Here at Avvio, we understand that data security is of paramount importance to our customers, especially when we hear of more data breaches and security threats in today’s news.
In today’s connected world, data is everything and securing it needs to be embedded in the culture of the teams that manage data for their customers.
Hoteliers and accommodation providers handle vast amounts of data every day that it could make them a tempting target for cybercriminals. Personal information is required from a guest to effectively book and check into their room, cater to their needs in the lead up to their stay, during their visit and after they check-out. Businesses must ensure that the payments between guests and property are successful, whether they’re made online, over the phone or desk or even through an app or messaging service. Avvio puts data security first – always and with no exceptions.
Our applications and infrastructure are secure by design. In this post, we take a look at just some of the steps that Avvio takes to ensure that our customers’ data is secure at all times.
We look at security from two perspectives, application security and physical security. While application security could be considered as the set of decisions our engineering team takes to leverage the best-in-class technologies and policies to secure information, physical security is more related to the policies in place by our data centre to ensure network access is in line with the highest standards of information security.
Data that isn’t stored doesn’t need to be secured While it may seem very obvious, far too many service providers don’t pay heed to this fundamental principle. Our customer data is stored only for as long as it is required to perform the primary business function of the application. In line with the General Data Protection Regulation (GDPR – EU 2016/679), Avvio only stores personally identifiable information for as long as is required. Once a guest has checked out of your hotel, their personal information is deleted or anonymised.
Avvio doesn’t store credit card details
Avvio is a PCI-certified merchant services provider. Avvio has partnered with DataTrans, a leading financial services provider to act as a gatekeeper for all credit card information. This Level 1 PCI Certified provider ensures that Avvio is relieved of directly storing and securing any
credit card information on our own network.
All traffic between customer browsers and the Avvio booking engine is through HTTPS as standard. When HTTPS is used, you and your guests can be assured that communications are secure. Modern browsers will display icons indicating that a secure connection is in use on the browser window. Support for the ageing Secure Sockets Layer (SSL) protocol is now retired across our platform in favour of the more secure Transport Layer Security (TLS) cryptographic protocol – designed to provide communications security over a computer network. TLS is further augmented with HTTP Strict Transport Security (HSTS) to ensure that all browsers must use HTTPS correctly.
TLS encrypts all details entered, including the purchaser’s name, credit card number and expiry date and makes them impossible to read by any unintended third-party as the data is transmitted across the Internet. This ensures all details are kept confidential while in transit and prevents a cybercriminal touching the details.
Physical & Network Security
All Avvio applications (including our AI booking platform, Allora) run on dedicated server hardware inside an ISO 27001 certified state-of-the-art data centre in Cologne, Germany. We do not use VPS Hosting or other virtualisation and are sole tenants on all hardware. Our data centre employs security measures such as a monitored, hardened perimeter, surveillance, biometric scanners and strictly-controlled server floor access.
All Avvio servers run on a private network with traffic segmentation. Servers are protected by a Fortigate D200 firewall in addition to local network firewalls and active intrusion detection systems on every server.
Our servers are configured to allow minimal access, including:
- No remote root access
- Only HTTP (80) and HTTPS (443) ports open to the public;
- SSH (22) is only accessible to a limited number of Avvio Engineering staff, and only available through a bastion server (not publicly accessible);
- Critical vulnerability lists are monitored daily and patches are applied to all operating system and application software as soon as they are available.
Avvio employs a team of engineers who monitor our application infrastructure around the clock to ensure your booking engine and related data are secure and available at all times.