Atollux

For IT, InfoSec & Compliance

Trust & security, designed in from the start.

A short technical brief for the teams that will sign off on Atollux at your resort. No personal data, no resort-specific servers, no GDPR overhead by design. Everything a security review usually asks for is summarised below — and our security questionnaire pack is ready on request.

Four design principles

What Atollux is and isn’t.

No accounts

The app has no log-in.

Guests scan a QR code and the app is ready. There is no email collection, no password, no profile, no link to a back-end identity store.

No PII at rest

Personal data never leaves the device.

The app does not collect names, contact details, room numbers or activity histories into any database we control. Anything personal stays on the guest’s phone.

No analytics fingerprinting

No SDKs that profile your guests.

No Facebook, Google or third-party tracking pixels. Aggregate usage counts are anonymous and opt-in per resort — never linked to individual stays.

No cloud lock-in

Content delivery via CDN.

Maps, menus and POI content are bundled into the app build and refreshed via standard mobile OS update channels. There is no resort-specific server to be breached.

Architecture in one diagram

Three pieces, no middleman storing your guests.

The guest device runs the app. The app talks to a content CDN for build-time assets and, optionally, to your PMS for booking and folio posting. There is no Atollux-controlled database holding guest profiles.

  • Guest device (iOS / Android): App, map data, content — all on-device. Link: TLS 1.3.
  • Content CDN (static delivery): Maps, menus, POI data. Anonymous fetches only. Link: TLS 1.3.
  • Your PMS (Opera · Protel · IDS): Bookings & folio posting. Your existing tenant. Link: TLS 1.3 + OAuth.

Not in the diagram: no Atollux user database, no guest profile store, no marketing data lake, no analytics broker.

PMS integration security

Read-only by default. Write access by deliberate choice.

Connection

TLS 1.3 to certified PMS endpoints (Opera OPI, Protel I/O, IDS).

Access model

Read-only by default. Write access (folio posting) opt-in per outlet.

Credentials

OAuth or vendor-certified flows. No shared passwords or static API keys exposed to the app.

Auditability

Every PMS transaction logged with timestamp, outlet, amount and folio reference.

For your IT review

Ready for the questionnaire on day one.

Enterprise vendor onboarding is a process. We arrive with the documents already prepared, so the conversation between your IT and ours stays focused on specifics — not paperwork.

  • Security questionnaire on request (SIG, CAIQ, custom)
  • Penetration testing on request (quoted separately)
  • SOC 2 readiness statement on request
  • Vendor onboarding package pre-prepared
  • Named technical point of contact for your IT lead
  • Source-code review under NDA, if required

Security questionnaire

Send our pack to your IT lead?

A single email with the SIG response, architecture brief, data-flow diagram and named contact, delivered same day.