Security at RMS

Security is built in, not bolted on

Protecting your guests' data and your business isn't a checkbox - it's foundational to everything we build and how we operate. Independently certified and continuously monitored, RMS is enterprise-grade software and security built for hospitality.

Last Reviewed: April 2026

Your Trust Is Our Most Important Asset

RMS has been powering the hospitality industry for over 40 years. In that time, we've earned the trust of 6,000+ properties across 70+ countries - and we don't take that lightly.

Our security program is built on three principles: it must be comprehensive, independently verified, and continuously improving. We don't wait for the annual audit to check if our controls are working. We monitor our environment around the clock, respond to threats as they emerge, and hold ourselves to the same high standards our customers hold us to.

When you choose RMS, you deserve to know exactly how we keep your data safe.

Independently Certified

SOC 2 Type II and PCI DSS v4.0.1 assessed annually at the Service Provider level by independent third-party auditors.

Continuously Monitored

24/7 automated threat detection and security monitoring across our entire cloud infrastructure.

Zero Security Breaches

No reportable security incidents during our most recent SOC 2 Type II audit period.

Independently verified. Industry certified.

We don't just say we're secure. We prove it - through rigorous independent assessments against the most demanding standards in the industry.

Security shows up in how we build, how we respond to incidents, how we communicate, and how we keep investing in security infrastructure.

Adam Seskis, CEO RMS

SOC 2 Type II Attestation

Our SOC 2 Type II attestation is the gold standard for cloud software security. Unlike a SOC 2 Type I assessment (which is a point-in-time snapshot), Type II evaluates whether our controls operated effectively over a full 12-month period.

RMS achieved SOC 2 Type II attestation across all five Trust Services Criteria:

  • Security - protection against unauthorized access, use, or modification.
  • Availability - the system is available for operation as committed.
  • Processing Integrity - system processing is complete, valid, and accurate.
  • Confidentiality - information designated as confidential is protected.
  • Privacy - personal information is collected, used, and retained appropriately.

Most recent assessment period: 1 December 2024 - 30 November 2025

Audited by: Sensiba LLP (San Jose, California)

Report issued: 11 December 2025

PCI DSS v4.0.1

RMS is assessed under the Payment Card Industry Data Security Standard (PCI DSS) - the global standard for protecting cardholder data. We are assessed at the Service Provider level, which carries the most stringent requirements.

Our assessment covers all 12 PCI DSS requirements:

  • Requirements 1 & 2: Build and maintain a secure network and systems.
  • Requirements 3 & 4: Protect account data and cardholder data in transit.
  • Requirements 5 & 6: Maintain a vulnerability management program.
  • Requirements 7, 8 & 9: Implement strong access control measures.
  • Requirements 10 & 11: Regularly monitor and test networks.
  • Requirement 12: Maintain an information security policy.

Standard version: PCI DSS v4.0.1 (most current version)

Assessment type: Report on Compliance (ROC) - the highest level of PCI validation

Assessed by: PCI Consulting Australia (Qualified Security Assessor)

Most recent assessment: November 2025

Six Layers of Protection, Working Together

Security isn't a single control. It's a layered system of people, processes, and technology working in concert. Here's how RMS protects your data at every level.

1. Cloud Infrastructure Security

RMS operates on a resilient multi-cloud architecture, with deployment across multiple availability zones. This means that even if one data center experiences an issue, your operations keep running.

Enterprise-grade security services protect every layer of our infrastructure:

  • Continuous, intelligent threat detection across accounts and workloads.
  • Automated vulnerability scanning and exposure management.
  • Cloud security posture management (CSPM) and workload protection.
  • Protection against SQL injection, cross-site scripting, and other web attacks.
  • Centralized network security policy management.
  • DDoS protection, DNS security, and TLS encryption across all web traffic.

2. Data Encryption

All RMS customer data is encrypted at rest and in transit — no exceptions.

  • Encryption at rest: all customer data stored within RMS systems is encrypted using AES-256.
  • Encryption in transit: TLS encryption enforced for all data transmitted between your property and our systems.
  • Cardholder data: subject to additional encryption and tokenization controls under PCI DSS v4.0.1.
  • Key management: cryptographic keys are managed through a dedicated key management service, with centralized access controls and a full audit trail.

3. Access Control

Access to RMS systems and data operates on a strict least-privilege model. No employee has access beyond what they need to fulfil their role — and that access is regularly reviewed.

  • Identity management and single sign-on across all internal systems.
  • All access requests are subject to approval workflows before being granted.
  • Access rights are periodically reviewed and immediately revoked when roles change or staff leave.
  • Multi-factor authentication (MFA) is enforced across our environment.
  • An enterprise password manager is used to enforce strong credential hygiene.

4. Endpoint Security

Every device used by an RMS employee to access our systems is managed and monitored.

