Guestline Limited: Data Policy

Details regarding Guestline's application hosting provision, including disaster recovery, data backup and resilience of services in relation to PCI compliance and GDPR.

Introduction

For the purposes of the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) and the Data Protection Act 2018, Guestline is a ‘processor’ of data collected in the provision of cloud-based property management and distribution technologies for the hospitality industry. Guestline is a company registered in England, number 2661520.

Guestline make use of the latest security, processing and storage technologies to run our suite of software products and ensure your data is kept safe and secure. Access controls employed at multiple points in the data centre infrastructure restrict access to your data and protect our own servers and environment from harm, ensuring our services to you are kept available 24/7.

Procedures and policies are implemented in all business workflows in accordance with PCI DSS Level 1 service provider requirements, ensuring that access control, backup security, network security and general information security are carefully monitored and audited by third-party auditors.

All rights, requests, data procedures and policies are implemented and followed in line with GDPR compliance, and all staff are trained in line with both PCI compliance and GDPR best practice as outlined by the ICO.

If you have any queries about this Policy, the way in which we process data, or about exercising any of your rights, you may contact our Privacy Representative by sending an email to gdpr@guestline.com or by writing to our Privacy Officer, Guestline House, Shrewsbury Business Park, Shrewsbury, SY2 6LG.

GDPR and PCI Service Provider Compliance

Guestline Ltd is a certified Level 1 Service Provider for PCI-DSS and is listed with VISA Europe’s Merchant Agent Registration programme (see the Visa Europe Merchant Agent Weblisting at https://www.visaeurope.com/receiving-payments/security/downloads-and-resources).

We undergo an extensive annual on-site audit by third-party Qualified Security Assessors (QSAs). Our Level 1 Service Provider (PCI-DSS) accreditation covers all aspects of our business (including, but not limited to, hosting, head office networks, software development processes and staff training).

As a Service Provider, our Attestation of Compliance (AOC) certificate is available on request from your account manager or sales representative.

Customer as a Merchant and GDPR Compliance

With respect to PCI-DSS Merchant Compliance, some responsibilities remain with the customer, for example those that call for merchant-premises physical security or merchant-premises anti-virus. To ensure full compliance with all the requirements of the PCI-DSS, you may benefit from consulting a QSA or your merchant acquirer account manager. Your Guestline account manager can offer some guidance on request.

With respect to GDPR Compliance, we follow all recommendations provided by the ICO, and our PCI-DSS certification and good governance policies and processes work to support this compliance. With regard to GDPR as it relates to PCI-DSS Compliance, our clients as “controllers” have a responsibility to ensure they have followed the GDPR compliance guidelines as outlined by the ICO; please visit https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

The following is a high-level brief on Guestline's application hosting provision, including disaster recovery, data backup and resilience of services in relation to PCI compliance and GDPR.

Data Centre Physical Environments

Guestline make use of industry-leading hosting partners to provide racks, cooling and power.*

Partners are certified to ISO 9001:2008 and ISO/IEC 27001 and are PCI-DSS compliant.

Power

On power failure, automatic electrical generators take the full load of the building, with standby uninterruptible power supplies bridging the gap.

Physical Protection & Security

Compliant with ISO 27001 and PCI-DSS physical/hosting requirements

24 x 7 x 365 closed circuit security cameras

Full photo-based access control with swipe-card security entry systems

On-site security staff

VESDA very early fire detection and FM200 fire suppression systems are in place in the event of ignition

Connectivity

Geographically diverse ‘carrier-neutral’ fibre providers in use

Multiple internet providers help ensure minimal disruption in the event of internet backbone problems: Level3, Global Crossing, Tiscali and Cogent

Application Level Security

Application Perimeter Security

Multi-level and multi-manufacturer firewalls with auto failover redundancy at all levels

Regular detailed vulnerability scans and adaptive penetration tests performed by industry-certified third parties (PCI-DSS ASV, CREST)

Application Server Security

Carefully controlled RSA two-factor remote access authentication is required for server access, maintained by our technicians and support staff

Servers are locked down and regularly patched in accordance with manufacturers’ and PCI-DSS recommendations

Industry-leading, always-up-to-date anti-virus/anti-malware protection secures our entire infrastructure

Customer defined IP address filtering options exist to bar access to customer data/services **

Encryption

HTTPS (TLS with 2048-bit keys) encryption is used to protect your username and password at logon

HTTPS (TLS with 2048-bit keys) encryption is used in inter-business communication (distribution, interfacing etc.)

