Security & Trust

Hospitality, travel and experiences operators trust Markoni with Guest conversations, booking workflows, operational data, staff visibility and connected property systems. Security is therefore a core product requirement.

Markoni is built by DeepNav Experiences Private Limited, operating under the brand GydeXP.

This page explains our current security posture, architecture principles and compliance roadmap. We are intentionally transparent: Markoni is an early-stage product, and we do not claim security certifications that we do not yet have.

1. Current security posture

Markoni is designed with security-conscious architecture and SOC 2-aligned operating practices.

Current status:

• SOC 2 readiness work is in progress.
• Formal compliance work is being initiated through Sprinto.
• Security controls are being implemented across access management, infrastructure, data protection, vendors, incident response and secure development.
• We do not currently claim SOC 2 Type II certification unless a valid report is expressly made available.
• We do not currently claim ISO 27001 certification unless a valid certificate is expressly made available.
• We do not currently claim PCI-DSS certification, HIPAA compliance or any other external certification unless explicitly stated on this page.
• We do not use phrases such as 100% secure, zero risk, military-grade security or certified compliant unless supported by formal evidence.

When certifications, attestations or formal audit reports are available, this page will be updated.

For security questionnaires, contact contact@gydexp.com.

2. Security philosophy

Markoni is built around the following security principles.

2.1 Least privilege

Users, employees, vendors, systems and integrations should only receive the minimum access necessary to perform their role.

2.2 Human accountability

AI can assist with Guest workflows, but sensitive, uncertain or high-impact actions should escalate to human staff according to configuration.

2.3 Grounded AI behavior

AI should answer using approved property data, tools and knowledge sources. It should avoid inventing rates, availability, policies or commitments.

2.4 Auditability

Important actions should be logged and reviewable wherever technically feasible.

2.5 Secure by default

Security controls should be built into product workflows, not added as an afterthought.

2.6 No false trust claims

We will not claim certifications or compliance statuses before they are actually achieved.

3. What data Markoni may process

Depending on deployment, Markoni may process:

• Guest names.
• Guest phone numbers.
• Guest emails.
• WhatsApp conversations.
• Voice transcripts.
• Call metadata.
• Email content.
• Booking details.
• Stay dates.
• Travel dates.
• Experience or activity dates.
• Room, unit, package, guide, transport or activity preferences.
• Guest requests.
• Payment link status.
• Property policies.
• Property SOPs.
• Room, rate, unit, package, activity or inventory information.
• Staff names and roles.
• Staff task assignments.
• PMS, booking system, CRM or property workflow data.
• Audit logs and system events.

We aim to minimize access to only what is required for the configured workflow.

4. Access control

Markoni is designed to support:

• Authenticated dashboard access.
• Role-based access controls.
• Separation between owner, manager, staff and internal access.
• Session controls.
• Token-based authentication.
• Scoped service access.
• Restricted administrative access.
• Reviewable access events where available.

Customers are responsible for managing access for their own staff, including removing access when staff leave or roles change.

5. Internal access management

Internal access to production systems should be limited to authorized team members who need access for development, support, deployment, incident response, customer success, compliance or operations.

Our intended internal access practices include:

• Least-privilege access.
• Named accounts where possible.
• Removal of access when no longer required.
• Restricted access to secrets and production credentials.
• Separation between development and production environments where feasible.
• Review of sensitive access as compliance maturity increases.

6. Data encryption

Markoni is designed to use:

• HTTPS/TLS for data in transit.
• Encryption at rest where supported by database, storage and infrastructure providers.
• Secure handling of API keys and credentials.
• Environment-based secret management.
• Restricted access to sensitive configuration values.
• Additional protection for sensitive fields where technically implemented.

No full payment card numbers are intended to be stored by Markoni. Payment processing is handled by third-party payment providers, including Razorpay where applicable.

7. Application security

Markoni's application security practices are intended to include:

• Secure authentication flows.
• Input validation.
• Rate limiting.
• API authorization.
• Webhook validation where applicable.
• Error handling.
• Logging of security-relevant events.
• Protection against unauthorized API access.
• Tenant-aware design where applicable.
• Review of critical workflows before production release.

As the product matures, we intend to strengthen secure SDLC, code review, vulnerability scanning, dependency review, environment hardening and security testing.

8. API and webhook security

Where applicable, Markoni is designed to use:

• API authentication.
• Scoped API keys.
• Customer or tenant-specific identifiers.
• Webhook signature validation.
• Rejection of unauthorized webhook attempts.
• Rate limiting.
• Abuse prevention.
• Request logging.
• Monitoring for abnormal activity.

Customers should not share API keys, tokens or credentials with unauthorized parties.

9. AI safety controls

Because Markoni operates in Guest-facing environments, AI safety is a security and trust issue.

Our intended controls include:

• Property-specific knowledge bases.
• Configured SOPs and policies.
• Real-time tool checks for availability, rates, bookings and payment status where integrated.
• Confidence thresholds.
• Human escalation.
• Conversation history.
• Staff-visible logs.
• Fallback flows.
• Avoiding unsupported answers.
• Avoiding invented prices, policies or availability.
• Clear handoff when AI cannot answer reliably.

Markoni should not be deployed for high-risk use cases without appropriate human review and Customer-side controls.

10. Human escalation

Markoni is designed to escalate when:

• The Guest requests a human.
• The AI is uncertain.
• The request is outside configured policy.
• The request involves a complaint, dispute or exception.
• The request requires manager approval.
• The request involves high-value bookings or group inquiries.
• A connected system fails.
• Payment, availability or booking data cannot be verified.
• The Customer has configured escalation rules for that workflow.

