Platform 24/7 Butler Pricing Case Studies About Contact

Enterprise-Grade Security Architecture

CloudReef is engineered with security at every layer of the stack.

TLS 1.3 AES-256 SOC 2 GDPR Ready RLS Isolation

This document provides a comprehensive overview of the technical security controls, infrastructure hardening, and operational practices that protect property and guest data within the CloudReef Property Management System.

Table of Contents
  1. Infrastructure Security
  2. Data Encryption
  3. Authentication & Session Management
  4. Authorization & Access Control
  5. Multi-Tenant Data Isolation
  6. Database Security
  7. Application Security
  8. Real-Time Security
  9. Payment Security
  10. Monitoring & Incident Response
  11. Access Control for Public Interfaces
  12. Notification Security
  13. Compliance & Certifications
  14. Security Contact

1. Infrastructure Security

1.1 Hosting Architecture

CloudReef operates on a distributed, multi-layer infrastructure:

LayerProviderRoleSecurity Posture
Edge NetworkCloudflareDNS, CDN, DDoS mitigation, WAF, bot managementSOC 2 Type II, ISO 27001, PCI DSS
ApplicationVercelServerless compute, static asset delivery, edge functionsSOC 2 Type II, automatic HTTPS
DatabaseSupabase (AWS)PostgreSQL database, authentication, real-time engine, object storageSOC 2 Type II, AWS eu-central-1
PaymentsStripePayment tokenization and processingPCI DSS Level 1

All infrastructure providers maintain independently audited compliance certifications. CloudReef does not operate bare-metal servers.

1.2 Network Security

1.3 TLS Configuration

All connections to CloudReef services are encrypted in transit:

2. Data Encryption

2.1 Encryption in Transit

All data transmitted between clients, edge network, application servers, and database is encrypted using TLS. This includes:

2.2 Encryption at Rest

3. Authentication & Session Management

3.1 Authentication Architecture

CloudReef uses Supabase Auth, which is built on top of GoTrue, an open-source JWT-based authentication system:

3.2 Session Security Controls

4. Authorization & Access Control

4.1 Role-Based Access Control (RBAC)

CloudReef implements a seven-tier role hierarchy enforced at both application and database layers:

RoleScopeDashboardRoomsBookingsGuestsPOSKitchenInventoryInvoicesReportsSettingsDebug
OwnerFull accessYesYesYesYesYesYesYesYesYesYesYes
ManagerFull operationalYesYesYesYesYesYesYesYesYesYesYes
Front DeskGuest-facing opsYesYesYesYesYes
ServerF&B operationsYesYes
KitchenKitchen opsYesYes
HousekeepingRoom statusYesYes
ViewerRead-only overviewYes

Role assignment is stored at the database level in the users table with a PostgreSQL enum constraint, preventing invalid role values.

4.2 Three-Layer Authorization Enforcement

Layer 1. Middleware (Route Level)

Next.js middleware intercepts every request. Unauthenticated requests to protected routes are redirected to the login page. Public routes (/login, /qr/*) bypass authentication requirements.

Layer 2. Application (Component Level)

Dashboard layout components verify the authenticated user's role against the requested route using the canAccessRoute() permission check. Unauthorized access renders an access-denied screen with appropriate messaging rather than exposing any protected data.

Layer 3. Database (Row Level Security)

PostgreSQL Row Level Security policies enforce data isolation at the query level. Every database query is automatically filtered by the authenticated user's resort_id, derived from their Supabase Auth UID. This ensures that even if application-level checks are bypassed, the database itself prevents cross-tenant data access.

5. Multi-Tenant Data Isolation

5.1 Architecture

CloudReef uses a shared-database, shared-schema multi-tenant architecture with Row Level Security (RLS) enforcing tenant boundaries:

5.2 Row Level Security Policy Pattern

All tenant-scoped tables implement the following RLS policy:

CREATE POLICY "Resort data access" ON [table_name]
  FOR ALL USING (
    resort_id IN (
      SELECT resort_id FROM users WHERE auth_id = auth.uid()
    )
  );

This policy:

5.3 Protected Tables

Row Level Security is enforced on all 17 data tables:

resort_settings, users, rooms, guests, bookings, menu_categories, menu_items, orders, order_items, inventory, activities, activity_bookings, invoices, conversations, messages, notifications, error_logs

5.4 Cascading Data Integrity

Foreign key constraints with ON DELETE CASCADE ensure that when a resort is removed, all associated data is automatically and atomically deleted:

resort_settings (parent)
  ├── users
  ├── rooms
  ├── guests
  ├── bookings
  ├── menu_categories
  ├── inventory
  ├── activities
  ├── invoices
  ├── conversations
  ├── notifications
  └── error_logs

Critical business constraints prevent accidental data loss:

6. Database Security

6.1 Query Safety

6.2 Schema Constraints

Constraint TypeExamples
UniqueOne user per email per resort, one room number per resort, one booking reference per resort, one invoice number per resort, one SKU per resort
Checkcheck_out > check_in on bookings, valid enum values for error log levels and sources
Not NullRequired fields enforced at database level (guest name, booking dates, room number)
Foreign KeyAll cross-table references validated with appropriate cascade/restrict behavior

6.3 Indexes & Performance

Strategic database indexes prevent slow queries from becoming denial-of-service vectors:

6.4 Backups & Recovery

7. Application Security

7.1 Framework Security

7.2 Input Handling

7.3 Error Handling

8. Real-Time Security

CloudReef uses Supabase Realtime for live data updates (new orders, booking changes, notifications). Real-time channels are secured through:

9. Payment Security

CloudReef integrates with Stripe for payment processing:

10. Monitoring & Incident Response

10.1 Real-Time Error Monitoring

CloudReef includes a built-in diagnostic console that provides:

10.2 Error Sources Captured

SourceCapture Method
Client-side JavaScript errorswindow.onerror event listener
Unhandled Promise rejectionsunhandledrejection event listener
Console errorsconsole.error interception (excluding React development warnings)
Database errorslogSupabaseError() wrapper with operation context
HTTP API errorsloggedFetch() wrapper with status code and method

10.3 Incident Response

11. Access Control for Public Interfaces

11.1 QR Code System

CloudReef provides QR code-based ordering for restaurant tables and hotel rooms:

12. Notification Security

13. Compliance & Certifications

13.1 Infrastructure Compliance

ProviderCertifications
Supabase (AWS)SOC 2 Type II, ISO 27001 (AWS), GDPR compliant
VercelSOC 2 Type II, GDPR compliant
CloudflareSOC 2 Type II, ISO 27001, PCI DSS, GDPR compliant
StripePCI DSS Level 1 (highest level)

13.2 Data Protection Practices

14. Security Contact

Report a Vulnerability

Email: [email protected]

Response time: 48 hours for initial acknowledgment


We welcome responsible disclosure from security researchers. All verified vulnerabilities are addressed promptly and reporters are credited (with permission).


General Security Inquiries

Email: [email protected]


Company Address

CloudReef, distributed by SwiftSyncIT Philippines

Marnella Townhouse, Casanta Soong Road

Brgy Mactan

Cebu City, Philippines