Security

The administrative, technical, and physical controls Barnhill Revenue Services maintains to protect the confidentiality, integrity, and availability of customer information.

Last updated: June 15, 2026

Introduction

Barnhill Revenue Services, LLC provides hotel revenue management services to hotels, owners, asset managers, and management companies. We take the protection of customer data seriously. This Security overview describes the administrative, technical, and physical controls we maintain to protect the confidentiality, integrity, and availability of customer information.

This page is provided for informational purposes and does not modify or supersede the security commitments contained in our engagement letters.

Governance

Information security at Barnhill Revenue Services is owned by the firm’s leadership. Security policies, controls, and incident-response procedures are reviewed at least annually. Every employee and contractor is required to follow our written information-security policy and to complete security and privacy awareness training upon onboarding.

Data classification

We classify the information we handle into four broad categories: Customer Confidential (customer hotel data shared with us — PMS exports, STR reports, financials, channel data), Personal Data (information that identifies an individual), Internal (firm business information), and Public (marketing content). The controls described below apply to Customer Confidential and Personal Data unless otherwise stated.

Encryption

  • In transit: all traffic between your browser and barnhillrm.org is encrypted using TLS 1.2 or higher with modern cipher suites.
  • At rest: the cloud-hosted services we use to store customer data — including email, file storage, and CRM — encrypt data at rest using industry-standard AES-256 or equivalent.
  • Key management: encryption keys are managed by our cloud providers’ key-management services with restricted, audited access.

Access control

  • Access to customer data is limited to authorized Barnhill Revenue Services personnel with a legitimate business need for the active engagement.
  • We follow the principle of least privilege and review access on a recurring cadence.
  • Single sign-on (SSO) and multi-factor authentication (MFA) are required for the cloud services we use to store, process, or transmit customer data.
  • Where we share workspaces with a customer (for example, a shared cloud folder or board), access is provisioned by named individuals and removed at the end of the engagement.

Application and infrastructure security

  • The website and the cloud services supporting our operations are hosted on reputable U.S. cloud infrastructure with strong, independently audited physical and network security controls.
  • Production and development environments are segregated where applicable.
  • We use modern, peer-reviewed frameworks and apply secure-by-default configurations.
  • Dependencies are monitored for known vulnerabilities and patched on a defined cadence based on severity.
  • Code changes to our public website pass through review and automated checks before being deployed.

Monitoring and logging

We maintain centralized logging for the cloud services we use, including application logs, infrastructure logs, and security-relevant events. Logs are retained for a period appropriate to operational and forensic needs, and access to logs is restricted to authorized personnel.

Vendor and sub-processor management

We use a limited set of sub-processors to host, secure, and support our operations. New sub-processors are subject to security and privacy review before onboarding, and existing sub-processors are reviewed periodically. We require written confidentiality and data-protection commitments from each sub-processor.

Incident response

We maintain a written incident-response plan that defines detection, triage, containment, eradication, recovery, and post-incident review. If we determine that a security incident has resulted in unauthorized access to a customer’s data, we will notify the affected customer without undue delay and in accordance with the customer’s engagement letter and applicable law.

Business continuity

Customer engagement data is stored in cloud services with built-in redundancy and backup. We periodically test our ability to recover working files. Our infrastructure choices are designed to support high availability across multiple availability zones.

Customer-side responsibilities

Strong security is a shared responsibility. Customers are responsible for:

  • configuring shared workspaces and user access appropriately on their side;
  • protecting and rotating credentials for systems they share with us;
  • promptly notifying us when individuals who had visibility into the engagement change roles or leave the organization;
  • configuring integrations and exports in line with their own data-handling obligations;
  • reporting suspected security issues to us at [email protected].

Reporting a vulnerability

If you believe you have discovered a security vulnerability in the Barnhill Revenue Services website, please report it to [email protected] with sufficient detail to reproduce the issue. We ask that you act in good faith, do not access or modify data that does not belong to you, and give us a reasonable opportunity to investigate and remediate before any public disclosure. We appreciate the work of the security research community.

Continuous improvement

Security is not a one-time project. We continuously review our controls, monitor industry threats, and improve as the firm grows. This page will be updated to reflect material changes in our practices.

Contact

For security questions, email [email protected]. For general questions about Barnhill Revenue Services, email [email protected].