Booking·Tours

Security & reliability

Security that operators can trust.

Your customer data, payment events, and message history sit on infrastructure built for the financial-services standard.

SA
hosted in the South Africa region
TLS1.3
encryption in transit
40+
tables with row-level security
30-day
backup retention, hourly snapshots

01How your data is protected

Built to the financial-services standard.

POPIA-compliant, encrypted end to end, and hosted in South Africa — the same infrastructure our own dashboard runs on.

Hosting

Supabase, Postgres, and Vercel in the South Africa region — your data stays in the country.

Encryption

TLS 1.3 in transit; pgcrypto AES-GCM at rest for credentials and banking details.

Authentication

Supabase Auth with role-based access — Operator and Main Admin, with per-section permissions.

Database

Row-level security on all 40+ public tables, so a tenant only ever sees its own data.

Webhooks

HMAC-SHA256 signature verification with constant-time compare on every inbound event.

Idempotency

Every webhook write goes through an idempotency key — no double-charges, ever.

Audit logs

Every admin action and edge-function call is logged for a full, reviewable trail.

Backups

Hourly snapshots with 30-day retention, so nothing is ever a keystroke away from gone.

Compliance

POPIA-built. Not POPIA-patched.

You own your data and can export it any time. Data-deletion requests are handled with a mandatory cooling-off period and full audit retention.

Hosted in South Africa · encrypted at rest · you own your data, always