Features · Security and encryption

Federal-grade security: the standard the Technical Manual requires

Handling your guests’ identity demands protecting it to the highest standard. PUIhoteles encrypts everything with AES-256-GCM, SHA3-256 and TLS, authenticates every query with JWT, and works by targeted query — never mass monitoring.

Get started Create your demo

Why PUI demands such strict security

A person’s identity is among the most sensitive data there is. That is why the PUI Technical Manual (v1.0, published January 23, 2026) does not leave security to each hotel’s discretion: it sets a mandatory standard of encryption, authentication and transport that every connection must meet.

For a hotel, implementing that standard on its own is hard and risky: a single misconfiguration leaves your guests’ data exposed and your hotel out of compliance. PUIhoteles brings that standard built in, maintained and updated, so you do not have to be a security expert.

How that data is used matters just as much. PUI is not a system that watches all your guests: it works by targeted query, where the authority asks about a specific person reported missing. You keep control of your registry.

The security standard we meet

Exactly what the PUI Technical Manual requires.

AES-256-GCM encryption

Your guests’ data is stored with AES-256-GCM encryption, the PUI standard for data at rest.

Integrity with SHA3-256

SHA3-256 is used to ensure the information is not altered, per the Technical Manual.

TLS transport

Everything that travels between your hotel and the federal platform goes over TLS, encrypted end to end.

JWT authentication

Every query is authenticated and signed with JWT: only the authority accesses, and only what the law allows.

Targeted query, not surveillance

The PUI model keeps you in control.

The government asks about a person

The authority queries about someone reported missing, via CURP or name — not your whole base.

You keep your registry

PUI does not browse your guests. Your registry stays yours, with access restricted to your hotel.

Only what the law allows

Each access is bound to the legal purpose: finding people. No mass monitoring and no commercial use.

How a data point travels and is protected

From check-in to answering a query.

1. It is captured at the front deskThe guest’s identity enters the system and is encrypted immediately.
2. It is stored encryptedIt rests with AES-256-GCM and SHA3-256 integrity, with access restricted to your hotel.
3. It travels over TLSWhen there is a query, communication with the federal platform is encrypted end to end.
4. It is authenticated with JWTThe query is signed and verified; only the authority accesses, and only what is allowed.

Questions about security and encryption

What encryption does it use exactly?

AES-256-GCM for data at rest, SHA3-256 for integrity and TLS for transport, with JWT authentication on every query. It is the standard defined by the PUI Technical Manual.

Can PUI see all my guests?

No. It is a targeted query about people reported missing. The authority asks about a specific person via CURP or name; there is no mass monitoring of your guest base.

Who has access to the data?

Your hotel, with access you control, and the authority only to answer targeted queries authenticated with JWT. No one else.

Do you sell or share my guests’ data?

No. We never sell or share your hotel’s or guests’ data with third parties for commercial purposes. It is handled in line with the Federal Law on Protection of Personal Data and PUI regulations.

Do I have to configure the encryption myself?

No. The security standard comes included and maintained by PUIhoteles. You need not be a security expert or configure anything.

Put PUIhoteles to work for you

Get started