Vivy

Security

A short, plain-language description of how Vivy handles your data. Updated as our posture evolves.

Read-only by design

Vivy connects to your property management system through OAuth 2.0 and only ever issues read requests. We do not create, update, or delete anything in your PMS. This is enforced at three layers: a runtime guard that raises before any non-GET request leaves our servers, a unit test that asserts the guard is wired into our HTTP client, and a repo-level CI check that fails the build if the guard is removed. Write-capable tooling for our own development lives in a physically separate repository that has no path to your data. The same architecture applies to every PMS we integrate with — currently OwnerRez, with Hospitable on the roadmap.

Encryption

Your PMS OAuth token is encrypted at rest with AES-128 (Fernet) before being written to our database. The encryption key lives only in our hosting provider's managed environment and is never checked into source control. All traffic between you and Vivy, and between Vivy and your PMS, is over HTTPS.

Tenant isolation

Each host account gets its own PostgreSQL schema. Cross-tenant data access is impossible at the SQL layer, not just at the application layer. Internal admin tools that touch tenant schemas are gated behind explicit role checks and logged.

Data minimization

We pull only the property and booking data we need to build reports and operational views. Guest PII is reduced to coarse location (city / state / country) before storage. Charge data and revenue figures stay full-fidelity because reports require them.

Access controls

Authentication uses HttpOnly cookies, not browser-readable tokens, to limit XSS exposure. Refresh tokens are bcrypt-hashed in our database. Phone OTPs are single-use and short-lived. Production secrets live only in our hosting provider's environment dashboard.

Incident response

We maintain an internal runbook for incident response: detection, customer notification, post-incident write-up. If you believe you've found a security issue, email security@vivy.rentals and we'll respond within one business day.

Contact

Privacy questions: privacy@vivy.rentals. Security disclosures: security@vivy.rentals. Everything else: hello@vivy.rentals.