Application Performance

Web server load balancing and failover ensure fast service availability 24 x 7 even if hardware fails

Hundreds of application and infrastructure performance metrics are constantly monitored by our dedicated data centre operations team for service availability and speed

Application/Network Resilience

A secondary hosting facility in a separate geographical location is maintained for both active/non-active processing of traffic as well as disaster recovery (DR)

The Rezlynx Browser contains a smart lookup feature that, in the event of a disaster, automatically redirects customers to an alternate hosting facility where their data is continually replicated **

Disaster Recovery/Dual Redundancy

Guestline operates a multi data-centre hosting model where multiple data centres are considered to be ‘Active’ – the Rezlynx Browser chooses the optimal data centre for accessing customer data when it connects to a Rezlynx logon server

A failure to reach the preferred data centre results in a client-side redirect performed by the Rezlynx browser to a secondary data centre logon

Customer data is continuously duplicated and synchronised between two or more geographical facilities **

In the event of a major failure at one facility the alternate storage facility is promoted to become the data master – at which point the Rezlynx Browser, unable to reach its data at the normal location, instead connects to a secondary facility

Data Protection

All expired media and storage devices utilised within our hosting environment are wiped using industry-standard software (where achievable) and then physically destroyed by certified data-destruction partners

Guestline uphold the role and responsibilities of a ‘Data Processor’ under the UK Data Protection Act 2018 and GDPR; all data remains the property of the customer as the ‘Data Controller’

All data storage remains inside Europe (UK) and will not be shared with any third parties except:

1. under the explicit written instruction of the customer (the Data Controller) – for example to enable integration with 3rd party systems through our open platform API under our Data Transfer policies

2. when we are legally required to do so by local law enforcement

Data Storage

An industry-leading (Gartner-rated) Relational Database Management System (RDBMS)

SAN-based disk storage provides the best database performance available

Use of RAID disk redundancy in all mission critical areas means disk failures don’t take services offline

N+1 clustered database servers ensure highly available data access in the event of hardware failures

Off-site continuous data replication to secondary facility **

Data Backup

Full backup archives are taken daily to multiple destinations (on-site disk and tape)

Tape backup archives are securely rotated, securely transported and then stored off-site in a custom media housing facility. This work is undertaken by industry-leading media transport and secure storage experts Iron Mountain

* Further details of our Data Storage partners can be provided on request

** May not be standard/available to all customers or all software services – check with your representative

Management of your guests’ rights under the GDPR

Our Clients have various obligations under the GDPR and Data Protection Act 2018 with respect to their use of guests' personal data. As your processor of data, we commit to supporting those obligations as directed by the GDPR and Data Protection Act 2018, as follows:

In the first instance, Subject Data Rights can be directly managed by you, the controller, with the available tools in the product. For information on the functionality available please visit https://www.guestline.com/about-us/about-guestline/gdpr.html

Right to Access

A right to access request that is provided to Guestline will be responded to within one month of that request being received. Please note that there are exceptions to this right. We may be unable to make all information available to you if, for example, making the information available would reveal personal data about another person, if we are legally prevented from disclosing such information, if there is no basis for your request, or if it is overly excessive.

Right to rectification

We aim to keep all data accurate and complete. If there is an input error by a Guest or User, we provide the tools for you as controller to self-serve and amend any data as required. You can otherwise raise a support request through the existing channels.

Right to erasure

If you receive a request for the deletion of personal data where, for example, the personal data is no longer necessary for the purposes for which it was collected, you as the controller can delete the record directly through the available tools.

Right to object

In certain circumstances, we may receive an objection directly. Any right to object will be communicated to you, our clients, and we will manage it as appropriate and per your instructions. No action will be taken on your data without direct instruction from you, our clients, unless we are under a legal obligation to provide access.

Right to restrict processing

Guestline gives you the ability for Guests to opt in to or out of marketing, and for you, our clients, to update a record to opt guests out of marketing directly.

Right to data portability

In certain circumstances, Guests have the right to request a copy of the personal data they provided to you, in a commonly used, machine-readable format. This can be easily downloaded and provided to the Guest through the available functionality.

Please note that the GDPR sets out exceptions to these rights. If we are unable to comply with your request due to an exception (these are usually legal in nature) we will explain this to you in our response.

Guestline Internal People, Processes and Technology

If you have any questions about Guestline's internal processes and policies for the management of data and training of staff in relation to GDPR that are not covered above, please contact our Data Compliance Team at gdpr@guestline.com. Please note that all communication is managed as per our data privacy policy.
