FlowStay HQ is logged, timestamped, and attributable.

  • RBAC: GM, Supervisor, Front Desk roles
  • Full audit log, who did what and when
  • SSO support (SAML 2.0, OAuth 2.0)
  • Immutable audit trail for compliance

Guest Data Rights

Full GDPR and CCPA compliance. Guests can access, correct, or delete their data at any time.

  • GDPR Article 17, right to deletion
  • CCPA compliant for California guests
  • SMS opt-out honored permanently
  • Signal sheet available to guest on request

Data Residency

Data residency controls for properties with regulatory requirements. EU data stays in EU.

  • Regional deployment on Fly.io edge
  • EU-only routing for European properties
  • Data processing agreements included
  • Sub-processors list maintained and disclosed

Penetration Testing

Independent security audits before every major release. Vulnerability disclosure program open to all researchers.

  • Annual third-party penetration tests
  • OWASP Top 10 coverage
  • Bug bounty program, responsible disclosure
  • Incident response, 1hr notification SLA

Compliance

Built for enterprise.
Trusted by independent hotels.

Whether you are a 28-room boutique or a 500-room resort, FlowStay meets enterprise security requirements from day one. Our compliance posture is not a roadmap item. It is a founding principle.

Fly.io Infrastructure: ISO 27001 certified global edge network
LiveKit: SOC 2 Type II real-time infrastructure
Anthropic: Enterprise data processing agreement
Tenex: Communications infrastructure

Uptime & SLA

We don't sleep.
Your front desk never should either.

FlowStay is available every minute of every day. Our infrastructure is distributed across multiple regions with automatic failover. When one node goes down, another takes over invisibly and instantly, before any call is dropped.

Guaranteed Uptime SLA: 99.99%
Recovery time: <4 min
Incident notice: 1 hr
Global PoPs: 180+

Responsible AI

Act on what guests told us.
Never reveal how we figured it out.

FlowSense builds rich guest profiles from conversational signals. Our principle: use that intelligence to serve guests better, never to expose them to the feeling of being profiled. The magic is invisible. The benefit is real.

Purpose limitation
Guest signals are used exclusively to improve their stay. Never sold, never shared with third parties, never used for advertising.
Data minimization
We extract only signals relevant to hospitality. Financial data, browsing history, and location outside the hotel are outside our scope.
Transparency on request
Guests can request their full signal sheet at any time. Nothing is hidden from the guest about what we know.

Questions?

Security questions
get direct answers.

Talk to our team about your property's specific requirements. We will walk you through our architecture, our sub-processors, and our DPA.

Contact security team