What does i-Reserve do about the security and privacy of (personal) data?

Why do you need to protect customer data?

As an entrepreneur you know that the protection of customer data is essential. Hackers and cybercriminals are always looking for new ways to steal information. That's why it's important to take steps to keep your customer data safe. Within our online reservation system, your customers' customer data is also protected according to GDPR legislation.

GDPR as a replacement for Wbp

Since May 25, 2018, the GDPR has replaced the Personal Data Protection Act (Wbp). The General Data Protection Regulation (GDPR) is a privacy law that applies throughout the EU. And although the GDPR is new, it is based on the basic principles of the Wbp legislation. The purpose of the GDPR is to protect the privacy regulations and personal data of EU citizens and it applies to any company that collects personal data of EU citizens. Read everything about the GDPR legislation here.

The security and privacy of (personal) data in the i-Reserve reservation system

See how the security and privacy of (personal) data is guaranteed in our reservation system.

Secure connection

As a service, we supply our reservation system with an SSL certificate as standard (privacy by default). SSL (or actually TLS) is recognizable by https:// before the URL. This is a technique with which the connection between the visitor of a website and the server where the website is housed is secured with very strong encryption. With an SSL connection we ensure that the information sent to and from the booking dialogue cannot be 'read' or 'adjusted' unintentionally by third parties.

Encryption of information

In addition to encrypting data traffic on the internet via SSL (we also call this data in transit), the -Reserve reservation system also offers the option of applying encryption to physical data (also called data at rest).

Passwords are stored encrypted within i-Reserve . In case of a forgotten password, a password will never be sent, but only a link to reset your password yourself.

Firewall

When using a firewall, we only allow public IP addresses to connect to the ports that are necessary. We use a whitelist for ports and functions that are critical from a security point of view. Only IP addresses on that list have access to the reservation system.

Web Application Firewall (WAF)

A Web Application Firewall is an application that views and monitors incoming and outgoing traffic. All traffic that is deviant or goes against the rules of the firewall is blocked. In the case of more serious 'violations' such as an attempt at repeated MySQL injection, this IP address will immediately be placed on the blacklist so that this sender can no longer connect to the reservation system.

IP Whitelisting

It is possible to completely shield an i-Reserve reservation environment from the outside world. This can be done by using IP whitelisting. This completely blocks the domain on which the reservation system is located and the domain can only be accessed from specific IP addresses. This is used, for example, by customers who want to use i-Reserve as an internal application.

Prepared statements

SQL injection is used for a type of computer application vulnerability. Applications that store information in a database often use SQL to communicate with the database. SQL injection can happen if user input is processed in an SQL statement in an insufficiently controlled manner.

Within the i-Reserve reservation system we use prepared statements. This is a mechanism that ensures that unwanted code cannot be processed in the SQL queries executed by the application.

Slowdown mechanism

Brute force attacks mean that malicious parties attempt to automatically log in to the reservation system with a list of passwords and usernames until a correct combination is found.

To repel brute force attacks, we use a slowdown mechanism. The first time there is an incorrect combination of username and password, you must wait two seconds before a new combination can be tried. The second time four seconds, the third time sixteen seconds. This is a way to make the use of brute forcing useless.

Lockdown mechanism

If an intruder has gained access and tries to give himself more rights, this is made impossible and locked out.

Hosting and storage of data

All our data is stored in the Netherlands. The i-Reserve reservation application and the associated database run on a dedicated server. This means that the server is set up for the i-Reserve reservation system and is only used by customers of Teqa Webdiensten. The data can only be accessed from the application, no other sources are allowed to connect to the database.

Databases

i-Reserve does not use shared databases. Each customer has its own database with unique login details. This minimizes the risk in the event of a leak.

Daily backups

To ensure that data is not simply lost, we use daily automated backups. These backups of the reservation system are done every day and include both the database and the file system. The backups are stored on a separate server and kept for 30 days.

Daily scans

We perform an automated scan of the system every day with McAfee Secure, which tests the security of our servers. We also perform a daily scan for malware and viruses and have proactive control over this.

Segregation of duties

Segregation of duties (or job splitting) is the concept of spreading a certain responsibility among more than one person. For example, programmers and developers do not have access to customer databases. Only those people who need access to production systems and databases for their work have that access.

Automatically anonymize personal data

In order to comply with the legislation regarding the processing of personal data according to GDPR, it is possible for relevant personal data to be anonymized automatically in our reservation system. This means that personal data is not kept longer than necessary or must be anonymized. This falls under 'the right to be forgotten'.

This functionality is not enabled by default and will have to be set (privacy by design) by the administrator.

Open Web Application Security Project

The i-Reserve reservation system complies with the commonly used OWASP top 10. During the development of the application, the most recent topics in the OWASP top 10 are taken into account. Furthermore, it is periodically and regularly checked - through various test phases - whether the application permanently meets these requirements.

How can you guarantee the security of your customer data?

Of course, you are also responsible for the security and privacy of your customer's data. Using simple passwords, sharing user accounts and 'forgetting' to log out are examples that we see frequently in practice. We therefore offer the option to make passwords mandatory with a minimum number of characters, numbers, capital letters and special characters. The mandatory change of the user password every x number of days is also a possibility that we have built into the i-Reserve reservation system.

Naturally, it is up to you as an organization to ensure that a user has been created for everyone (this does not entail additional costs) and that the rights based on user groups are set correctly. By shortening the length of a logged in session, it is possible to tackle 'forgetting' to log out.

In short, sufficient opportunities to take responsibility and prevent misuse of (personal) data.

Curious about our reservation system?

Would you like to discover what else i-Reserve Or would you like more information about securing customer data? Please contact us.