Legal

Security Policy

The technical and organisational measures that protect the Digibeds platform and customer data.

Effective date: July 19, 2026

Company: Digibeds Technologies Private Limited (“Digibeds”, “we”, “us”), India

1. Overview

Security is engineered into the Digibeds platform. This page summarises our technical and organisational measures (“TOMs”); it also forms the security annex referenced by the Data Processing Agreement.

2. Encryption and Network Security

  • All traffic is encrypted in transit with TLS; plain-HTTP access to the platform and Open API is rejected outright;
  • Firewalled, segmented environments; production access restricted to authorised personnel over secured channels;
  • Web-layer protections against injection, XSS, path traversal and scanner traffic; strict per-endpoint allow-lists on the API edge.

3. Access Control and Authentication

  • Role-based access control in the product (front office, housekeeping, POS, management roles);
  • Credentials and API refresh tokens are stored only as salted hashes; API tokens have sliding expiry and can be revoked at any time;
  • Least-privilege and need-to-know access for Digibeds staff, with logging of administrative actions.

4. Secure Development

  • OWASP-aligned engineering: parameterised queries, input validation, output encoding, dependency review;
  • Separation of development, testing and production; code review for changes to sensitive areas;
  • Rate limiting and lockouts against brute-force and abuse.

5. Data Protection, Backups and Continuity

  • Tenant isolation for customer data; payment card processing delegated to PCI-DSS-compliant gateways — full card numbers are never stored by Digibeds;
  • Scheduled backups with restoration procedures tested periodically;
  • Capacity monitoring and redundancy appropriate to a cloud SaaS platform; practices aligned with ISO/IEC 27001 principles.

6. Incident Response

  • Monitoring and alerting for anomalies and attacks;
  • A documented incident-response process: triage, containment, eradication, recovery and post-incident review;
  • Customer and regulator notification of notifiable personal-data breaches without undue delay, as required by the GDPR, India’s DPDP Act and other applicable laws.

7. Shared Responsibility

Customers are responsible for: safeguarding their user credentials and API tokens, assigning appropriate staff roles, securing their own devices and networks, and the lawfulness of data they upload. Digibeds is responsible for the security of the platform itself.

8. Reporting a Vulnerability

Security researchers and customers should report suspected vulnerabilities via the Responsible Disclosure Policy. Please do not test against production systems without authorisation.

Contact

Questions about this document: email [email protected] or call 08040265786. This document is part of the Digibeds legal framework — see the Legal Center for all policies.