Rovebook/Security

Trust

A back room that does not leak.

Hospitality is the discipline of looking after people. The most fundamental thing a back room owes the front desk is that the data it holds cannot escape.

  1. Multi-tenant by design

    Every query is scoped to your organisation at the authentication layer, not at the application layer. We design the boundary as if a competitor signed up as a tenant.

  2. No raw card data

    Payments clear through Omise, 2C2P, Stripe, PromptPay QR, or bank transfer with manual reconciliation. Rovebook never sees the card number; we hold a token issued by the processor.

  3. No member directory

    Members do not see other members. They do not see other customers, other invoices, other bookings, or other accounts. Not by default, not as an option.

  4. Recipient-hidden announcements

    Broadcast emails deliver one recipient at a time. Nobody on the receiving end sees who else got the message. Bcc is the default; To is not available.

  5. Audit log on every sensitive change

    Refunds, role changes, manual overrides, exports — every action that crosses a privacy or money boundary is logged with a user, a timestamp, and a reason.

  6. Bangkok edge, regional points of presence

    We run on a regional edge, with the primary point of presence in Singapore and a secondary in Bangkok. Pages load in a blink wherever your front desk is in Asia.

  7. Roles you can write down

    Owner, manager, front desk, finance, coach, therapist — pre-built. Custom roles for operators with unusual org charts. Every role names what it can read and what it can write.

  8. PDPA-conscious by default

    When a merchant uses Rovebook, the merchant is the data controller of their members; Rovebook is the data processor. We honour data-subject requests through the merchant and assist with PDPA disclosure when required.

Built in Bangkok, hosted on the edge

Where the data lives, and where it does not.

We run on Cloudflare Workers and D1, with the primary point of presence in Singapore and a secondary in Bangkok. Card data never touches our servers. End customers do not see one another, ever.

  • Edge: Regional edge · Singapore + Bangkok PoP
  • Payments: Omise · PromptPay · 2C2P · bank transfer
  • Currency: THB native · multi-currency on the roadmap
  • Privacy: No member directory · no cross-tenant queries
  • Migration: Free during onboarding from any platform
  • Support: Bangkok hours · founder Slack on Operator tier

Standards & process

We publish what we do. We do what we publish.

  • Encryption. TLS 1.3 in transit. AES-256 at rest in D1. Secrets in Cloudflare Workers KV / env, never in source.
  • Backups. Daily database snapshots retained for thirty days. Restore tested monthly.
  • Access. Role-based access control internally; staff access to customer data is logged, time-boxed, and requires a written reason.
  • Incident response. Sixty-minute internal severity classification; affected customers notified within twenty-four hours of confirmation.
  • Subprocessors. A short, named list — Omise, 2C2P, Stripe, Cloudflare, AWS SES. Changes are posted in advance.
  • Data subject requests. Honoured through the merchant for member data; honoured directly for operator data. Response within thirty days.

A written policy is part of the front desk.

Privacy and Terms are linked below. We re-read them every quarter and date the changes.

Made in Bangkok · Built for Asia.