Properly securing (personal) data is becoming increasingly important. It's crucial that our customers can trust that their personal data is adequately protected. To prevent data breaches, we adhere to GDPR guidelines to ensure the (personal) data in i-Reserve is sufficiently secured.

Why should you protect customer data?

As a business owner, you know that protecting customer data is essential. Hackers and cybercriminals are always looking for new ways to steal information. That's why it's important to take steps to keep your customer data safe. Within our online booking system, your customers' data is also protected in accordance with GDPR regulations.

GDPR as a replacement for Wbp

Since May 25, 2018, the GDPR has replaced the Dutch Personal Data Protection Act (Wbp). The General Data Protection Regulation (GDPR) is a privacy law that applies throughout the EU. Although the GDPR is new, it builds on the fundamental principles of the Wbp. The GDPR aims to protect the privacy and personal data of EU citizens, and it applies to any company that collects personal data of EU citizens. Read all about the GDPR legislation here.

The security and privacy of (personal) data in the i-Reserve reservation system

See how the security and privacy of (personal) data is guaranteed in our reservation system.

Secure connection

As a service, we provide our reservation system with an SSL certificate as standard (privacy by default). SSL (or, more accurately, TLS) is recognizable by the https:// prefix in the URL. This technology encrypts the connection between a website visitor's browser and the server hosting the website. With an SSL connection, we ensure that information sent to and from the booking dialog cannot be read or modified by third parties.

Encryption of information

In addition to encrypting data traffic on the internet via SSL (also called data in transit), the i-Reserve reservation system also offers the option of applying encryption to stored data (also called data at rest).

Passwords are stored encrypted within i-Reserve. In addition, we will never send a password if you forget it, but only a link to reset your password yourself.

Firewall

When deploying a firewall, we only allow public IP addresses to connect to the necessary ports. For security-critical ports and functions, we use a whitelist. Only IP addresses on this list have access to the reservation system.

Web Application Firewall (WAF)

A Web Application Firewall is an application that monitors incoming and outgoing traffic. Any traffic that deviates from the expected pattern or violates the firewall's rules is blocked. For more serious violations, such as repeated SQL injection attempts against the MySQL database, the IP address is immediately blacklisted, preventing the sender from connecting to the reservation system.

IP Whitelisting

It's possible to completely shield an i-Reserve reservation environment from the outside world. This can be achieved through IP whitelisting. This completely blocks the domain hosting the reservation system, making it accessible only from specific IP addresses. This is used, for example, by customers who want to use i-Reserve as an internal application.

Prepared statements

SQL injection is a type of vulnerability in computer applications. Applications that store information in a database often use SQL to communicate with the database. SQL injection can occur when user input is not properly processed in an SQL statement.

Within the i-Reserve reservation system, we use prepared statements. This mechanism prevents unwanted code from being processed in the SQL queries executed by the application.
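The following is an added illustration of the difference the section describes; it is example code written for this page, not code from i-Reserve or Teqa Web Services. It builds a constructed in-memory SQLite table (the assumed table name `reservations` and the sample customers are invented) and looks a customer up twice: once by pasting the input into the SQL text, and once as a prepared statement with a bound parameter. The structure of the prepared query is fixed before the value is supplied, so the input is only ever treated as data.

```python
import sqlite3

def build_sample_db():
    """Constructed sample data: a tiny reservations table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE reservations (id INTEGER PRIMARY KEY, customer TEXT, room TEXT)"
    )
    conn.executemany(
        "INSERT INTO reservations (customer, room) VALUES (?, ?)",
        [("alice", "A1"), ("bob", "B2"), ("carol", "C3")],
    )
    conn.commit()
    return conn

def lookup_unsafe(conn, customer):
    """Vulnerable form: the caller's input becomes part of the SQL text.

    Whatever the input contains is parsed as SQL, so a quote character changes
    the meaning of the WHERE clause instead of being matched literally.
    """
    sql = "SELECT customer, room FROM reservations WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()

def lookup_prepared(conn, customer):
    """Prepared statement: the SQL is fixed, the value is bound separately.

    The database engine receives the query skeleton and the parameter as two
    distinct things, so the input can never alter the query's structure.
    """
    sql = "SELECT customer, room FROM reservations WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()

def compare(customer):
    """Run both lookups on the same input and return the row counts."""
    conn = build_sample_db()
    return {
        "unsafe_rows": len(lookup_unsafe(conn, customer)),
        "prepared_rows": len(lookup_prepared(conn, customer)),
    }

if __name__ == "__main__":
    print(compare("alice"))
    # A value that is not a customer name: the prepared query simply finds
    # nothing, while the string-built query no longer filters by customer.
    print(compare("' OR '1'='1"))
```

Running the script shows that for an ordinary name both lookups agree, while for an input containing a quote the string-built query returns every row and the prepared statement returns none. The same principle applies to any database driver: use the driver's placeholder syntax and pass values as parameters, never through string formatting.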

Slowdown mechanism

Brute force attacks involve malicious actors attempting to automate logins to the reservation system using a list of passwords and usernames, until a correct combination is found.

To prevent brute force attacks, we use a slowdown mechanism. The first time a username and password combination is incorrect, a two-second delay is required before a new combination can be attempted. The second time, four seconds, and the third time, sixteen seconds. This makes brute force attacks impractical.
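As an added example (not i-Reserve's own implementation), the throttle below enforces the delay schedule from the paragraph above: two, four and sixteen seconds after the first, second and third failed attempt. The page does not say what happens after the third failure, so this code assumes later failures keep the sixteen-second delay; a successful login clears the counter. The clock is passed in as a timestamp rather than read from the system, so the behaviour can be checked without actually waiting, and the `expected_password` argument is a constructed stand-in for the password hash a real system would verify against.

```python
import hmac

# Delay in seconds after the 1st, 2nd and 3rd consecutive failure (from the page).
# Assumption: failures beyond the third keep the last value in the schedule.
DELAY_SCHEDULE = (2, 4, 16)

class LoginThrottle:
    """Tracks consecutive failed logins per username and the earliest next attempt."""

    def __init__(self):
        # username -> (consecutive failures, earliest timestamp a new attempt is allowed)
        self._state = {}

    @staticmethod
    def delay_for(failures):
        """Seconds a user must wait after the given number of consecutive failures."""
        if failures <= 0:
            return 0
        return DELAY_SCHEDULE[min(failures, len(DELAY_SCHEDULE)) - 1]

    def seconds_until_allowed(self, username, now):
        _, earliest = self._state.get(username, (0, 0.0))
        return max(0.0, earliest - now)

    def attempt_allowed(self, username, now):
        return self.seconds_until_allowed(username, now) == 0

    def record_failure(self, username, now):
        """Increase the failure count and push the next allowed attempt into the future."""
        failures, _ = self._state.get(username, (0, 0.0))
        failures += 1
        delay = self.delay_for(failures)
        self._state[username] = (failures, now + delay)
        return delay

    def record_success(self, username):
        """A correct login resets the slowdown for that user."""
        self._state.pop(username, None)

def check_login(throttle, username, password, expected_password, now):
    """Return 'throttled', 'ok' or 'failed' for one login attempt at time `now`.

    Attempts made before the delay has elapsed are rejected without touching the
    credentials, so an attacker gains nothing by ignoring the delay.
    """
    if not throttle.attempt_allowed(username, now):
        return "throttled"
    # Constant-time comparison; a real system compares against a stored hash.
    if hmac.compare_digest(password.encode(), expected_password.encode()):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, now)
    return "failed"

if __name__ == "__main__":
    t = LoginThrottle()
    for when, guess in [(100.0, "wrong1"), (101.0, "wrong2"), (102.0, "wrong3"), (106.0, "s3cret")]:
        print(when, check_login(t, "alice", guess, "s3cret", when),
              "wait", t.seconds_until_allowed("alice", when))
```

Because the state is keyed by username, the delay applies to the account being attacked no matter which source addresses the attempts come from, which is what makes a distributed password list unusable against it.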

Lockdown mechanism

If an intruder does gain access and tries to obtain more rights, they will be prevented from doing so and locked out.

Hosting and storage of data

All our data is stored in the Netherlands. The i-Reserve reservation application and its associated database run on a dedicated server. This means the server is configured for the i-Reserve reservation system and is used exclusively by Teqa Web Services customers. The data is only accessible from within the application; no other sources are permitted to connect to the database.

Databases

i-Reserve doesn't use shared databases. Each customer has their own database with unique login credentials. This minimizes the risk in the event of a breach.

Daily backups

To ensure data isn't accidentally lost, we use automated daily backups of the reservation system, covering both the database and the file system. The backups are stored on a separate server and retained for 30 days.

Daily scans

We perform a daily automated system scan with McAfee Secure, which tests the security of our servers. We also perform a daily scan for malware and viruses and proactively monitor these.

Segregation of duties

Segregation of duties (or splitting of functions) is the concept of sharing a specific responsibility among more than one person. For example, programmers and developers don't have access to customer databases. Only those who need access to production systems and databases for their work have that access.

Automatically anonymize personal data

To comply with legislation regarding the processing of personal data under the GDPR, our reservation system allows for the automated anonymization of relevant personal data. This means that personal data is not retained longer than necessary and is anonymized once it is no longer needed. This falls under the "right to be forgotten".

This functionality is not enabled by default and will need to be enabled (privacy by design) by the administrator.

Open Web Application Security Project

The i-Reserve reservation system addresses the widely used OWASP Top 10. The latest topics in the OWASP Top 10 are considered during the application's development. Furthermore, the application is checked regularly, through various test phases, to ensure its continued compliance with these requirements.

How can you guarantee the security of your customer data yourself?

Naturally, you are also responsible for the security and privacy of your customers' data. Using simple passwords, sharing user accounts, and forgetting to log out are common examples of practices that undermine it. Therefore, we offer the option to require passwords to contain a minimum number of characters, digits, capital letters, and special characters. A mandatory password change every set number of days is also a feature we've built into the i-Reserve reservation system.

Of course, it's up to you as an organization to ensure that a user has been created for everyone (this doesn't incur any additional costs) and that permissions based on user groups are configured correctly. Shortening the length of a logged-in session can help address the issue of forgetting to log out.
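The two paragraphs above describe administrator-configurable controls: password composition rules, a maximum password age, and a shorter logged-in session. The following is an added example of how such a policy can be expressed and checked; it is illustrative code written for this page, not i-Reserve's configuration or code, and the default values (12 characters, 90-day password age, 15-minute idle session) are assumptions chosen for the example rather than settings taken from the product.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
import string

@dataclass(frozen=True)
class AccountPolicy:
    """Assumed example defaults; an administrator would set these per organization."""
    min_length: int = 12
    min_digits: int = 1
    min_uppercase: int = 1
    min_special: int = 1
    max_password_age_days: int = 90
    session_idle_minutes: int = 15

    def password_violations(self, password):
        """Return a list of human-readable rules the password fails (empty if it passes)."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"at least {self.min_length} characters")
        if sum(c.isdigit() for c in password) < self.min_digits:
            problems.append(f"at least {self.min_digits} digit(s)")
        if sum(c.isupper() for c in password) < self.min_uppercase:
            problems.append(f"at least {self.min_uppercase} capital letter(s)")
        if sum(c in string.punctuation for c in password) < self.min_special:
            problems.append(f"at least {self.min_special} special character(s)")
        return problems

    def password_expired(self, last_changed, today):
        """True once the password is older than the configured maximum age."""
        return (today - last_changed).days >= self.max_password_age_days

    def session_expired(self, last_activity, now):
        """True once the session has been idle longer than the configured limit."""
        return now - last_activity >= timedelta(minutes=self.session_idle_minutes)

if __name__ == "__main__":
    policy = AccountPolicy()
    for candidate in ["summer", "Correct-Horse-9x"]:
        print(candidate, policy.password_violations(candidate) or "ok")
    print("expired:", policy.password_expired(date(2017, 7, 1), date(2017, 10, 1)))
    print("session expired:",
          policy.session_expired(datetime(2017, 10, 1, 9, 0), datetime(2017, 10, 1, 9, 20)))
```

Returning the full list of failed rules, rather than a bare yes/no, lets the login form tell the user exactly which requirement was not met while keeping the policy itself in one place.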

In short, there are ample opportunities to take responsibility yourself and prevent misuse of (personal) data.

Curious about our reservation system?

Want to discover what else the i-Reserve reservation system can do for you? Or would you like more information about securing customer data? Then contact us.

October 2017