Trust · Security · Compliance

How Hostella protects your data.

We handle bookings, guest messages, payment records, and OTA credentials for villa operators across the EU and APAC. Here's everything our compliance teams want to know — published openly.

SOC 2 Type II

In progress

Auditor engaged · target Q3 2026

GDPR

Compliant

DPA available on request

Encryption

AES-256

TLS 1.3 in transit · GCM at rest

Uptime

99.95%

Trailing 90 days

Sub-processors

Who we trust with your data

We publish every third-party service that processes customer data on our behalf. Sub-processor changes are announced 30 days in advance via this page and email to billing contacts.

Vercel Inc.

Global (EU/US POPs)

SOC 2 Type IIISO 27001

Application hosting, edge CDN, serverless compute

Data shared: Application requests, IP addresses, browser metadata

Supabase Inc.

EU (Frankfurt) by default · Tokyo for APAC customers

SOC 2 Type IIHIPAA-readyGDPR DPA

Primary PostgreSQL database, authentication, storage

Data shared: All customer data (org records, reservations, guests, messages)

Anthropic PBC

US (regional routing available)

SOC 2 Type IIZero data retention enabled

AI agent inference (Claude models)

Data shared: Guest messages, property knowledge base (only at inference time)

Google LLC

US (regional routing available)

SOC 2 Type IIISO 27001

Optional: Gemini AI for analytics insights

Data shared: Anonymized portfolio metrics (no PII)

Paddle.com Market Ltd.

EU (UK)

PCI-DSS Level 1SOC 1 + SOC 2

Subscription billing, payment processing

Data shared: Billing email, payment method (PCI-DSS tokenized)

Security controls

What we actually do

Encryption in transit

Always on

TLS 1.3 enforced on all endpoints. HSTS preloaded with 2-year max-age. No mixed-content possible.

Encryption at rest

AES-256-GCM

AES-256-GCM for all customer secrets (BYO API keys, OTA OAuth tokens, webhook secrets). Database disk encryption via Supabase.

Access control

RBAC

Role-based permissions (owner, operator, admin, viewer) enforced at the route layer. Super-admin bypass requires platform-level credentials and is logged.

Audit logging

Tamper-evident

All write actions (reservation changes, settings updates, member access) are logged with actor identity, IP, and timestamp. Logs retained 1 year.

Backups

7d PITR

Point-in-time recovery (PITR) on the primary database with 7-day rolling window. Daily logical snapshots retained 30 days. Tested restore procedure.

Secret management

Vault pattern

Customer API keys (BYO Anthropic, OTA credentials) encrypted with AES-256-GCM using a derived key. The platform never logs raw secret values.

Vulnerability management

Automated

Automated dependency scanning on every commit. CVEs in production dependencies are patched within 7 days of disclosure (critical: 48h).

Incident response

72h disclosure

24/7 paging on database health, error rate, and webhook failures. Customer-impacting incidents disclosed within 72 hours via status.hostellagent.com.

Data residency & GDPR

Your data, your jurisdiction.

Where your data lives

Primary database is hosted in Frankfurt (EU) for European customers, or Tokyo (APAC) for villas in Thailand, Bali, Vietnam, and surrounding markets. Customer data is not cross-replicated outside the chosen region.

GDPR rights

Right to access: request a full data export
Right to erasure: account deletion within 30 days
Right to portability: JSON + CSV export of all bookings, conversations, properties
Right to object: opt out of any non-essential processing

Documents & contact

Resources for your legal team

Data Processing Agreement (DPA)

Standard EU SCCs · GDPR Article 28 compliant · countersigned copy available on request.

Request DPA →Report a vulnerability

Page last reviewed: 2026-05-20 · For changes to sub-processor list, watch this page or email trust@hostellagent.com.