Schedule 2 — Technical and Organizational Security Measures
Annex II: Security Controls Overview
Hotelinking maintains a robust Information Security Management System (ISMS), aligned with SOC 2 and ISO/IEC 27001 frameworks. The following summarizes the key technical and organizational measures implemented to protect Customer Personal Data:
1. Access Control
- Role-based access control (RBAC) enforced across all systems.
- Multi-factor authentication (MFA) required for all admin access.
- Least privilege principle applies: only authorized personnel can access data strictly necessary for their duties.
- Joiner-mover-leaver processes ensure timely onboarding and de-provisioning of access rights.
- Access reviews conducted every 180 days.
2. Data Encryption
- In Transit: TLS 1.2+ encryption for all data exchanges between systems, users, and integrations.
- At Rest: AES-256 encryption applied to all stored data within AWS-managed services (RDS, S3, EBS).
- Key Management: AWS Key Management Service (KMS) is used to securely store and rotate encryption keys.
3. Network and Infrastructure Security
- Hosted on Amazon Web Services (AWS) EU regions (Ireland) with built-in DDoS protection and firewalls.
- Virtual Private Cloud (VPC) used to isolate systems.
- Intrusion Detection and Prevention Systems (IDPS) monitor inbound and outbound traffic.
- 24/7 monitoring and alerting via automated systems.
- Penetration testing conducted at least annually.
4. Application Security
- Code reviews required for all production deployments.
- Static and dynamic code analysis integrated into CI/CD pipelines.
- Bug bounty program open to vetted ethical hackers.
- Content Security Policy (CSP) and XSS/CSRF protections enabled on all customer-facing interfaces.
- Secure software development lifecycle (SSDLC) followed by engineering teams.
5. Incident Response and Breach Notification
- Documented Incident Management Procedure aligned with GDPR Articles 33 and 34.
- Internal response team on call 24/7.
- Security Breaches reported to affected Customers without undue delay.
- Detailed root cause analysis (RCA) and corrective actions performed post-incident.
- Integrated log management and alerting through centralized SIEM (Security Information and Event Management) system.
6. Business Continuity and Disaster Recovery
- Business Continuity and DR Policy in place and tested at least annually.
- Daily backups with geographically redundant storage.
- Failover mechanisms between availability zones and disaster recovery regions.
- Recovery time objective (RTO) and recovery point objective (RPO) aligned with the criticality of the service.
7. Physical Security
- Data hosted in AWS facilities that comply with ISO 27001, SOC 1/2/3, and PCI-DSS.
- Physical access controls at AWS sites include biometric scanners, CCTV, and 24/7 security staff.
- Hotelinking’s offices have secure access cards, visitor management, and workstation lock policies.
8. Organizational and Administrative Measures
- All employees sign a Confidentiality Agreement upon hire.
- Security awareness training is mandatory during onboarding and renewed annually.
- Dedicated Security Officer and DPO oversee compliance and internal audits.
- Vendor risk assessments conducted before onboarding Sub-processors.
- Regular internal audits to validate security controls and compliance posture.
9. Data Minimization and Retention Controls
- Data collected is strictly limited to what is necessary for the Services.
- ID documents (Deskforce) auto-deleted within 48 hours of upload.
- Consent logs and opt-ins managed and time-stamped via the platform.
- Data retention policies enforced based on customer configuration and service type.