Trust
Security
Security isn’t a feature we add at the end — it’s how CORE is built. The platform carries confidential net rates, client details, and private conversations between hotels and travel professionals every day. Here is how we protect them.
Last updated: June 2026
Encrypted in transit
Every connection to CORE runs over HTTPS with TLS 1.2 or higher. Data moving between your browser, our servers, and our database is encrypted the whole way.
Encrypted at rest
All data in our database and file storage is encrypted at rest using AES-256, so it stays protected even on the underlying disks.
Row-level security
Access rules in the database itself ensure every account reads and writes only its own data — enforced on every query, not just hidden in the interface.
Trusted infrastructure
CORE runs on infrastructure from established providers (Supabase and Vercel) with physical security, network isolation, and continuous monitoring.
Authentication & access control
Accounts are protected by Supabase Auth. Signing in uses your email with a one-time verification code, and sessions are kept through signed, HTTP-only tokens rather than passwords stored in the browser. Every account carries a role — guest, travel agent, hotel representative, corporate hotel account, or administrator — and the platform grants access strictly by that role. Agent accounts are activated only through a verified invite key or manual approval; hotel representative and corporate accounts are created manually by CORE. Confidential net rates and commissions are visible only to verified agents, enforced at the database level.
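As an added illustration of the row-level security and role-gated net rates described above (not CORE's own schema or policies), the PostgreSQL sketch below shows how such rules are typically expressed. All table, column, function, and role names are hypothetical, and the `app.user_id` session setting stands in for the authenticated user, which on Supabase is supplied by `auth.uid()`.

```sql
-- Added example: hypothetical schema, not CORE's actual tables or policies.
-- Runs on plain PostgreSQL; app.user_id is an assumed session setting that
-- stands in for the signed-in user (Supabase exposes this as auth.uid()).
CREATE TABLE profiles (
    user_id  uuid PRIMARY KEY,
    role     text NOT NULL CHECK (role IN
             ('guest', 'travel_agent', 'hotel_rep', 'corporate', 'admin')),
    verified boolean NOT NULL DEFAULT false
);
CREATE TABLE bookings (
    id       bigserial PRIMARY KEY,
    owner_id uuid NOT NULL REFERENCES profiles (user_id),
    details  text
);
CREATE TABLE net_rates (
    id       bigserial PRIMARY KEY,
    hotel    text NOT NULL,
    net_rate numeric(10, 2) NOT NULL
);

-- Returns NULL when no user is set, so every comparison below fails closed.
CREATE FUNCTION current_user_id() RETURNS uuid LANGUAGE sql STABLE AS
$$ SELECT nullif(current_setting('app.user_id', true), '')::uuid $$;

-- RLS is off by default; FORCE applies the policies to the table owner too.
ALTER TABLE bookings  ENABLE ROW LEVEL SECURITY;
ALTER TABLE bookings  FORCE  ROW LEVEL SECURITY;
ALTER TABLE net_rates ENABLE ROW LEVEL SECURITY;
ALTER TABLE net_rates FORCE  ROW LEVEL SECURITY;

-- Own rows only: USING filters reads, updates and deletes;
-- WITH CHECK rejects inserts or updates that assign a row to someone else.
CREATE POLICY bookings_owner ON bookings
    FOR ALL
    USING      (owner_id = current_user_id())
    WITH CHECK (owner_id = current_user_id());

-- Net rates: readable by verified agents only. No INSERT/UPDATE/DELETE
-- policy exists, so writes through this path are denied by default.
CREATE POLICY net_rates_verified_agents ON net_rates
    FOR SELECT
    USING (EXISTS (
        SELECT 1 FROM profiles p
        WHERE p.user_id = current_user_id()
          AND p.role = 'travel_agent'
          AND p.verified));
```

A policy like this is only as strong as the `profiles` row it reads, so accounts must not be able to change their own `role` or `verified` values. Superusers and roles with `BYPASSRLS` (on Supabase, the service role key) skip these policies entirely, which is why such keys belong on the server only.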
Infrastructure
CORE runs on Vercel for application delivery and Supabase (on Amazon Web Services) for authentication, database, and storage. Both providers maintain SOC 2 Type II and ISO 27001 compliance, and the underlying infrastructure benefits from physical security, network isolation, and continuous monitoring at the provider level. Because these providers operate internationally, your data may be processed in more than one country, always under safeguards designed to protect it.
Data privacy
We collect only the data needed to run the platform, and we never sell it. AI requests are processed through OpenRouter solely to answer your queries. Your records — bookings, contacts, saved places, and conversations — are tied to your account and governed by row-level security. You can request access to, or deletion of, your personal data at any time.
Operational practices
Sensitive credentials and service keys are held on the server only and are never exposed to the browser. We follow the principle of least privilege across our systems, keep development and production environments separate, and rely on our infrastructure providers for automated, encrypted backups and high availability.
Compliance
We process personal data in line with applicable data-protection law, including the EU General Data Protection Regulation (GDPR) where it applies. Our hosting providers hold independent SOC 2 Type II and ISO 27001 certifications, and our use of cookies is described in our Cookie Policy.
Reporting a vulnerability
If you believe you’ve found a security issue, we want to hear about it. Email us the details and steps to reproduce, and please give us reasonable time to investigate and respond before disclosing it publicly. We don’t pursue legal action against good-faith security research.
Contact
Questions about security or data protection? Reach us at hello@corehotels.io.