The posture that backs the architecture.
No fictional certifications, no security theatre. A concrete read on what the platform commits to, what it does not, and how those commitments map to architecture.
What we commit to in public.
Jurisdiction
Escapra Oy · Espoo, Finland · EU region
Regulatory
GDPR — documented controls and data-subject processes
Data residency
EU
Encryption
TLS in transit · encrypted at rest
Audit posture
Append-only capture of governance, inventory, cancellation, and settlement decisions; queryable per booking
Access model
Tokens bound to authorization scope; cannot exceed what the hotel authorized
PMS partner names
Private until written consent — never published without authorization
Customer references
Disclosed only with written consent
Uptime target
99.9% monthly target on the customer-facing API · planned maintenance announced 48h in advance
Six commitments that hold across every service.
Fail closed by default
When the source of truth degrades, the platform refuses to book rather than book unsafely. Silence under degradation is not a feature — it is the failure mode we exist to eliminate.
Append-only audit
Every governance, inventory, cancellation, and settlement decision is captured. History is never updated. Disputes are answered with a queryable record, not a reconstruction project.
Per-service isolation
Each service owns its own database. Cross-service relationships resolve by id, never by shared writeable surfaces. Blast radius is constrained by design.
Scoped authorization
Partner tokens cannot exceed the scope the hotel granted. The authorization is enforced before any booking decision.
Idempotent contracts
Every write accepts an Idempotency-Key. Same key + same payload → same result. Retries on transient failure are safe and audit-marked.
Sandbox first
Production activation is a joint readiness review with Escapra and an authorizing hotel. There is no public self-serve switch.
Concrete, not aspirational.
What we collect
Operational metadata required to run the platform: hotel and partner identifiers, booking lifecycle events, audit records. We do not store guest payment-card data.
What we do not do
We do not sell, resell, or syndicate data. We do not name PMS or customer references without written consent. We do not silently re-price or re-distribute.
Sub-processors
Cloud infrastructure and operational tooling sub-processors are disclosed under DPA on request. Changes are notified to data controllers.
Data subject rights
GDPR rights (access, rectification, erasure, portability) are handled via support@escapra.com. We respond within statutory deadlines.
Questions about security or compliance?
Security and DPA questionnaires are handled via support@escapra.com. Connectivity-partner due-diligence is confidential by default.