Security and data protection foundation

Kuya-X is built with tenant isolation, role-based access, audit logging and secure operational controls. Each hotel record is scoped by hotel_id, and direct URL access must be blocked server-side.

• Password hashing and reset-token hashing.
• CSRF protection for forms.
• Login rate limiting and failed-login audit records.
• Installer, upgrade and health endpoints protected by secrets.
• Plan and module limits enforced server-side.
• Sensitive guest data access should be restricted to authorised roles.

Production must use HTTPS, daily backups, strong admin passwords and verified SMTP.