Properly securing (personal) data is becoming increasingly important. It is essential that our customers can trust that personal data is adequately protected. To prevent data breaches, we follow the guidelines set out in GDPR legislation to ensure that (personal) data within i-Reserve is sufficiently secured.

Why should you secure customer data?

As a business owner, you know that protecting customer data is essential. Hackers and cybercriminals are always looking for new ways to steal information. That is why it is important to take steps to keep your customer data safe. Within our online reservation system, your customers' data is also protected in accordance with GDPR legislation.

GDPR as a replacement for the DPA

Since 25 May 2018, the GDPR has replaced the Data Protection Act (DPA). The General Data Protection Regulation (GDPR) is a privacy law that applies throughout the EU. Although the GDPR is relatively new, it is based on the fundamental principles of the previous DPA legislation. The aim of the GDPR is to protect the privacy rights and personal data of EU citizens, and it applies to every organisation that collects personal data from EU citizens.

The security and privacy of (personal) data in the i-Reserve reservation system

Discover how the security and privacy of (personal) data is safeguarded within our reservation system.

Secure connection

We deliver our reservation system with an SSL certificate by default (privacy by default). SSL (or, more precisely, TLS) is recognisable by the https:// prefix in the URL. It secures the connection between a website visitor and the server hosting the website using very strong encryption. By using an SSL connection, we ensure that information sent to and from the booking dialogue cannot be intercepted or tampered with by unauthorised third parties.

Encryption of information

In addition to encrypting internet data traffic via SSL (data in transit), the i-Reserve reservation system also offers the option of encrypting physically stored data (data at rest).

Passwords are stored in encrypted form within i-Reserve. Furthermore, a password will never be sent in the event of a forgotten password request — only a link to reset your password yourself will be provided.

Firewall

When deploying a firewall, we only allow public IP addresses to connect to the ports that are required. For ports and functions that are critical from a security perspective, we make use of a whitelist. Only IP addresses on that list are granted access to the reservation system.

Web Application Firewall (WAF)

A Web Application Firewall is an application that monitors and inspects incoming and outgoing traffic. All traffic that is abnormal or violates the firewall rules is blocked. In the case of more serious infractions, such as repeated MySQL injection attempts, the relevant IP address is immediately added to the blacklist, preventing that sender from making any further connection to the reservation system.

IP Whitelisting

It is possible to completely shield an i-Reserve reservation environment from the outside world. This can be achieved by making use of IP whitelisting. This fully blocks the domain on which the reservation system is hosted, allowing the domain to be accessed only from specific IP addresses. This is used, for example, by customers who wish to use i-Reserve as an internal application.

Prepared statements

SQL injection exploits a type of vulnerability in computer applications. Applications that store information in a database often use SQL to communicate with that database. SQL injection can occur when user input is processed into an SQL statement in an insufficiently controlled manner.

Within the i-Reserve reservation system, we make use of prepared statements. This is a mechanism that ensures unwanted code cannot be processed into the SQL queries executed by the application.
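The difference between the two approaches described above, as an added example that is not i-Reserve's own code: Python's built-in sqlite3 stands in for the application's database, and the `customers` table, the function names and the sample rows are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: an in-memory table with two customers."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    db.executemany(
        "INSERT INTO customers (email, name) VALUES (?, ?)",
        [("anna@example.com", "Anna"), ("bram@example.com", "Bram")],
    )
    return db

def find_unsafe(db, email):
    # Insufficiently controlled: the input becomes part of the SQL text,
    # so a quote character in it changes the structure of the statement.
    query = "SELECT name FROM customers WHERE email = '" + email + "' ORDER BY id"
    return [row[0] for row in db.execute(query)]

def find_prepared(db, email):
    # Prepared statement: the SQL text is fixed and the input is bound as a
    # value, so it is only ever compared against the email column.
    query = "SELECT name FROM customers WHERE email = ? ORDER BY id"
    return [row[0] for row in db.execute(query, (email,))]

def demo():
    db = make_db()
    crafted = "nobody@example.com' OR '1'='1"  # constructed test input
    return {
        "unsafe_normal": find_unsafe(db, "anna@example.com"),
        "unsafe_crafted": find_unsafe(db, crafted),
        "prepared_normal": find_prepared(db, "anna@example.com"),
        "prepared_crafted": find_prepared(db, crafted),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the concatenated query the crafted input returns every customer; with the bound parameter it matches no row, because the whole string is treated as one e-mail address.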

Slowdown mechanism

Brute force attacks involve malicious parties using automated tools to try lists of usernames and passwords against the reservation system, continuing until a correct combination is found.

To counter brute force attacks, we make use of a slowdown mechanism. The first time an incorrect username and password combination is entered, a two-second wait is imposed before a new combination can be attempted. The second time it is four seconds, and the third time sixteen seconds. This is a method of rendering brute force attempts ineffective.
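One way such a slowdown could be implemented, as an added example that is not i-Reserve's own code: the delays of 2, 4 and 16 seconds come from the text above. The class name, the per-key tracking, the delay staying at 16 seconds after the third failure and the reset on a successful login are assumptions.

```python
import time

DELAYS = (2, 4, 16)  # seconds imposed after the 1st, 2nd and 3rd failure (from the text)

class LoginThrottle:
    """Hypothetical per-key throttle; the key could be a username or client address."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock  # injectable so the behaviour can be tested without sleeping
        self._state = {}     # key -> (failure_count, earliest_next_attempt)

    def wait_remaining(self, key):
        _, not_before = self._state.get(key, (0, 0.0))
        return max(0.0, not_before - self._clock())

    def attempt(self, key, credentials_ok):
        """Return 'blocked', 'ok' or 'failed' for one login attempt."""
        if self.wait_remaining(key) > 0:
            # Rejected before the credentials are looked at, so guesses made
            # during the wait reveal nothing about their correctness.
            return "blocked"
        if credentials_ok:
            self._state.pop(key, None)  # assumption: success resets the counter
            return "ok"
        failures = self._state.get(key, (0, 0.0))[0] + 1
        # Assumption: from the fourth failure on, the delay stays at 16 seconds.
        delay = DELAYS[min(failures, len(DELAYS)) - 1]
        self._state[key] = (failures, self._clock() + delay)
        return "failed"

if __name__ == "__main__":
    now = [0.0]  # constructed clock, advanced by hand
    throttle = LoginThrottle(clock=lambda: now[0])
    for _ in range(4):
        print(throttle.attempt("anna", False), throttle.wait_remaining("anna"))
        now[0] += throttle.wait_remaining("anna")
```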

Lockdown mechanism

Should an intruder nonetheless gain access and attempt to escalate their own privileges, this is made impossible and they are locked out of the system.

Hosting and data storage

All our data is stored in the Netherlands. The i-Reserve reservation application and its associated database run on a dedicated server. This means that the server is set up exclusively for the i-Reserve reservation system and is used solely by customers of Teqa Webdiensten. The data is only accessible from within the application; no other sources are authorised to connect to the database.

Databases

i-Reserve does not use shared databases. Each customer has their own database with unique login credentials. This minimises the risk in the event of a potential breach.

Daily backups

To ensure that data is not inadvertently lost, we make use of daily automated backups. These backups of the reservation system are carried out every day and include both the database and the file system. The backups are stored on a separate server and retained for 30 days.

Daily scans

We carry out a daily automated scan of the system using McAfee Secure, which tests the security of our servers. We also perform a daily scan for malware and viruses, with proactive monitoring in place.

Segregation of duties

Segregation of duties (or separation of duties) is the concept whereby a particular responsibility is distributed across more than one person. For example, programmers and developers do not have access to customer databases. Only those individuals who require access to production systems and databases for their work are granted that access.

Automatic anonymisation of personal data

In order to comply with legislation regarding the processing of personal data under the GDPR, our reservation system offers the option for relevant personal data to be anonymised automatically. This means that personal data is not retained for longer than necessary and must be anonymised accordingly. This falls under the 'right to be forgotten'.

This functionality is not enabled by default and must be configured (privacy by design) by the administrator.

Open Web Application Security Project

The i-Reserve reservation system complies with the widely recognised OWASP Top 10. From the very start of the application's development, the most recent topics within the OWASP Top 10 are taken into account. Furthermore, the application is checked periodically, through various testing phases, to ensure it continues to meet these requirements.

How can you ensure the security of your customer data yourself?

Of course, you also bear responsibility for the security and privacy of your customers' data. The use of simple passwords, sharing user accounts, and 'forgetting' to log out are examples we frequently encounter in practice. We therefore offer the option to enforce passwords with a minimum number of characters, digits, uppercase letters, and special characters. The ability to require users to change their password every set number of days is also a feature built into the i-Reserve reservation system.

Naturally, it is up to you as an organisation to ensure that a user account has been created for every individual (this incurs no additional cost) and that permissions based on user groups are correctly configured. By shortening the duration of a logged-in session, it is possible to address the issue of users 'forgetting' to log out.

In short, there are more than enough options available to take responsibility yourself and prevent misuse of (personal) data.

Curious about our reservation system?

Would you like to discover what else the i-Reserve reservation system can do for you? Or would you like more information about securing customer data? Please contact us.

October 2017