"Security is infrastructure,
not an afterthought."

Personnel Controls

• Background verification for all employees with production data access
• Reference checks and identity verification at onboarding
• Security clauses in all employment contracts and NDAs
• Immediate access revocation on termination (within 1 hour)
• Exit interviews include security checklist completion

Training & Awareness

• Mandatory annual security awareness training for all staff
• Role-specific training: developers complete OWASP secure coding modules
• Quarterly phishing simulation exercises
• Incident response tabletop exercises (bi-annual)
• Security digest distributed monthly to all staff

Principle of Least Privilege

• All access is denied by default; explicit grants required
• Role definitions reviewed quarterly by CISO
• Production access restricted to Infrastructure team + CISO
• Developers work in isolated staging environments only
• Just-in-time (JIT) access for all privileged operations

Vendor Risk Management

• All sub-processors assessed before onboarding (security questionnaire)
• Annual vendor risk re-assessment for critical sub-processors
• Contractual security requirements in all vendor agreements
• DPA (Data Processing Agreement) in place with all data sub-processors
• Sub-processor list published and kept current

Network Architecture

• Production, staging, and development environments in fully isolated VPCs
• All database instances in private subnets (no public internet exposure)
• NAT Gateways for outbound-only internet access from private subnets
• Security Groups with deny-by-default, minimum required port allowlists
• VPC Flow Logs enabled and shipped to centralised SIEM

Edge Protection

• AWS WAF on all public endpoints — OWASP Core Rule Set enabled
• AWS Shield Standard — DDoS protection at network and transport layers
• AWS CloudFront CDN with geo-restriction capability
• Rate limiting at WAF layer: 1,000 requests / 5 minutes per IP (configurable)
• Bot detection and CAPTCHA challenge for suspicious traffic patterns

Threat Detection

• AWS GuardDuty: continuous ML-based threat detection across all accounts
• AWS Security Hub: aggregated security findings with severity scoring
• AWS CloudTrail: full API audit trail, tamper-protected, 365-day retention
• Custom SIEM rules for Propeter-specific threat patterns
• PagerDuty integration: P1 alerts page on-call engineer within 60 seconds

Vulnerability Management

• Weekly automated vulnerability scanning (AWS Inspector + Snyk)
• Quarterly manual penetration testing by CREST-accredited third party
• Critical patches (CVSS 9.0+): deployed within 24 hours
• High patches (CVSS 7.0–8.9): deployed within 7 days
• Penetration test reports available to Enterprise clients under NDA

Design Phase

• Threat modelling (STRIDE methodology) for all new features
• Security requirements documented in feature specification
• CISO review gate for features handling PII or payment-adjacent data

Development Phase

• Secure coding guidelines enforced via ESLint security plugins
• Mandatory peer code review; two approvals required for production merge
• Snyk SAST scanning on every pull request; blocking on critical findings

Deployment Phase

• DAST (dynamic analysis) run against staging before every release
• Container image vulnerability scan before ECR push
• Deployment requires Security Engineer sign-off for major releases

API Security

• Rate limiting: 100 req/min per API key (configurable per plan)
• Input validation via Zod on all request bodies and query params
• JWT authentication with 24h access token + 30-day rotating refresh token
• API versioning; deprecated versions retired with 90-day notice

Multi-Factor Authentication

• MFA enforced for all staff accessing any production system
• MFA enforced for all hotel admin accounts (Starter and above)
• Supported factors: TOTP authenticator apps, hardware security keys (FIDO2/WebAuthn)
• SMS OTP available as fallback (non-primary factor)
• MFA bypass is not permitted; no exceptions policy

Role-Based Access Control

• Documented permission matrix: roles × resources × actions
• Default roles: Viewer, Revenue Manager, Property Manager, Account Admin, Super Admin
• Custom roles available on Enterprise plan
• Role assignments require two-person authorisation for elevated roles
• All role changes logged with approver identity

Privileged Access Management

• Just-in-Time (JIT) access for all production system access
• Access requests require documented justification + peer approval
• Sessions are time-limited (maximum 4 hours) and monitored in real-time
• Privileged session recordings retained for 90 days
• AWS SSO with SAML 2.0 for staff authentication

Session Management

• 30-minute idle timeout for inactive sessions (configurable by property admin)
• Device-bound sessions: token invalidated on new device login (with notification)
• Concurrent session limit: 3 active sessions per user (configurable)
• Session tokens cryptographically signed; tamper detection built in
• Forced re-authentication for sensitive operations (rate rule changes, user management)

Vulnerability Reports

Report suspected security vulnerabilities, bugs, or potential exploits. We commit to a 5-business-day acknowledgement. Please do not publicly disclose until we have had 90 days to remediate.

security@propeter.com

Data Protection & Privacy

Data subject rights requests, GDPR/DPDP Act enquiries, and DPA negotiations. Our Data Protection Officer will respond within the statutory timeframe.

dpo@propeter.com

Enterprise Security Reviews

Procurement teams, vendor risk managers, and information security teams requesting Propeter's security documentation, penetration test reports, or custom security questionnaire responses.

enterprise@propeter.com

Emergency & Incidents

If you are a client and believe you have experienced a security incident related to your Propeter account, contact your Customer Success Manager immediately or raise a P1 ticket via the support portal.

Support Portal →