Last updated: July 9, 2026
Security is foundational to CleverStay. Hosts trust us with their property information and their guests’ questions, and we design the service to protect that data at every layer. This page summarizes the technical and organizational measures we use.
Encryption
- In transit. All traffic between your browser, our applications, and our infrastructure is encrypted with TLS.
- At rest. Data stored in our databases and file storage is encrypted at rest by our cloud provider.
- Sensitive credentials. Credentials for connected integrations, such as channel-manager access tokens, are encrypted with AES-256-GCM before they are stored, using keys held in a managed key-management service. We never store these credentials in plaintext.
Infrastructure
- CleverStay runs on Google Cloud Platform, which maintains its own comprehensive security and compliance program.
- Application secrets are stored in a managed secret store, not in code or configuration.
- We run in a hardened, least-privilege configuration and keep our platform and dependencies patched.
Tenant isolation
- CleverStay is multi-tenant, and each host organization’s data is logically isolated.
- Access to organization data is enforced at the database layer with row-level security, so a request can only reach the data belonging to the organization it is scoped to.
- Members of an organization see only what their assigned role permits.
Access controls
- Access to production systems is restricted to authorized personnel on a need-to-know basis.
- Administrative access uses strong authentication.
- We follow the principle of least privilege for both people and services.
Data privacy and AI
- We do not sell personal information.
- We do not permit our AI or translation providers to use your or your guests’ content to train their general-purpose models.
- Guest questions and guide content are sent to these providers only to generate a response.
For details on what we collect and how we use it, see our Privacy Policy and the list of vendors on our Subprocessors page.
Compliance
- We are actively working toward SOC 2 Type II, and we design our controls with that framework in mind.
- We support hosts’ compliance with privacy regulations such as GDPR and CCPA, including data-access and deletion requests.
- A data-processing agreement is available to hosts who require one.
Responsible disclosure
We welcome reports from security researchers. If you believe you have found a vulnerability, please email security@cleverstay.ai with the details and steps to reproduce. We will acknowledge your report, investigate promptly, and keep you informed as we work on a fix. Please give us a reasonable opportunity to remediate before any public disclosure, and do not access or modify data that is not yours while testing.
Contact us
Questions about our security practices? Contact us at security@cleverstay.ai.