Risk & mitigation policy

Mitigation clauses

• ·All payments processed through a PCI-DSS compliant gateway (WiPay / Stripe) with 3-D Secure where supported.
• ·Host payouts released only after check-in plus the policy-defined hold period to allow dispute window to begin.
• ·Booking ledger, messaging history, ID verification, and check-in confirmation retained for at least 18 months as chargeback evidence.
• ·Stahus reserves the right to debit a host's future payouts to recover a confirmed chargeback caused by host non-performance.

Mitigation clauses

• ·Automated detection of phone numbers, emails, payment app handles, and bank details in messages with an in-app warning.
• ·Stahus Cover, refunds, and dispute support are void for any booking transacted off-platform.
• ·Repeat off-platform solicitation results in listing suspension and forfeiture of pending payouts.

Mitigation clauses

• ·Bookings priced and charged in the host's listing currency; FX shown to guest at checkout is final.
• ·Stahus absorbs intra-day FX movement up to 2%; movements beyond that are reconciled at the gateway's settlement rate.
• ·Daily settlement reports reconciled against gateway statements; variances investigated within 5 business days.

Mitigation clauses

• ·Risk-scoring at checkout (device fingerprint, velocity, BIN/country mismatch, disposable-email checks).
• ·Mandatory government-ID verification for new guests and any booking over $1,500.
• ·Manual review queue for high-risk bookings before host confirmation; host notified only after risk clearance.

Mitigation clauses

• ·Up to $1,000,000 Host Damage Protection per stay (see Reimbursement Policy).
• ·Mandatory guest ID and payment-method verification before first booking.
• ·Security deposit hold available for listings flagged high-value.
• ·Claim window of 14 days from checkout with photo, repair-quote, and timestamp evidence.

Mitigation clauses

• ·Up to $1,000,000 Host Liability Insurance per stay.
• ·Hosts must disclose pools, hot tubs, stairs, balconies, and waterfront access in the listing.
• ·Mandatory smoke detector, CO detector, and first-aid kit attestation during listing creation.
• ·Annual safety re-attestation required to keep a listing active.

Mitigation clauses

• ·Non-discrimination policy required at signup; violations result in permanent removal.
• ·In-app messaging scanned for slurs and abusive language with real-time warnings.
• ·Reports triaged by Trust & Safety within 24 hours; emergency reports within 1 hour.
• ·Affected guests rebooked at Stahus's expense up to the original booking value.

Mitigation clauses

• ·Booking agreement caps occupancy at the number selected at checkout; overages void coverage.
• ·Hosts may require guest acknowledgement of a no-party clause before key release.
• ·Stahus may cancel a stay without refund on credible evidence of an unauthorized event.
• ·Damage from unauthorized guests covered under Host Damage Protection.

Mitigation clauses

• ·Get-What-You-Booked guarantee: full refund or comparable rebooking within 72 hours.
• ·Periodic photo and amenity audits; repeated misrepresentation results in delisting.
• ·Hosts attest at publishing that photos are current and accurate within the last 12 months.

Mitigation clauses

• ·Cancellation penalty (10% of booking value, min $50) charged to host for cancellations within 30 days of check-in.
• ·Stahus rebooks the guest at a comparable home and covers any rate difference up to 20%.
• ·Repeat offenders (3+ within 12 months) face listing suspension and search-ranking penalties.

Mitigation clauses

• ·Major Disruptive Events policy: full refund to guest and waived cancellation fee to host when a Category-1+ storm or government evacuation order is issued.
• ·Real-time NOAA/CDEMA monitoring during hurricane season (Jun–Nov) with proactive guest notifications.
• ·24/7 emergency rebooking line with priority hotel placement.

Mitigation clauses

• ·Status-page monitoring with auto-failover for email (primary + secondary SMTP) and CDN.
• ·Booking requests queued and retried during gateway outages; guests notified within 5 minutes.
• ·RPO 1 hour / RTO 4 hours documented in the incident runbook.

Mitigation clauses

• ·Tiered SLAs: emergency 1 hour, urgent 4 hours, standard 24 hours.
• ·Seasonal surge staffing contracted ahead of Dec–Mar and Jul–Aug peaks.
• ·Self-service knowledge base and AI triage for tier-1 queries.

Mitigation clauses

• ·Hosts warrant they have all required permits, HOA/strata consents, and landlord permission.
• ·Stahus removes listings on receipt of a valid government takedown notice.
• ·Country-specific compliance pages link to local STR rules; updated quarterly.

Mitigation clauses

• ·Configurable tax collection per jurisdiction; remittance handled by Stahus where required by law.
• ·Year-end tax summary (Form 1099-K / equivalent) issued to hosts crossing reporting thresholds.
• ·Hosts remain responsible for declaring income; Stahus reports payouts to relevant authorities on request.

Mitigation clauses

• ·Data minimization: only fields needed for booking, payout, and safety are collected.
• ·All PII encrypted at rest (AES-256) and in transit (TLS 1.2+).
• ·Subject Access Requests fulfilled within 30 days via in-app data export.
• ·Sub-processors listed publicly with DPAs signed.

Mitigation clauses

• ·Host KYC (government ID + proof of bank ownership) before first payout above $1,000 cumulative.
• ·Sanctions screening (OFAC, UN, EU, UK) at signup and on each payout.
• ·Suspicious activity reports filed via the payment processor when thresholds are met.

Mitigation clauses

• ·Upload terms grant Stahus a license only to content the host warrants they own.
• ·DMCA-style takedown process with a designated agent; repeat infringers banned.

Mitigation clauses

• ·Password breach-list checks (HIBP) at signup and password change.
• ·Optional 2FA for guests; required 2FA for hosts before first payout.
• ·Anomalous-login alerts (new device/country) with one-tap session revocation.
• ·Bank-detail changes require email + 2FA confirmation and a 24-hour cool-off.

Mitigation clauses

• ·Row-Level Security enforced on every public table; service-role key restricted to server functions.
• ·Quarterly penetration tests and continuous dependency scanning.
• ·Incident response plan with 72-hour regulator notification commitment.
• ·Encrypted, geographically replicated backups with quarterly restore drills.

Mitigation clauses

• ·Per-IP and per-account rate limiting on search, booking, and message endpoints.
• ·Bot detection on signup and high-risk endpoints; CAPTCHA on anomalies.
• ·robots.txt + Terms prohibit unauthorized scraping; legal action reserved for severe cases.

Mitigation clauses

• ·Reviews only allowed from guests with a completed, paid stay.
• ·Two-way blind review window (14 days) — neither side sees the other's review until both submit or the window closes.
• ·Pattern detection flags reciprocal reviews and review-bombing; offending content removed.

Mitigation clauses

• ·Crisis-comms playbook with a 2-hour first-response SLA.
• ·Designated spokesperson; legal review of public statements.
• ·Post-incident review published within 30 days for material events.

Mitigation clauses

• ·No single host may exceed 5% of GMV in a given market without commercial review.
• ·Active supply-acquisition pipeline targeting independent and boutique operators.

Mitigation clauses

• ·Differentiate on curation, design quality, and Caribbean-native support rather than price.
• ·Optional paid host upgrades (pro photography, featured placement) diversify revenue.

Mitigation clauses

• ·Abstraction layers around payment, email, and storage to enable provider swaps within 30 days.
• ·Data portability: full database export available to operations team at any time.