Skip to main content

Security at Goodstay

Your data — and your clients' data — is sacred. Here's how we protect it.

Encrypted in transit & at rest

All data is encrypted using TLS 1.2+ in transit and AES-256 encryption at rest.

SOC 2 aligned practices

Our security controls are aligned with SOC 2 Type II standards for trust and reliability.

Your data is yours

We never sell, share, or mine your data. You can export or delete it at any time.

Infrastructure & Hosting

  • Hosted on industry-leading cloud infrastructure with 99.9%+ uptime SLAs
  • All servers run in isolated, private network environments
  • Automated backups performed daily with point-in-time recovery
  • Infrastructure is provisioned and managed using infrastructure-as-code for consistency and auditability
  • DDoS protection and web application firewall (WAF) enabled by default

Data Protection

  • All data encrypted in transit using TLS 1.2 or higher
  • Database encryption at rest using AES-256
  • Sensitive credentials stored using Rails encrypted credentials — never in plain text
  • File uploads stored in encrypted cloud storage with signed, time-limited access URLs
  • Regular security dependency audits via automated tooling (Bundler Audit, Brakeman)

Application Security

  • Built on Ruby on Rails, which provides built-in protections against CSRF, XSS, and SQL injection
  • Content Security Policy (CSP) headers enforced across the application
  • Passwords hashed using bcrypt with automatic salting
  • Session tokens are securely generated and rotated on authentication changes
  • Role-based access control ensures users only see data they're authorized to access
  • All user input is validated and sanitized server-side

Authentication & Access

  • Secure session-based authentication with configurable session timeouts
  • Staff accounts are scoped to individual facilities — no cross-tenant data access
  • Owner portal access is token-secured and facility-scoped
  • Admin access is restricted to a dedicated subdomain with separate authentication

Multi-Tenancy & Data Isolation

  • Each facility's data is logically isolated at the application level
  • All database queries are scoped to the current facility — cross-tenant access is architecturally prevented
  • Subdomains provide additional routing-level isolation between facilities

Monitoring & Incident Response

  • Application and infrastructure monitoring with alerting for anomalies
  • Centralized logging for audit trails and forensic analysis
  • Defined incident response procedures for security events
  • Dependency vulnerabilities tracked and patched promptly

Business Continuity

  • Automated daily database backups with geographic redundancy
  • Disaster recovery plan with documented recovery time objectives
  • Zero-downtime deployments ensure availability during updates
  • Data export available on request — your data is always accessible to you

Have a security question?

We take security seriously. If you've found a vulnerability or have questions about our practices, please reach out.

Contact security@goodstay.pet