  • Our endpoint detection and response (EDR) platform is deployed, providing real-time threat detection and automated response.
  • Mobile device management (MDM) software enforces security policies and enables remote management across all employee workstations.
  • Employees are required to comply with defined endpoint security standards, covering device encryption, software updates, and access policies.

5. Vulnerability Management

We proactively hunt for weaknesses before bad actors can find them.

  • Continuous vulnerability scanning across our codebase and infrastructure.
  • Automated vulnerability scanning across our workloads for software vulnerabilities and unintended network exposure.
  • Our CI/CD pipeline enforces security checks before every code deployment — changes cannot be promoted to production without passing defined security gates.
  • Development, test, and production environments are strictly separated to prevent unapproved changes from reaching live systems.
  • A documented change control process governs all changes to production, including approval, testing, and rollback capability.

6. Security Monitoring & Incident Response

We don't wait to find out something went wrong. We monitor for it continuously.

  • A complete, tamper-evident audit log of all API activity across our cloud environment.
  • Real-time alerting on infrastructure, application, and security events.
  • Continuous threat intelligence and automated detection of malicious activity.
  • Annual penetration testing with certified vendors.
  • Our documented incident response procedures define roles, escalation paths, and resolution timelines for any security event.

Payments Your Guests Can Trust

RMS Pay, our integrated payment gateway, is built on a PCI DSS v4.0.1 compliant infrastructure — assessed at the Service Provider level, the most rigorous classification. We take responsibility for securing guest payment data throughout its lifecycle in our systems.

Here's how we protect cardholder data:

  • Tokenization: raw payment card numbers are never stored in our system. Card data is immediately tokenized, replacing sensitive numbers with a secure token that is useless to an attacker.
  • Encryption: all cardholder data transmitted through our platform is encrypted using strong cryptography, meeting PCI DSS v4.0.1 requirements.
  • Scoped environment: our cardholder data environment (CDE) is strictly scoped and segmented from other systems, minimizing the attack surface.
  • Independent validation: our PCI DSS compliance is verified annually by PCI Consulting Australia, a Qualified Security Assessor (QSA) — not a self-assessment.

Data Residency

Your data lives on AWS and Azure infrastructure — hosted within their certified, enterprise-grade data centre environments. We don't run local office networks that could introduce risk into the chain.


As a Data Processor, we handle your data on your behalf. Your organisation retains full Data Controller responsibilities — you decide how it's collected, how long it's kept, and when it's disposed of.

We support properties across all continents, and our data governance program defines how every data type is classified, handled, retained, and deleted. For available residency regions and jurisdiction-specific commitments, visit the RMS Trust Centre.

Your data, handled responsibly.

RMS acts as a Data Processor for the personal and business data that flows through our platform. We collect and process data only as necessary to deliver our services, in strict accordance with our Privacy Notice.

Our SOC 2 Type II report includes the Privacy Trust Services Criterion, providing independent assurance that our privacy controls are suitably designed and operating effectively. This goes beyond a simple privacy policy — it's a verified commitment.

Data We Process on Your Behalf

On behalf of your property, RMS processes:

  • Guest personal information: names, email addresses, and contact details.
  • Financial account information: account balances and transaction records.
  • Payment information: processed through our PCI DSS compliant payment infrastructure.
  • Business information: operational and proprietary data of your property.
  • Sensitive personal information: where relevant to service delivery.

How We Govern Your Data

  • Data classification and handling procedures define how each data type is stored, accessed, and retained.
  • Data flow documentation maps the movement and dependencies of data across our system.
  • Automated validation controls verify data completeness and accuracy throughout processing.
  • Our privacy program manages privacy requests and regulatory obligations globally.

Security Works Best as a Partnership

The RMS Office of Cybersecurity (ROCS)

Our dedicated security function, ROCS, is responsible for maintaining the confidentiality, integrity, and availability of our systems, and for ensuring we stay ahead of the evolving threat landscape.

Working alongside our Risk and Compliance team, ROCS identifies, evaluates, and treats operational, strategic, compliance, and financial risks on an ongoing basis.

How RMS enables customers to stay secure

We maintain robust controls across our infrastructure, software, and operations, but effective security also requires collaboration. As your technology partner, we give you the ability to administer user access rights for your staff, enable multi-factor authentication, and obtain security documentation for compliance assessments, and we work with you on integration security reviews when connecting to third-party systems via our API.

Dedicated. Expert. Always On.

Security at RMS isn't a part-time responsibility. It's a dedicated function. The RMS Office of Cybersecurity is dedicated to maintaining the confidentiality, integrity, and availability of our systems, and to ensuring we stay ahead of the evolving threat landscape.

For more information on security at RMS, you can visit our Trust Centre and Help Centre using the links below.
