Schedule 2 —
Technical and Organizational Security Measures

Hotelinking maintains a robust Information Security Management System (ISMS), aligned with SOC 2 and ISO/IEC 27001 frameworks. The following summarizes the key technical and organizational measures implemented to protect Customer Personal Data:

• Role-based access control (RBAC) enforced across all systems.
• Multi-factor authentication (MFA) required for all admin access.
• Least privilege principle applies: only authorized personnel can access data strictly necessary for their duties.
• Joiner-mover-leaver processes ensure timely onboarding and de-provisioning of access rights.
• Access reviews conducted every 180 days.

• In Transit: TLS 1.2+ encryption for all data exchanges between systems, users, and integrations.
• At Rest: AES-256 encryption applied to all stored data within AWS-managed services (RDS, S3, EBS).
• Key Management: AWS Key Management Service (KMS) is used to securely store and rotate encryption keys.

• Hosted on Amazon Web Services (AWS) EU regions (Ireland) with built-in DDoS protection and firewalls.
• Virtual Private Cloud (VPC) used to isolate systems.
• Intrusion Detection and Prevention Systems (IDPS) monitor inbound and outbound traffic.
• 24/7 monitoring and alerting via automated systems.
• Penetration testing conducted at least annually.

• Code reviews required for all production deployments.
• Static and dynamic code analysis integrated into CI/CD pipelines.
• Bug bounty program open to vetted ethical hackers.
• Content Security Policy (CSP) and XSS/CSRF protections enabled on all customer-facing interfaces.
• Secure software development lifecycle (SSDLC) followed by engineering teams.

• Documented Incident Management Procedure aligned with GDPR Article 33 & 34.
• Internal response team on call 24/7.
• Security Breaches reported to affected Customers without undue delay.
• Detailed root cause analysis (RCA) and corrective actions performed post-incident.
• Integrated log management and alerting through centralized SIEM (Security Information and Event Management) system.

• Business Continuity and DR Policy in place and tested at least annually.
• Daily backups with geographically redundant storage.
• Failover mechanisms between availability zones and disaster recovery regions.
• Data restoration time objective (RTO) and recovery point objective (RPO) aligned with criticality of service.

• Data hosted in AWS facilities that comply with ISO 27001, SOC 1/2/3, and PCI-DSS.
• Physical access controls at AWS sites include biometric scanners, CCTV, and 24/7 security staff.
• Hotelinking’s offices have secure access cards, visitor management, and workstation lock policies.

• All employees sign a Confidentiality Agreement upon hire.
• Security awareness training is mandatory during onboarding and renewed annually.
• Dedicated Security Officer and DPO oversee compliance and internal audits.
• Vendor risk assessments conducted before onboarding Sub-processors.
• Regular internal audits to validate security controls and compliance posture.

• Data collected is strictly limited to what is necessary for the Services.
• ID documents (Deskforce) auto-deleted within 48 hours of upload.
• Consent logs and opt-ins managed and time-stamped via the platform.
• Data retention policies enforced based on customer configuration and service type.