Enterprise-Grade Security.
Audited. Certified. Transparent.
EscapeLife OS is built for operators who carry real responsibility — guest data, payment records, and operational continuity. Our compliance posture covers SOC 1, SOC 2, cybersecurity frameworks, and global data privacy regulations.
Certifications
SOC 1, SOC 2 & Cyber
Independent third-party audits and certifications across financial controls, security operations, and cybersecurity posture.
SOC 2 Type II
Status: In Progress. System and Organization Controls 2 — Trust Services Criteria covering Security, Availability, Processing Integrity, Confidentiality, and Privacy. A Type II report covers an independent auditor's examination of both the design and the operating effectiveness of controls over a defined observation period.
SOC 1 Type II
Status: In Progress. System and Organization Controls 1 — controls relevant to customers' financial reporting, covering the payment processing, folio management, and revenue accounting modules used by hospitality operators.
Cyber Essentials
Status: Planned. UK government-backed certification covering five core technical controls: firewalls, secure configuration, user access control, malware protection, and security update management. Demonstrates protection against the most common internet-based threats.
Security Architecture
Controls Across Every Layer
Encryption, access control, audit logging, and vulnerability management built into every component of the EscapeLife OS infrastructure.
Encryption at Rest & In Transit
AES-256 encryption for all data at rest and TLS 1.3 enforced for all data in transit. Encryption keys are managed in a dedicated KMS with automatic rotation and full audit logging of key usage.
Role-Based Access Control (RBAC)
Granular permission model down to object and action level. Staff roles — front desk, housekeeping, management, revenue — have scoped access; a role granted in one module confers no access in another.
Multi-Tenant Isolation
Each property operates in a fully isolated data plane: per-tenant schema separation, network segmentation, and independent encryption keys prevent cross-tenant data access even though the underlying infrastructure is shared.
Immutable Audit Logs
Every user action, API call, AI response, and configuration change is written to an immutable, append-only audit log. Logs are tamper-evident and retained for a minimum of 7 years.
Vulnerability Management
Continuous automated scanning of infrastructure and application code. Critical vulnerabilities patched within 24 hours. Quarterly penetration testing by an independent third-party security firm.
Incident Response
Documented incident response plan with defined SLAs for detection, containment, and notification. Security events trigger automated alerts to the on-call team within minutes.
SSO & MFA
SAML 2.0 and OIDC-based SSO integration for enterprise identity providers. MFA enforced for all administrative access. Phishing-resistant hardware key support for privileged accounts.
Background Checks & Training
All employees with access to production systems undergo background screening. Annual security awareness training and phishing simulation mandatory for all staff.
Secure SDLC
Security reviewed at every stage of the development lifecycle — threat modeling, static analysis, dependency scanning, and mandatory security sign-off before production deployment.
Zero Trust Architecture
Every request authenticated, every action logged, every tenant fully isolated.
Cybersecurity Framework
NIST CSF Aligned Controls
EscapeLife OS security operations are structured around the NIST Cybersecurity Framework — covering Identify, Protect, Detect, Respond, and Recover across all hospitality workloads.
| Function | Description | Key Controls |
|---|---|---|
| Identify | Asset inventory, risk assessment, and governance framework covering all systems processing guest and financial data. | Asset Management, Risk Register, Supply Chain Risk |
| Protect | Technical and administrative controls preventing unauthorized access and protecting data confidentiality and integrity. | Access Control, Encryption, Secure Config, Awareness Training |
| Detect | Continuous monitoring, anomaly detection, and security event logging across all infrastructure and application layers. | SIEM, IDS/IPS, Anomaly Detection, Log Analysis |
| Respond | Incident response playbooks, breach notification procedures, and containment workflows tested via tabletop exercises. | IR Plan, Breach Notification, Forensics, Comms Protocol |
| Recover | Business continuity planning, disaster recovery runbooks, and RTO/RPO commitments for all critical hospitality workloads. | DR Plan, Backups, RTO < 4 hr, RPO < 1 hr |
Data Privacy
GDPR, CCPA, PCI DSS & Beyond
EscapeLife OS is built to operate in regulated environments. Guest data, payment records, and operational data are handled under documented legal bases with full subject rights support.
GDPR Compliance
Data Processing Agreement (DPA) available on request for EU properties. Guest data subject rights (access, erasure, portability) supported via self-service and API.
CCPA / CPRA
California Consumer Privacy Act compliance for US properties. Do-not-sell controls, data deletion workflows, and opt-out mechanisms built into the guest profile system.
PCI DSS
Payment card data is handled by PCI DSS compliant payment processors. EscapeLife OS does not store raw card data; tokens issued by the processor are used for all payment references.
Data Residency Options
Enterprise customers may specify regional data residency (US, EU, APAC) for guest PII and financial records. Enforced at the infrastructure layer with documented data flow mapping.
Data Retention & Deletion
Configurable retention policies per data category. Guest PII purged on request within 30 days. Audit logs retained per regulatory requirements with automated expiry.
Sub-Processor Transparency
Full list of sub-processors published and maintained. Customers notified of sub-processor changes with 30-day opt-out period before new processors are activated.
Shared Responsibility
Security Is a Partnership
EscapeLife OS secures the platform layer. We provide documentation, controls, and audit support to help your security team complete vendor assessments, due diligence reviews, and enterprise procurement requirements.
Security Documentation
SOC 2 reports, penetration test summaries, and security architecture overviews available under NDA for enterprise prospects.
Vendor Questionnaires
CAIQ, SIG Lite, and custom security questionnaires completed by our security team within 5 business days.
DPA & Data Agreements
Standard Data Processing Agreement available. Custom DPA terms negotiated for enterprise contracts with specific regulatory requirements.
Security Questions? Talk to Our Team.
Our security team is available to answer technical questions, complete vendor assessments, and support your procurement process.
No credit card required · Setup in 48 hours · Cancel anytime