Security
Introduction
InnSight AI, Inc. provides a hotel revenue intelligence platform to hotels, owners, asset managers, and management companies. We take the protection of customer data seriously. This Security overview describes the administrative, technical, and physical controls we maintain to protect the confidentiality, integrity, and availability of customer information and the InnSight AI platform.
This page is provided for informational purposes and does not modify or supersede the security commitments contained in our subscription agreements.
Governance
Information security at InnSight AI is owned by the company's leadership. Security policies, controls, and incident-response procedures are reviewed at least annually. Every employee and contractor is required to follow our written information-security policy and to complete security and privacy training upon onboarding.
Data classification
We classify the information we handle into four broad categories: Customer Confidential (customer hotel data uploaded to the platform), Personal Data (information that identifies an individual), Internal (company business information), and Public (marketing content). The controls described below apply to Customer Confidential and Personal Data unless otherwise stated.
Encryption
- In transit: all traffic between your browser and the InnSight AI platform is encrypted using TLS 1.2 or higher with modern cipher suites.
- At rest: production data stores, including object storage and managed databases, are encrypted at rest using industry-standard AES-256 or equivalent.
- Key management: encryption keys are managed by our cloud provider's key-management service with restricted, audited access.
Access control
- Access to production systems and customer data is limited to authorized personnel with a legitimate business need.
- We follow the principle of least privilege and review access rights on a defined cadence, removing access that is no longer needed.
- Single sign-on (SSO) and multi-factor authentication (MFA) are required for production access.
- Customer-facing accounts support strong passwords; SSO is available for enterprise customers.
Application and infrastructure security
- The platform is hosted on reputable U.S. cloud infrastructure with strong, independently audited physical and network security controls.
- Production environments are segregated from development and staging environments.
- We use widely adopted, actively maintained frameworks and apply secure-by-default configurations.
- Dependencies are monitored for known vulnerabilities and patched on a defined cadence based on severity.
- Code changes pass through code review and automated tests before being deployed.
Monitoring and logging
We maintain centralized logging for production systems, including application logs, infrastructure logs, and security-relevant events. Logs are retained for a period appropriate to operational and forensic needs, and access to logs is restricted to authorized personnel.
Vendor and sub-processor management
We use a limited set of sub-processors to host, secure, and support the platform. New sub-processors are subject to security and privacy review before onboarding, and existing sub-processors are reviewed periodically. We require written confidentiality and data-protection commitments from each sub-processor.
Incident response
We maintain a written incident-response plan that defines detection, triage, containment, eradication, recovery, and post-incident review. If we determine that a security incident has resulted in unauthorized access to a customer's data, we will notify the affected customer without undue delay and in accordance with the customer's subscription agreement and applicable law.
Business continuity
We back up production data on a regular schedule and periodically test our ability to restore from backups. Our infrastructure choices are designed to support high availability across multiple availability zones.
Customer-side responsibilities
Strong security is a shared responsibility. Customers are responsible for:
- configuring accounts and user roles appropriately;
- protecting and rotating credentials;
- promptly deprovisioning users who change roles or leave the organization;
- configuring integrations and exports in line with their own data-handling obligations;
- reporting suspected security issues to us at security@innsightai.org.
Reporting a vulnerability
If you believe you have discovered a security vulnerability in the Site or the InnSight AI platform, please report it to security@innsightai.org with sufficient detail to reproduce the issue. We ask that you act in good faith, do not access or modify data that does not belong to you, and give us a reasonable opportunity to investigate and remediate before any public disclosure. We appreciate the work of the security research community.
Continuous improvement
Security is not a one-time project. We continuously review our controls, monitor industry threats, and improve as the company grows. This page will be updated to reflect material changes in our practices.
Contact
For security questions, email security@innsightai.org. For general questions about the platform, email hello@innsightai.org.