Hotelinking Security Policy

Last Updated: 11 August 2025

At Hotelinking, S.L., we take the security of our systems, infrastructure, and customer data with the utmost seriousness. This Security Policy outlines the organizational and technical measures we implement across our platform—GuestMaker, WiFiBot, and Deskforce—to prevent unauthorized access, use, alteration, or disclosure of customer data. Our platform is hosted entirely in Amazon Web Services (AWS) EU regions (Ireland), benefiting from industry-leading infrastructure compliance.

This policy should be read alongside our Privacy Policy, Terms and Conditions, and Service Level Agreement.

2.1 Security Leadership

Hotelinking maintains an Information Security Management System (ISMS) in alignment with ISO 27001, managed by a designated Information Security Officer (ISO) who reports directly to the CEO. We maintain clear roles and responsibilities across engineering, infrastructure, product, and compliance teams.

Hotelinking is committed to ensuring:

• Confidentiality: Only authorized individuals access data.
• Integrity: Data remains accurate and unaltered.
• Availability: Services remain resilient and accessible to customers.

4.1 Cloud Environment

All Hotelinking services operate exclusively in Amazon Web Services (AWS) EU regions (Ireland). Our infrastructure benefits from the redundancy, scalability, and compliance certifications of AWS including SOC 2, ISO 27001/27018, and GDPR.

4.2 Network Security

• Hotelinking operates within isolated Virtual Private Clouds (VPCs).
• All external-facing services are protected by TLS 1.2 or higher.
• Internal-only services are accessible via VPN with role-based access.
• AWS GuardDuty, CloudTrail, and JOOPbox are used for real-time threat detection, auditing, and monitoring.

5.1 Data Encryption

• In transit: TLS (HTTPS) is enforced for all communications.
• At rest: All data is encrypted using AES-256, with KMS-managed keys and automatic key rotation.

5.2 Access Control

• Role-based access following the Principle of Least Privilege.
• Strong password policies and MFA are enforced across systems.
• All privileged access requires explicit approval and logging.

• Continuous deployment pipelines with automated testing and peer-reviewed code.
• Frequent vulnerability scanning and periodic third-party penetration testing.
• Security updates and patches are deployed in priority order under tracked SLAs.

• Audit logs are captured for all application and infrastructure-level events.
• Logs are retained in AWS S3/Glacier with tamper-resistant controls.
• Anomalies are automatically escalated to the engineering and security teams.

• Daily encrypted backups for all production data (RDS, S3).
• Backups are retained for 30 days, with full monthly snapshots stored for 12 months.
• Regular disaster recovery testing is performed to validate RTO/RPO metrics.

We follow a formal Incident Management Procedure:

• Security events are triaged by severity (low → critical).
• Critical events trigger immediate escalation to ISO and Engineering.
• Affected Customers are notified promptly in case of breach, following GDPR Article 33/34 timelines.
• Post-incident reviews are conducted with action plans and root cause analysis.

In the event of a confirmed personal data breach, Hotelinking will:

• Notify the Customer without undue delay.
• Provide breach details: nature, scope, consequences, and mitigation.
• Assist in regulatory reporting (e.g., AEPD) within 72 hours where required.

• All code is version-controlled via Git.
• Changes are peer-reviewed through Pull Requests and tracked in a ticketing system.
• Developers follow secure coding practices and undergo security awareness training annually.

Hotelinking engages select subprocessors (e.g., AWS, payment processors, ID verification services). All subprocessors:

• Must commit to data protection obligations aligned with GDPR.
• Are assessed periodically for compliance and security practices.
• Are disclosed to Customers via our Subprocessor List.

To ensure mutual security, Customers are expected to:

• Use strong credentials and enable 2FA on all accounts.
• Limit access to authorized users.
• Inform Hotelinking of suspected unauthorized access.
• Not conduct penetration tests on Hotelinking systems without prior written approval.

This Security Policy is reviewed at least annually, or upon:

• Introduction of new products or features.
• Major infrastructure changes.
• Regulatory updates.
• Security incidents or audits.

Changes are published at Hotelinking Legal Page and Customers are notified via email at least 30 days in advance when changes are material.

If you have questions or require further security-related details, please contact:

Information Security Officer:

Hotelinking, S.L.
Parc Bit – Edificio Disset, 3rd floor, D9
Palma de Mallorca, Illes Balears, España
Email: security@hotelinking.com