Security & Trust
Built for the data hotels can’t afford to get wrong.
Hotel operations run on sensitive information: guest identities, reservation history, preferences, spending patterns, and the quiet observations staff capture day to day. This page summarizes how Abra protects that data. A full security package, Data Processing Addendum, and vendor questionnaires are available on request.
Compliance posture
- SOC 2 Type I in progress. Type II to follow.
- GDPR- and CCPA-aligned data handling, consent, and deletion workflows.
- US data residency. All guest and operational data is stored and processed in United States data centers.
- 7-year audit log retention across application, database, and infrastructure access events.
Infrastructure
Abra runs on Google Cloud Platform in a purpose-built landing zone with production, staging, and development fully separated. Application and data workloads live in distinct projects; databases and internal services run on private IPs only, with no public internet exposure. Webhook and API traffic terminates at managed load balancers with Google-managed TLS certificates. Production runs multi-zone with regional failover for the operational database.
Encryption
All data is encrypted at rest with AES-256 (Google-managed keys, rotated on a 90-day cadence) and in transit with TLS 1.2 or higher, with TLS 1.3 preferred where supported. Secrets are stored in Google Secret Manager with granular IAM bindings and are never committed to code or placed in plain environment variables.
Multi-tenancy and data isolation
Every record at every layer of the platform is qualified by property. Queries, indexes, access controls, and AI prompts are scoped on property by construction; there is no path that implicitly crosses properties. Application-level row filtering enforces the same boundary on top of the database-level controls.
Access control
Role-based access control limits who can see and act on guest PII. Enterprise single sign-on is supported via WorkOS (SAML/OIDC with Microsoft, Google, Okta, and others). Access tokens are short-lived, sessions time out after 30 minutes of inactivity, and access to production data is reviewed quarterly. Database activity is fully audited.
AI and LLM data handling
Abra uses large language models to turn unstructured guest notes into structured, attributed knowledge. That pipeline is deliberately narrow:
- No model training on customer data. All AI provider agreements prohibit training on data sent from the platform.
- Minimized payloads. Only the contextual fields an agent needs — typically first-name tokens, stay dates, preference categories, and note text — are sent to model providers.
- Never sent: credit card numbers, passport numbers, government identifiers, or full postal addresses.
- Provenance preserved. Every AI-extracted fact carries a confidence score and a link back to its source note; low-confidence extractions are routed to human review rather than written straight to production.
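The sketch below is an added illustration of the controls in this list, not Abra's code: an allowlist builds the outbound payload, a Luhn check scrubs card numbers that staff may have typed into free-text notes, and extractions with low confidence or no source link go to review. The field names, the 0.8 threshold, and the routing labels are assumptions.

```python
import re

# Assumed field names, based on the fields the page lists as typically sent.
ALLOWED_FIELDS = {"first_name", "stay_dates", "preference_categories", "note_text"}
REVIEW_THRESHOLD = 0.8  # assumed value; the page states no threshold
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def scrub_card_numbers(text: str) -> str:
    """Redact Luhn-valid card-like digit runs found in free text."""
    def repl(match):
        digits = re.sub(r"\D", "", match.group())
        return "[REDACTED-PAN]" if luhn_ok(digits) else match.group()
    return CARD_CANDIDATE.sub(repl, text)

def build_payload(record: dict) -> dict:
    """Drop every field not on the allowlist, then scrub the note text."""
    payload = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    if "note_text" in payload:
        payload["note_text"] = scrub_card_numbers(payload["note_text"])
    return payload

def route_extraction(fact: dict) -> str:
    """Send facts with low confidence or no source link to human review."""
    if not fact.get("source_note_id") or fact.get("confidence", 0.0) < REVIEW_THRESHOLD:
        return "human_review"
    return "auto_write"

# Constructed sample record; 4111 1111 1111 1111 is a standard test card number.
SAMPLE = {
    "first_name": "Dana",
    "passport_number": "X0000000",
    "postal_address": "1 Example St, Springfield",
    "stay_dates": ["2026-03-01", "2026-03-04"],
    "preference_categories": ["dietary"],
    "note_text": "Shellfish allergy. Card 4111 1111 1111 1111 on file, booking 1234567890123.",
}
```

The allowlist handles structured fields; the scrub only covers card numbers, so other identifiers written into a note need their own detectors or review.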
Guest data rights
Guests can request access, correction, or deletion of their data through the hotel they stayed with, which is the data controller for that guest’s records. Abra honors deletion requests within 30 days across the operational database, analytical warehouse, context graph, and caches, with a deletion audit trail preserved for compliance.
Subprocessors
Abra engages a small set of vetted third parties to deliver the platform — cloud infrastructure, identity, communications, observability, and AI inference. Each is governed by a Data Processing Addendum or equivalent terms, with US data residency where the service offers it. A current list is available at /subprocessors and detailed in the security package.
Secure development
Every change ships through a formal review pipeline: peer code review, automated checks for hardcoded credentials and PII exposure, parameterized queries by default, and security-focused review for any change touching authentication, authorization, or guest data. AI agents are gated on eval datasets with hard regression tests (allergy recall, for example, must remain at 100% in CI before a release can ship).
Incident response and continuity
Abra operates a documented incident response process with clear severity tiers, on-call rotation, and customer notification timelines defined in the DPA. Automated encrypted backups run daily for the operational database with point-in-time recovery, and the analytical warehouse preserves an append-only history of every source event for reproducibility.
Requesting more
Hotel IT and security teams evaluating Abra can request the full security and privacy overview, our DPA, a completed vendor security questionnaire, or a technical architecture walkthrough. Email hello@abrahospitality.com and we’ll respond within two business days.
Last updated: April 2026. This page summarizes practices in place at the time of publication and is updated as the platform evolves.