Details regarding Guestline's application hosting provision, including disaster recovery, data backup and resilience of services, in relation to PCI DSS compliance and GDPR.
For the purposes of the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) and the Data Protection Act 2018, Guestline is a ‘processor’ of data collected in the provision of cloud-based property management and distribution technologies for the hospitality industry. Guestline is a registered company in England, number 2661520.
Guestline makes use of current security, processing and storage technologies to run our suite of software products and to keep your data safe and secure. Access controls applied at multiple points in the data centre infrastructure restrict access to your data and protect our own servers and environment from harm, so that our services to you remain available 24/7.
Procedures and policies are implemented in all business workflows in accordance with PCI DSS Level 1 service provider requirements, ensuring that access control, backup security, network security and general information security are monitored and audited by third-party auditors.
All rights, requests, data procedures and policies are implemented and followed in line with GDPR, and all staff are trained in line with both PCI DSS and GDPR best practice as outlined by the Information Commissioner's Office (ICO).
If you have any queries about this policy, the way in which we process data, or about exercising any of your rights, you may contact our Privacy Representative by sending an email to firstname.lastname@example.org or by writing to our Privacy Officer, Guestline House, Shrewsbury Business Park, Shrewsbury, SY2 6LG.
GDPR and PCI Service Provider Compliance
Guestline Ltd is a certified Level 1 Service Provider for PCI DSS and is listed with Visa Europe's Merchant Agent Registration programme.
See the Visa Europe Merchant Agent web listing.
We undergo an extensive annual on-site audit by third-party Qualified Security Assessors (QSAs). Our Level 1 Service Provider (PCI DSS) accreditation covers all aspects of our business, including, but not limited to, hosting, head office networks, software development processes and staff training.
As a service provider, our Attestation of Compliance (AOC) is available on request from your account manager or sales representative.
Customer as a Merchant and GDPR Compliance
With respect to PCI DSS merchant compliance, some responsibilities remain with the customer, for example those that call for merchant-premises physical security or merchant-premises anti-virus. To ensure full compliance with all the requirements of the PCI DSS, you may benefit from consulting a QSA or your merchant acquirer's account manager. Your Guestline account manager can offer some guidance on request.
With respect to GDPR compliance, we follow the recommendations provided by the ICO, and our PCI DSS certification and our governance policies and processes support this compliance. Our clients, as “controllers”, are responsible for ensuring that they have followed the GDPR guidance published by the ICO; please visit https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Below is a high-level summary of Guestline's application hosting provision, including disaster recovery, data backup and resilience of services, in relation to PCI DSS compliance and GDPR.
Data Centre Physical Environments
Guestline makes use of industry-leading hosting partners to provide racks, cooling and power*
Partners are certified to ISO 9001:2008 and ISO/IEC 27001 and are PCI DSS compliant
On power failure, automatic electrical generators take the full load of the building, with standby uninterruptible power supplies bridging the gap
Physical Protection & Security
Facilities meet ISO/IEC 27001 and PCI DSS physical/hosting requirements
24 x 7 x 365 closed-circuit security cameras
Photo-based access control with swipe-card security entry systems
On-site security staff
VESDA aspirating smoke detection provides very early warning, and FM-200 clean-agent systems provide fire suppression in the event of ignition
Geographically diverse ‘carrier-neutral’ fibre providers in use
Multiple internet providers (Level3, Global Crossing, Tiscali and Cogent) help ensure minimal disruption in the event of internet backbone problems
Application Level Security
Application Perimeter Security
Multi-layer, multi-vendor firewalls with automatic failover redundancy at every layer
Regular detailed vulnerability scans and penetration tests performed by industry-certified third parties (PCI DSS Approved Scanning Vendor (ASV), CREST)
Application Server Security
Remote server access requires RSA two-factor authentication; access is tightly controlled and maintained by our technicians and support staff
Servers are hardened and regularly patched in accordance with vendor and PCI DSS recommendations
Anti-virus/anti-malware protection, kept up to date, is deployed across our entire infrastructure
Customer-defined IP address filtering (allow-listing) is available to restrict access to customer data/services **
HTTPS (TLS, with 2048-bit RSA certificates) protects your username and password at logon
HTTPS (TLS, with 2048-bit RSA certificates) is used for inter-business communication (distribution, interfacing etc.)
Web server load balancing and failover keep the service available 24 x 7 even if hardware fails
Hundreds of application and infrastructure performance metrics are constantly monitored by our dedicated data centre operations team for service availability and speed
A secondary hosting facility in a separate geographical location is maintained both for active/standby processing of traffic and for disaster recovery (DR)
In the event of a disaster, the Rezlynx Browser's lookup feature automatically redirects customers to an alternate hosting facility, to which data is continuously replicated **
Disaster Recovery/Dual Redundancy
Guestline operates a multi-data-centre hosting model in which multiple data centres are considered ‘active’. When it connects to a Rezlynx logon server, the Rezlynx Browser chooses the optimal data centre for accessing customer data
If the preferred data centre cannot be reached, the Rezlynx Browser performs a client-side redirect to a secondary data centre logon
Customer data is continuously duplicated and synchronised between two or more geographical facilities **
In the event of a major failure at one facility, the alternate storage facility is promoted to become the data master, at which point the Rezlynx Browser, unable to reach its data at the normal location, connects to the secondary facility instead
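The four points above describe a client-driven failover: the client prefers one data centre, redirects itself when that site is unreachable, and the surviving site is promoted to data master before it is written to. The following is an added example, not Guestline or Rezlynx code, that models that selection logic in Python. The site names, logon URLs, the probe/status format and the `epoch` counter are assumptions made for the illustration; the epoch is the check a practitioner would want so that a master isolated during the failure is not mistaken for the current master when it comes back. Note that continuous replication is marked ** above and may not be available for every customer or service.

```python
"""Illustrative data-centre selection and failover (added example, not
Guestline code).  Names, URLs, probe format and 'epoch' are assumptions."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set


@dataclass
class Site:
    name: str
    logon_url: str            # assumed endpoint, not a real service address
    role: str = "replica"     # "master" holds the writable copy of the data
    epoch: int = 0            # promotion generation; higher means more recent


def promote(new_master: Site, sites: List[Site], reachable: Set[str]) -> None:
    """Promote one site to data master and demote the other reachable sites.

    The new epoch is chosen above every last-known epoch, including that of
    the unreachable old master (as recorded before the failure), so that the
    old master is outranked if it reappears still believing it is master."""
    new_master.epoch = max(s.epoch for s in sites) + 1
    new_master.role = "master"
    for s in sites:
        if s is not new_master and s.name in reachable:
            s.role = "replica"


# A probe returns the logon server's advertised status, or None if unreachable.
Probe = Callable[[Site], Optional[dict]]


def choose_site(sites: List[Site], probe: Probe) -> Optional[Site]:
    """Pick the site to log on to, or None if no current master is reachable.

    'sites' is in order of preference.  An unreachable site is skipped (the
    client-side redirect); a reachable replica is skipped too, because
    writing to it before promotion would fork the data.  If more than one
    site claims to be master, the highest epoch wins, then preference."""
    candidates = []
    for preference, site in enumerate(sites):
        status = probe(site)
        if status is None or status.get("role") != "master":
            continue
        candidates.append((-status["epoch"], preference, site))
    if not candidates:
        return None
    candidates.sort(key=lambda c: (c[0], c[1]))
    return candidates[0][2]


def make_probe(reachable: Set[str]) -> Probe:
    """Constructed stand-in for a network probe: a site is reachable iff its
    name is in the set, and it advertises its own in-memory role/epoch."""
    def probe(site: Site) -> Optional[dict]:
        if site.name not in reachable:
            return None
        return {"role": site.role, "epoch": site.epoch}
    return probe


def run_scenario() -> List[Optional[str]]:
    """Normal operation, an outage, promotion, then the old master's return.
    Returns the site name chosen at each step (constructed scenario)."""
    dc_a = Site("dc-a", "https://logon-a.example/", role="master", epoch=1)
    dc_b = Site("dc-b", "https://logon-b.example/")
    sites = [dc_a, dc_b]
    chosen: List[Optional[str]] = []

    def pick(reachable: Set[str]) -> None:
        site = choose_site(sites, make_probe(reachable))
        chosen.append(site.name if site else None)

    pick({"dc-a", "dc-b"})   # 1. both up: preferred master dc-a is used
    pick({"dc-b"})           # 2. dc-a down, dc-b still a replica: wait
    promote(dc_b, sites, reachable={"dc-b"})   # 3. ops promote dc-b
    pick({"dc-b"})           #    client now redirects to dc-b
    pick({"dc-a", "dc-b"})   # 4. dc-a returns claiming master with a stale
    return chosen            #    epoch: client stays on dc-b, no split brain


if __name__ == "__main__":
    print(run_scenario())
```

Step 2 is the edge case worth noticing: a reachable secondary that has not yet been promoted is deliberately not used, because a client that writes to an un-promoted replica creates a second copy of the truth that must later be reconciled by hand.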
All expired media and storage devices used within our hosting environment are wiped with industry-standard software (where achievable) and then physically destroyed by certified data-destruction partners
Guestline upholds the role and responsibilities of a ‘data processor’ under the UK Data Protection Act 2018 and the GDPR; all data remains the property of the customer as the ‘data controller’
All data is stored within the UK (Europe) and will not be shared with any third parties except:
1. under the explicit written instruction of the customer (the data controller), for example to enable integration with third-party systems through our open platform API under our data transfer policies
2. when we are legally required to do so by local law enforcement
A Relational Database Management System (RDBMS) rated as industry leading by Gartner
SAN-based disk storage provides high database performance
RAID disk redundancy in all mission-critical areas means that disk failures do not take services offline
N+1 clustered database servers ensure highly available data access in the event of hardware failure
Off-site continuous data replication to the secondary facility **
Full backup archives are taken daily to multiple destinations (on-site disk and tape)
Tape backup archives are securely rotated and transported and then stored off-site in a purpose-built media housing facility. This work is undertaken by the media transport and secure storage specialists Iron Mountain
* Further details of our Data Storage partners can be provided on request
** May not be standard/available to all customers/all software services – check with your representative
Management of your guests' rights under the GDPR
Our clients have various obligations under the GDPR and the Data Protection Act 2018 with respect to their use of guests' personal data. As your data processor, we commit to supporting those obligations, as directed by the GDPR and the Data Protection Act 2018, as follows:
In the first instance, data subject rights can be managed directly by you, the controller, with the tools available in the product. For information on the functionality available, please visit https://www.guestline.com/about-us/about-guestline/gdpr.html
Right to Access
A right of access request provided to Guestline will be responded to within one month of the request being received. Please note that there are exceptions to this right. We may be unable to make all information available to you if, for example, doing so would reveal personal data about another person, if we are legally prevented from disclosing the information, or if the request is manifestly unfounded or excessive.
Right to rectification
We aim to keep all data accurate and complete. If there is an input error by a guest or user, we provide the tools for you, as controller, to self-serve and amend the data as required. You can otherwise raise a support request through the existing channels.
Right to erasure
If you receive a request for the deletion of personal data where, for example, the personal data is no longer necessary for the purposes for which it was collected, you, as the controller, can delete the record directly through the available tools.
Right to object
In certain circumstances, we may receive an objection directly. Any right to object will be communicated to you, our client, and managed as appropriate per your instructions. No action will be taken on your data without direct instruction from you, our client, unless we are under a legal obligation to provide access.
Right to restrict processing
Guestline gives guests the ability to opt in to or out of marketing, and gives you, our client, the ability to update a record to opt a guest out of marketing directly.
Right to data portability
In certain circumstances, guests have the right to request a copy of the personal data they provided to you, in a commonly used, machine-readable format. This can be downloaded and provided to the guest through the available functionality.
Please note that the GDPR sets out exceptions to these rights. If we are unable to comply with your request because of an exception (these are usually legal in nature), we will explain this to you in our response.
Guestline Internal People, Processes and Technology