Hilton Premium Club Japan

Bringing Hilton’s loyalty program onto a secure AWS platform

Highlights:

99.9% SLA availability

30 min response time

24/7/365 coverage

The client

Hilton Hotels is a global hospitality brand, using digital experiences to keep guests engaged before, during and after their stay. Hilton Premium Club Japan (HPCJ) is its paid loyalty program for Japanese consumers, running on a dedicated platform at hpcj.jp and operating separately from Hilton Honors.

HPCJ serves thousands of members and covers properties mainly in Japan, with some in Korea, so availability and data protection are critical to the program’s reputation.

The challenge

HPCJ was hosted on AWS by an incumbent vendor that was not ISO 27001 certified and was unwilling to pursue certification. For a fee-based loyalty program handling member data, this posed a clear security and compliance risk.

Hilton also faced a hard deadline: the platform needed to be fully compliant by 31 December 2025. That meant migrating off the previous provider and into a new, secure AWS environment in the Tokyo region, without impacting members. At the same time, Hilton needed 24/7 cover, clear SLAs and predictable costs, without building its own cloud operations team.

The solution

Just After Midnight (JAM) was selected as cloud and support partner for HPCJ based on its security-first approach and ISO 27001 certification. ISO 27001 is the globally recognised standard for information security management, and JAM’s certification confirms that its security management system is independently audited and aligned with international best practice, from access control and data handling through to risk management and day-to-day operations.

JAM delivered a clean-slate migration over roughly two months. The team provisioned a brand-new AWS account and VPC in the Tokyo region with a hardened security baseline, including IAM policies, password rules and services such as Security Hub, GuardDuty, cost optimisation and budget alerts.

Using Terraform, JAM built out public and private subnets, NAT gateways and a bastion host, then deployed the serverless stack powering HPCJ: Lambda across DEV, UAT and PROD, Aurora Serverless v2, DynamoDB and S3, fronted by CloudFront and API Gateway.

Security and access were redesigned to meet Hilton’s requirements. JAM implemented an SSO user access portal, least-privilege roles for all stakeholders and tightly controlled access sharing. CI/CD pipelines were reconfigured and tested for each environment, configurations were updated to point at the new account, and DNS was cut over in a managed window so members could continue using HPCJ without interruption.

Post-go-live, JAM provides 24/7/365 infrastructure support with continuous monitoring, structured incident management, regular patching, runbooks, a maintenance manual and monthly reports on performance, incidents and recommended improvements.

Results

HPCJ has moved from a non-compliant vendor to a secure AWS environment managed by an ISO 27001-certified partner, giving Hilton a strong story on security and compliance ahead of the 31 December 2025 deadline.

The new platform gives Hilton clear security boundaries, a modern serverless architecture and confidence that its loyalty members’ data is handled under an audited, globally recognised standard.

Under the new model, Hilton benefits from a 99.95% availability SLA for the HPCJ production environment, backed by 24/7/365 cover and tight incident SLAs: 30-minute response and 4-hour target resolution for Priority 1 issues, and 8-hour targets for Priority 2.

With JAM owning the secure AWS foundation, Hilton can concentrate on growing the HPCJ program, knowing the underlying platform is compliant, resilient and professionally managed around the clock.