Security & data protection

Your reservations. Locked down.

Aura holds your guests' personal data, your payment tokens, and your commercial relationship with every OTA. Below is exactly how that data is handled, where it lives, and what we do when something goes wrong.

Last updated: 2 May 2026. Questions? security@aurapms.io

Encryption everywhere

All traffic to Aura is served over TLS 1.2+ with HSTS enforced. Internal traffic between application servers and the database runs over private networks with TLS termination at the edge. Backups and database storage are encrypted at rest using AES-256.

User passwords are hashed with bcrypt (cost factor 12). API tokens are hashed with SHA-256 before storage — we never persist them in plaintext. Session cookies use the standard httpOnly, sameSite=lax, and secure flags.

Tenant data isolation

Aura is a multi-tenant SaaS, but every business table carries a tenantId column and every database query is scoped to the requesting tenant by a Prisma client extension that injects the filter at the ORM layer. Cross-tenant data leaks are blocked at the data access layer, not just at the route handler.
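The kind of argument rewriting such an ORM-layer hook performs, as an added example that is not Aura's code and is written as a pure function so it runs without a database. The operation names are Prisma Client's; `scopeArgs`, the rule sets and the sample tenant IDs are hypothetical, and in Prisma the function would be called from a client extension's `query.$allModels.$allOperations` hook before handing the arguments to `query()`.

```javascript
// Added example: tenant scoping applied to query arguments before they
// reach the database. Hypothetical names; assumes a tenantId column on
// every business table, as the page describes.

// Operations that select rows through a `where` clause.
const FILTERED = new Set(['findMany', 'findFirst', 'findUnique', 'count',
  'update', 'updateMany', 'delete', 'deleteMany']);
// Operations that write a single `data` object.
const WRITES_DATA = new Set(['create', 'update', 'updateMany']);

function scopeArgs(tenantId, operation, args = {}) {
  if (typeof tenantId !== 'string' || tenantId.length === 0) {
    throw new Error('no tenant context: refusing to build a query');
  }
  const known = FILTERED.has(operation) || WRITES_DATA.has(operation) ||
    operation === 'createMany';
  if (!known) {
    // Fail closed: an operation without a scoping rule is rejected rather
    // than passed through unfiltered.
    throw new Error(`operation "${operation}" has no tenant-scoping rule`);
  }
  const scoped = { ...args };
  if (FILTERED.has(operation)) {
    // Top-level keys of a where object are ANDed, so this narrows the query
    // and overwrites any tenantId the caller supplied.
    scoped.where = { ...args.where, tenantId };
  }
  if (WRITES_DATA.has(operation)) {
    // Pin the owner on writes so a row cannot be created in, or moved to,
    // another tenant through request-controlled data.
    scoped.data = { ...args.data, tenantId };
  }
  if (operation === 'createMany') {
    // createMany accepts one object or an array of them.
    scoped.data = [].concat(args.data ?? []).map((row) => ({ ...row, tenantId }));
  }
  return scoped;
}
```

Nested relation writes and raw SQL calls are outside what this function covers and need their own scoping rules.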

Aura platform staff (us) operate from a separate /platform route tree with explicit impersonation flows. Every impersonation session is recorded in the audit log with the staff member's identity, target tenant, and timestamp.

Hosting & data residency

Production runs on Hetzner dedicated infrastructure in the EU (Helsinki). Data stays within the EU unless your tenant explicitly opts into a region closer to your operations.

We use Hetzner because we wanted full control over the database, the backup schedule, and the network perimeter — not a black-box managed cloud. OS-level security patches are applied within 7 days of release; critical CVEs within 24 hours.

Audit log

Every state-changing action — login, reservation create/edit/cancel, payment recorded, rate change, user invited, permissions modified, statement generated — writes a row to a tamper-evident audit log with the actor, the timestamp, the before/after state, and any metadata about the request context.

Tenant operators see their own audit log at /[tenant]/audit. Aura platform staff see a separate cross-tenant view at /platform/audit.

Payments — PCI scope minimised

Aura never stores raw card numbers. Direct booking payments are tokenised via Stripe Elements (cards never touch our servers). OTA-channel virtual credit cards (Booking.com VCCs) are tokenised by the channel manager's PCI vault and passed to Stripe as PaymentMethod tokens. We hold pm_xxx identifiers, not PAN data.

This keeps Aura within PCI DSS SAQ-A scope: the simplest tier that applies to merchants who fully outsource cardholder data handling. We do not run a card vault.

Backups & recovery

Postgres is backed up nightly with on-site retention for 7 days and off-site retention for 30 days, both encrypted. Point-in-time recovery is available within the retention window. We test restore from backup quarterly.

If a backup needs to be restored to a tenant's account (e.g. operator accidentally deletes data), we can isolate that tenant's tables and restore without affecting other tenants.

GDPR & data subject rights

Your guests' rights, supported by the platform.

Aura is a data processor for guest data on behalf of you, the property operator (the data controller). The standard data-subject rights under GDPR — access, rectification, erasure, restriction, portability — are honoured operator-side: every guest record (reservations, communication, payments, check-in data) is queryable from the guest detail page, and ID-photo retention auto-purges per the property’s configured window.

In progress: one-click guest data export (JSON / CSV) and one-click anonymisation that scrubs PII while preserving aggregate financial records for tax retention. Until that ships, an operator handling a data-subject request can email hello@aurapms.io and we’ll run the export / scrub on the database directly within the GDPR 30-day response window.

A formal Data Processing Agreement (DPA) is available for tenants on request — email hello@aurapms.io.

Responsible disclosure

Found a vulnerability?

Email security@aurapms.io with details. Please don't post it publicly until we've had a chance to fix it. We aim to acknowledge within one working day and to remediate critical issues within seven days.

We don't currently run a paid bug bounty, but we credit researchers who follow responsible disclosure on this page.