Security

Last Updated: January 2025

Our Commitment to Security

At Resbit, we take security seriously. We implement industry-standard security practices and continuously monitor and improve our security posture to protect your data and ensure the integrity of our reservation management platform.

Authentication & Access Control

Secure Authentication

We use NextAuth.js, a robust authentication framework, to secure user access:

  • Password Security: All passwords are hashed using bcrypt with industry-standard salt rounds (10 rounds) before storage. We never store passwords in plain text.
  • Session Management: We use JWT (JSON Web Tokens) for secure session management. Sessions are cryptographically signed and include user identity, tenant association, and role information.
  • OAuth Integration: We support secure OAuth authentication with Google, allowing users to sign in without creating a separate password.
  • Password Requirements: Passwords must be at least 8 characters long to ensure adequate security.

Role-Based Access Control (RBAC)

We implement a comprehensive role-based access control system with five distinct roles, each with appropriate permissions:

  • System Administrator: Full system access for platform administration
  • Administrator: Full access within their organization
  • Owner: Full access to their business operations and settings
  • Manager: Access to manage bookings, customers, schedules, and team members
  • Employee: Limited access to view and manage assigned bookings and customers

All API endpoints enforce role-based permissions, ensuring users can only access data and perform actions appropriate to their role.

Multi-Tenant Isolation

Our platform uses a multi-tenant architecture where each business operates in complete isolation. Every API request is validated to ensure users can only access data belonging to their tenant. This isolation is enforced at both the application and database levels.

Data Protection

Encryption

  • Data in Transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS (Transport Layer Security). This protects your data from interception during transmission.
  • Database Security: We use PostgreSQL, a robust and secure database system. Database connections are secured and access is restricted to authorized application servers only.
  • Environment Variables: All sensitive configuration data, including API keys and secrets, are stored as environment variables and never committed to version control.

Input Validation

We use Zod, a TypeScript-first schema validation library, to validate all user inputs before processing. This prevents:

  • SQL injection attacks
  • Cross-site scripting (XSS) attacks
  • Data type mismatches
  • Malformed data submissions

All API endpoints validate request bodies, query parameters, and path parameters against strict schemas before processing.

Payment Security

Payment processing is handled entirely through Stripe, a PCI DSS Level 1 certified payment processor. This means:

  • No Card Storage: We never store credit card numbers, CVV codes, or full payment card details on our servers. All payment data is handled directly by Stripe.
  • PCI DSS Compliance: By using Stripe, we ensure that all payment card data handling meets the Payment Card Industry Data Security Standard (PCI DSS) requirements.
  • Secure Payment Methods: We support secure payment methods including credit cards, debit cards, and saved payment methods (tokenized and stored securely by Stripe).
  • Pay on Arrival: For pay-on-arrival online bookings, payment methods are tokenized and stored with Stripe; we do not place a pre-service authorization hold on the card.

API Security

Endpoint Protection

All API endpoints are protected with authentication middleware:

  • Every API request requires a valid authenticated session. Unauthenticated requests are immediately rejected.
  • Role-based permission checks ensure users can only access endpoints appropriate to their role level.
  • Tenant isolation is enforced on every request, preventing cross-tenant data access.
  • Resource ownership is verified before allowing modifications or deletions.
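
The four checks listed above, composed into one guard that runs them in a fixed order. This is an added example and not Resbit's own code: the role ranking, the per-action minimum role, the Booking shape and every name in it are assumptions made for illustration.

```typescript
// Added example: every name, shape and policy value here is hypothetical.
type Role = "SYSTEM_ADMIN" | "ADMIN" | "OWNER" | "MANAGER" | "EMPLOYEE";
type Action = "read" | "update" | "delete";

// Claims the page says the signed session carries: identity, tenant, role.
interface Session { userId: string; tenantId: string; role: Role }
// Constructed resource: a booking that belongs to a tenant and one employee.
interface Booking { id: string; tenantId: string; assignedTo: string }
interface Decision { status: 200 | 401 | 403 | 404; reason: string }

// Assumed ordering of the five roles: higher rank, broader permissions.
const RANK: Record<Role, number> =
  { EMPLOYEE: 1, MANAGER: 2, OWNER: 3, ADMIN: 4, SYSTEM_ADMIN: 5 };
// Assumed policy: the lowest role allowed to perform each action.
const MIN_ROLE: Record<Action, Role> =
  { read: "EMPLOYEE", update: "EMPLOYEE", delete: "MANAGER" };

function authorize(session: Session | null, action: Action, booking?: Booking): Decision {
  // 1. Authentication: no valid session, reject before touching any data.
  if (session === null) return { status: 401, reason: "unauthenticated" };
  // 2. Role: compare the caller's rank with the action's minimum.
  if (RANK[session.role] < RANK[MIN_ROLE[action]])
    return { status: 403, reason: "insufficient_role" };
  // 3. Tenant isolation: a booking in another tenant gets the same answer
  //    as a missing one, so the response never confirms that the id exists.
  if (booking === undefined || booking.tenantId !== session.tenantId)
    return { status: 404, reason: "not_found" };
  // 4. Ownership: employees may only act on bookings assigned to them.
  if (session.role === "EMPLOYEE" && booking.assignedTo !== session.userId)
    return { status: 403, reason: "not_assigned" };
  return { status: 200, reason: "ok" };
}

// Constructed sample data: two tenants, one booking in tenant "t1".
const BOOKING: Booking = { id: "b1", tenantId: "t1", assignedTo: "u-emp1" };
const EMP1: Session = { userId: "u-emp1", tenantId: "t1", role: "EMPLOYEE" };
const EMP2: Session = { userId: "u-emp2", tenantId: "t1", role: "EMPLOYEE" };
const OTHER_OWNER: Session = { userId: "u-own9", tenantId: "t2", role: "OWNER" };

// Runs the constructed cases and returns the HTTP status of each decision.
function runConstructedCases(): number[] {
  return [
    authorize(null, "read", BOOKING),         // no session
    authorize(EMP1, "update", BOOKING),       // assigned employee
    authorize(EMP1, "delete", BOOKING),       // role too low for delete
    authorize(EMP2, "read", BOOKING),         // same tenant, not assigned
    authorize(OTHER_OWNER, "read", BOOKING),  // high role, wrong tenant
  ].map((d) => d.status);
}
```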

Error Handling

Our error handling is designed to protect sensitive information. Error messages provide enough detail for legitimate debugging while avoiding exposure of:

  • Database structure or schema information
  • Internal system paths or file locations
  • Stack traces in production environments
  • Sensitive configuration details

Cron Job Protection

Automated background jobs (cron jobs) are protected with secret token authentication, ensuring only authorized services can trigger these operations.

Infrastructure Security

Database Security

  • Database connections use secure protocols and are restricted to application servers.
  • Connection pooling is implemented to prevent connection exhaustion attacks.
  • Database queries use parameterized statements through Prisma ORM, preventing SQL injection.
  • Regular database backups ensure data recovery capabilities.

Secret Management

All sensitive credentials and API keys are stored as environment variables, including:

  • Authentication secrets (AUTH_SECRET)
  • Database connection strings (DATABASE_URL)
  • Payment processor keys (STRIPE_SECRET_KEY)
  • SMS service credentials (TWILIO credentials)
  • OAuth provider credentials

These secrets are never exposed in client-side code or version control systems.

SMS Security

SMS communications are handled through Twilio, a trusted telecommunications provider:

  • Opt-In Required: Users must explicitly opt in to receive SMS notifications. Opt-out is available at any time by replying STOP.
  • Secure Transmission: SMS messages are sent through Twilio's secure infrastructure.
  • Phone Number Protection: Phone numbers are stored securely and only used for authorized communications.

Security Monitoring & Updates

We maintain security through:

  • Regular Updates: We keep all dependencies and frameworks up to date with the latest security patches.
  • Security Assessments: We regularly review our security practices and update them as needed.
  • Logging: We maintain security logs for authentication attempts, API access, and system events.
  • Incident Response: We have procedures in place to respond to security incidents promptly and effectively.

Your Role in Security

While we implement strong security measures, you also play an important role:

  • Strong Passwords: Use a unique, strong password for your account. Consider using a password manager.
  • Account Protection: Never share your login credentials with others. If you suspect unauthorized access, change your password immediately.
  • Team Management: Regularly review team member access and remove access for users who no longer need it.
  • Stay Updated: Keep your browser and devices updated with the latest security patches.

Reporting Security Issues

If you discover a security vulnerability, please report it to us immediately through the support channels provided in your account dashboard. We take security vulnerabilities seriously and will investigate and address them promptly.

Please do not publicly disclose security vulnerabilities until we have had an opportunity to address them.

Compliance

Our security practices are designed to help us comply with relevant data protection regulations, including:

  • General Data Protection Regulation (GDPR) for EU users
  • California Consumer Privacy Act (CCPA) for California residents
  • Payment Card Industry Data Security Standard (PCI DSS) for payment processing

Contact Us

If you have questions about our security practices or wish to report a security concern, please contact us through the support channels provided in your account dashboard.