Our approach to data protection
Who we are
ResRequest provides a hosted Business Management software application that caters for Central Reservation, Property Management, Customer Relationship, Financial Management and Online Bookings. Our customer’s system is provided as a hosted solution, with the option to install at client-specified offline locations, which are logistically managed by our customer. Our customers capture and maintain their own data in their system. Our customers can opt to integrate their data with third-party systems such as Point-Of-Sale or Financial Accounting systems. In addition to our application and connection services, our customers can make use of our training, data capture and consulting services.
ResRequest’s interview procedure is a rigorous selection process. Our new staffer induction includes training and awareness of our security policies, and regular notices are released in our internal communication and via our management team.
Our team are provided with safe and secure methods to perform their operational responsibilities, while keeping our customers’ systems and data safe. Our staff are required to review safety protocols and implement secure processes in accordance with our signed NDA, which protects customer data from being distributed. Staff are required to install antivirus software and reinstall terminals after any suspicious activity. We have a technical support team available to our staff to assist them in implementing and maintaining security standards on their workstations.
Who our clients are
Our customers are hotel owners and travel agents. Our users include our customers and additional users who are enquiring about or booking accommodation in our customer’s ResRequest system. Our software gives our customers the ability to collect information about their clients. We do not own or manage our customers’ bookings; we provide the software platform for our customers to process bookings and manage related business functions.
Protection of our customer data
Offline server protection
We assist with the setup of licensed copies of ResRequest on an offline server owned and hosted by our customer. We do not accept responsibility for data breaches at the offline environment as we have no control of the server and server access at these locations. We recommend that customers seek assistance from security specialists to maintain secure infrastructures and processes at these offline locations.
Our subscriber policy
During our implementation we sign up users to our subscription services. We also take directives from the system administrator such as adding their users to our subscriber list.
We want our customers to feel like they’re receiving information that gives their business great value. To do this, each mailer includes an article that will promote better business practices or inform users about learning opportunities and new features. Email addresses and personal data that individuals consent to provide us with are only used for contacting the individual with business-related information. We do not port private information to other data collectors.
Should an individual wish to no longer receive this correspondence, they can unsubscribe at any time.
Our web services
ResRequest has a dedicated SAAS team. We host servers with recognised service providers. Our SAAS and development teams are constantly monitoring online platforms to ensure that our services are running security upgrades and to detect security breaches. This team is tasked with determining the company’s defence systems and security, building the security infrastructure and implementing our web server security policies.
Our team also meet regularly with our senior development strategist and external consultant specialist to source ideas, discuss strategies and review any gaps in our security processes.
We will continue to promptly inform you of incidents involving your customer data. Please follow our Technical Twitter Support feed which is used to publish and provide updates of any incidents.
Incident notifications may also be sent by email, telephone, Skype or WhatsApp to you directly when / if they are directly relevant to you or your data.
Customer responsible usage
We ask our customers to implement secure and transparent data protection policies that meet data protection regulatory obligations. Should customers be in breach of this and be deemed to use personal data unlawfully, we reserve the right to suspend their license with immediate effect.
Does data protection legislation involve you?
Yes, ResRequest is the processor of data and you are a collector of data. As a data collector you are required to be compliant in respect of data protection acts such as the GDPR, which governs data collection on EU citizens, and POPIA (pending data protection on RSA citizens) and others.
Implementing data protection strategies ensures that your business partners and customers feel comfortable doing business with you. It is important to understand the requirements of the GDPR and put policies and procedures in place that adhere to these data protection acts. Using search engines like Google and Bing will point you to information about GDPR and legal teams / compliance companies that will ensure you are able to comply with global data protection standards.
What can you do?
If you work with international guests and partners, you’ll need to store their data, which means you need to understand and have strategies in place to comply with international data protection regulations. Here are some guidelines that can help you with compliance:
1. Understand the global market you work with and find out the specifics of the respective data protection acts, e.g. working with EU citizens requires reference to the GDPR. When you review these regulations, consider if / how they differ from your current data protection strategies. A few practical examples of areas to review include:
1.1. Review how you seek, record and manage consent, and whether you need to make any changes to that process. There may be many areas in your business to review; making an inventory list of those areas is a good idea.
1.2. Review your consent form. You will need to explain your lawful purpose for collecting the information you are asking guests for at sign in, e.g. regulatory information for medical emergencies.
1.3. Check your procedures to ensure they cover all the rights that individuals have, including how you would delete personal data or provide data electronically and in a commonly used format. The GDPR includes the following rights for individuals:
– the right to be informed
– the right of access
– the right to rectification
– the right to erasure
– the right to restrict processing
– the right to data portability
– the right to object
– the right not to be subject to automated decision-making including profiling.
1.4. Consider how you will manage the right of erasure, especially considering the lawful basis of this, such as a contact being linked to a valid invoice.
1.5. Consider how you will present profile data to the contact should they request right of access.
2. Consider the areas where you curate and store personal data. Review your policies and processes in each of these areas.
3. Check for regular updates to regulatory information and review any gaps in your current processes.
4. Consult a lawyer or a qualified Data Protection Consultant to obtain data protection advice applicable to your business.
Our assistance to customers
Should you require any guidance or clarification from our team, our management and supervisory team are available to explain our best practice. Contact them directly or via our support team.
Disaster Recovery and Business Continuity
This section details the various possible disaster scenarios, the likely impact, and the actions to be taken for recovery. It also details the backup and redundancy procedures in place to ensure data integrity.
We provide multiple backup and disaster recovery options to ensure there is almost zero data loss. This has been achieved by the following:
- Production servers, based in a central location, are replicated in real-time to identical replicated servers in a secondary location (providing data centre and geographic redundancy).
- Production servers are backed up in full nightly (one-year retention).
- Production server nightly backups are stored in an archive server location (two-year retention, in a geographic location independent of the data centre).