Escalations may be routed through dashboard, WhatsApp, email, staff task systems or other configured channels.

11. Audit logs and visibility

Markoni is designed to support auditability for important events, such as:

• User logins.
• Configuration changes.
• Conversation events.
• AI responses.
• Human handoffs.
• Booking actions.
• Payment link status changes.
• Staff task creation.
• Staff task updates.
• Integration errors.
• Failed authorization attempts.
• Security-relevant system events.

Logging depth may vary depending on product stage, plan, integration and deployment configuration.

12. Vendor and subprocessor management

Markoni may rely on third-party vendors for:

• Cloud hosting.
• Databases.
• File storage.
• Voice infrastructure.
• WhatsApp or messaging infrastructure.
• Email delivery.
• AI models.
• Speech-to-text.
• Text-to-speech.
• Payment processing, including Razorpay.
• Analytics.
• Error monitoring.
• Security tooling.
• Compliance tooling.
• Customer support tooling.

Our vendor management process is being formalized as part of compliance readiness.

We intend to review vendors based on:

• Security posture.
• Data handling practices.
• Reliability.
• Compliance readiness.
• Business necessity.
• Access to Customer, Guest or staff data.
• Ability to support contractual requirements.

A formal subprocessor list will be published as our enterprise compliance program matures.

13. Infrastructure security

Markoni's infrastructure may include cloud hosting, managed databases, storage, serverless services, queues, APIs and third-party communication providers.

Our intended infrastructure controls include:

• Restricted administrative access.
• Environment-based separation where feasible.
• Secure secret handling.
• Backup and recovery processes.
• Monitoring and logging.
• Deployment controls.
• Least-privilege service access.
• Vendor security review.
• Periodic review as compliance maturity increases.

14. Payment security

Markoni may generate or send payment links through third-party payment providers, including Razorpay.

We do not intend to store full card numbers or sensitive card authentication data on Markoni systems.

Payment providers are responsible for processing card or payment credentials according to their own security and compliance standards.

Customers remain responsible for Customer-side payment policies, refunds, cancellations, disputes, taxes and Guest-facing payment terms unless agreed otherwise.

15. Data retention and deletion

Retention depends on the Customer agreement, deployment configuration, legal requirements and operational needs.

Indicative retention categories include:

• Guest conversations.
• Voice transcripts.
• Booking-related events.
• Payment link status.
• Staff task records.
• Audit logs.
• Security logs.
• Support tickets.
• Billing records.

Customers may request deletion or export according to contractual terms and applicable law.

Some data may be retained where necessary for security, legal, tax, audit, dispute resolution or compliance purposes.

16. Incident response

If we identify a security incident, our intended response process includes:

1. 1. Detect and triage the issue.
2. 2. Contain affected systems where required.
3. 3. Investigate scope and impact.
4. 4. Preserve relevant logs and evidence.
5. 5. Remediate the issue.
6. 6. Notify affected Customers where legally or contractually required.
7. 7. Document findings.
8. 8. Improve controls based on lessons learned.

Notification timing may depend on applicable law, contractual obligations, incident severity and investigation requirements.

17. Business continuity and resilience

Our resilience practices are being built as the product matures. They may include:

• Cloud-based infrastructure.
• Managed database services.
• Backups where supported.
• Monitoring of critical systems.
• Error tracking.
• Incident response process.
• Vendor redundancy where commercially and technically feasible.
• Fallback flows for AI or provider failures.

Specific uptime commitments, support commitments or service credits apply only if agreed in a signed contract.

18. Customer responsibilities

Security is shared between Markoni and the Customer.

Customers are responsible for:

• Maintaining accurate user access.
• Removing access for former employees.
• Keeping passwords and credentials secure.
• Securing their PMS, booking system, email, WhatsApp, telephony, payment, CRM and operations systems.
• Reviewing AI configuration.
• Monitoring escalations.
• Ensuring Guest-facing workflows comply with law.
• Reviewing outputs before enabling high-impact automation.
• Reporting suspicious activity.

19. Responsible disclosure

If you believe you have found a vulnerability, report it responsibly.

Email: contact@gydexp.com

Please include:

• Description of the issue.
• Steps to reproduce.
• Affected URL, endpoint or workflow.
• Potential impact.
• Screenshots or logs if safe to share.
• Your contact details.

Please do not:

• Access data that does not belong to you.
• Modify or delete data.
• Exfiltrate data.
• Perform denial-of-service testing.
• Conduct social engineering.
• Send spam.
• Publicly disclose the issue before we have had a reasonable opportunity to investigate.

We do not currently operate a paid bug bounty program unless explicitly announced.

20. Compliance roadmap

Our near-term compliance roadmap includes:

• Formal information security policy.
• Access control policy.
• Incident response policy.
• Vendor management process.
• Data retention process.
• Secure development practices.
• Internal access review.
• Asset inventory.
• Risk register.
• Security awareness practices.
• Logging and monitoring improvements.
• Backup and recovery documentation.
• Privacy and data request workflows.
• SOC 2 readiness through Sprinto.

We will update this page as our program matures.

21. Security contact

For security questionnaires, vendor reviews, responsible disclosure, compliance questions or suspected vulnerabilities, contact us at:

DeepNav Experiences Private Limited

Product: Markoni by GydeXP

Email: contact@gydexp.com

Address: Site 128 Kno 340/302/128, 2nd Floor, Tharabanahalli, Bettahalsur, Bangalore North, Karnataka, 562157

Please include enough detail for us to investigate the issue, including affected URLs, endpoints, workflows, screenshots, logs and steps to reproduce where safe to share.