Project Atrium implements a layered security model spanning authentication, authorisation, data protection, AI governance, and audit logging. The platform is hosted on Emergent Labs infrastructure (Kubernetes, MongoDB, object storage) with all customer data encrypted in transit (TLS 1.3) and at rest. The application layer adds enterprise-grade controls listed below — each designed to satisfy Hyatt's vendor-security policy without sacrificing usability.
Every authenticated request carries a signed JSON Web Token in the Authorization header. Tokens expire on a sliding window and are validated server-side on every API call.
User passwords are stored as bcrypt hashes (industry standard, salted, configurable work factor). Plaintext passwords are never logged or persisted.
Email changes require a 6-digit code delivered via Resend to the new address. Codes expire after 10 minutes; attempt limit triggers a lockout. All collections referencing the old email are updated in a single MongoDB transaction.
Administrators can override the verification flow for emergency account recovery (e.g. departed employee), with the action logged to email_change_log.
Highest Full admin powers PLUS exclusive ability to manage other engineers. Only an engineer can promote/demote another engineer; admins receive a 403 response.
Privileged Full administrative access to the CMS, users, and settings. Ownership and Top Leader roles are silenced from automated outbound communications by default.
Limited Edit access to assigned department(s) only. Subject to per-tile padlocks for non-assigned departments.
Read-only View-only access to assigned content. Cannot trigger any write or AI operation.
All browser-to-server traffic flows over HTTPS with TLS 1.3 at the Emergent Kubernetes ingress. No mixed-content paths exist in the codebase.
Customer data (users, areas, tasks, events, etc.) is stored encrypted at rest by the underlying database tier.
Uploaded photos, videos, CAD drawings, and PDFs are stored in Emergent's object storage layer, encrypted at rest. Persistent URLs survive container restarts and redeployments.
URLs in tile-link attachments reject javascript: and data: schemes server-side. User-submitted HTML is rendered with React's default escape rules (no dangerouslySetInnerHTML on user content).
All AI calls flow through a dedicated ai_governance.py module that enforces four independent controls before any prompt leaves the perimeter.
One administrator toggle disables every AI endpoint platform-wide. Returns HTTP 503 with a clean user-facing message. Use during legal review, incident response, or vendor onboarding.
Independently disable any of: chat, image generation, deep research, CapEx, training creator, avatar generation, photo enhancement, department assistants, transcription (Whisper), text-to-speech.
Regex-based server-side stripping of guest emails, phone numbers, room/suite/villa numbers, credit-card-shaped digit runs, and two-word capitalised names from prompts before they leave the backend. Defence-in-depth on top of provider DPAs. Live paste-test playground in admin.
Each user can register their own OpenAI / Anthropic / Gemini API keys via Profile → AI Credentials. Admins can enforce BYO-required globally — AI calls without a user-provided key are rejected (HTTP 412). Routes Hyatt's AI traffic under Hyatt's own enterprise contracts.
Each user can independently hide their email address and/or phone number from the public "People behind the rebuild" team card. Admins and engineers always see the real values.
Specific high-profile contacts (Pedro Pereira, Dwight Tabales, etc.) have their phone numbers and emails server-side scrubbed from non-privileged API responses. Cannot be unlocked from the frontend.
email_log)Every email sent through the platform (invitations, verification codes, task notifications, password rotations) is logged with timestamp, recipient, status, provider ID, and any error. Default retention: 1 year.
email_change_log)Every email change — self-service or admin force-change — appends an immutable row capturing actor, old email, new email, timestamp, and method.
The Admin → AI Settings page displays the last-changed timestamp and the administrator who made the change, on every load.
Each task in the project-management module carries a chronological activity log of status changes, assignee updates, comments, and attachments.
noreply@project-atrium.com, a Resend-verified domain with SPF and DKIM published in DNS.Emergent's Kubernetes ingress enforces per-IP request limits to mitigate brute-force and scraping attacks. [FILL: Specific rate-limit thresholds — to be confirmed with Emergent support.]
Bulk user-creation (Sync from Team), role changes, and content imports are idempotent — re-running never duplicates records or overwrites existing accounts.
AI endpoints return 503 when disabled and 412 when BYO is required but missing — semantically distinct from generic 4xx/5xx so the frontend can render clear messages instead of dumping raw stack traces.
Backend (Python/Ruff) and frontend (ESLint) checks run on every build; backend startup is gated by import validation. Reduces deploy-time risk of broken endpoints.
The following items depend on Emergent Labs' enterprise compliance package and will be filled in as documentation arrives: