In the following paragraphs you can find our terms and conditions. When you decide to start an integration with us you will receive a request from checkin.provider@booking.com to sign this agreement.
Privacy policies and guidelines
Booking.com is dedicated to protecting your privacy and safeguarding your company’s information. Booking.com may collect and process your Partner Portal account’s personal information for the purposes of such information and may call you and send email advertisements to you about the Connected Stay Partner Program, connectivity products and services. You can opt out from receiving email advertisements by unsubscribing via the email or at any time by sending us an opt-out request.
All information and data related to your account in the Connected Stay Partner Program will be stored on the Booking.com servers.
We may share information related to your account with customers connected to Booking.com for the purpose of helping you gain more exposure.
All information shared with you about the Connected Stay Partner Program, our products and services, and our partners may, without prejudice to your confidentiality requirements under the Agreement, not be shared with any competitors of Booking.com (which includes any online or offline reservation or booking agency or intermediary, any (meta) search engine or price comparison website) and/or with any other (online or offline) third party that is a business partner of, or in any other way related to or connected to, accommodations.
Technical and Organisational Security Measures
The partner shall, as a minimum, implement and adhere to the following baseline technical and organisational security measures to ensure that the confidentiality, integrity and availability of any Data (as defined in the Connectivity Partner Agreement — Connected Stay) is sufficiently protected.
IDENTIFY: Connected Stay partner has an organizational understanding for managing cybersecurity and IT risks to systems, people, assets, data, and capabilities.
- Asset Management
  - A basic catalogue of physical devices, software platforms, applications and external systems is in place.
  - There is a basic classification of resources based on criticality and business value.
  - Organizational communication and data flows are mapped.
  - Cybersecurity roles and responsibilities for the workforce and third party stakeholders are established.
- Business Environment
  - The organization’s role in the supply chain, critical infrastructure and industry is defined.
  - Priorities for organizational mission, objectives and activities are established.
  - Dependencies and resilience requirements for the delivery of critical services are defined.
- Governance
  - Basic organizational cybersecurity policies, roles and responsibilities are defined.
  - Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed.
  - Governance and risk management processes address cybersecurity, IT, business risks and compliance.
  - If the Connected Stay Partner is subject to periodic external audits focused on IT risks, the resulting assurance reports (SOC1 (e.g. ISAE 3402 Type 2), SOC2 or equivalent) shall be provided to Booking.com. If the Connected Stay Partner is not periodically audited by an external independent party, Booking.com reserves the right to audit should such a need arise.
- Risk Assessment
  - Asset vulnerabilities and internal and external threats are identified.
  - Risk is determined based on the vulnerabilities and threats and their impact and likelihood.
  - Risk response is defined and prioritized accordingly.
- Risk Management Strategy
  - Risk management processes are established and managed in line with a defined risk tolerance.
- Supply Chain Risk Management
  - Cyber supply chain risk management processes are established and applied to third party partners.
  - Contracts with third party partners are utilized for meeting the organization’s cybersecurity program requirements.
PROTECT: Connected Stay partner has developed and implemented appropriate safeguards to ensure delivery of critical services.
- Identity Management & Access Control
  - There is a defined process around the issuance, management, revocation and review of identities, (standard and privileged) credentials and their interconnection.
  - Physical and remote access to assets is managed and protected.
  - Logical and physical access permissions and authorization are managed based on the least privilege principle and through applying segregation of duties as needed.
  - Network integrity is protected.
  - The authentication level of users, devices and other assets is determined by the risk of the associated transaction.
- Awareness and Training
  - All users receive basic security training.
  - Senior executives, privileged users, physical and cybersecurity stakeholders and third party stakeholders understand their roles and responsibilities.
- Data Security
  - Data-at-rest and Data-in-transit are safeguarded.
  - Certificates and keys in use are registered and secrets are protected.
  - Controls are in place to protect against data leakage and exfiltration and/or accidental data destruction.
  - Assets are formally managed throughout their removal, transfer and disposition.
  - Integrity checking is used for software and information integrity.
  - Availability is supported by adequate capacity.
  - Technical and organizational security measures are implemented to ensure the pseudonymisation and encryption of personal data where appropriate, to ensure a level of security appropriate to the associated risk, as defined in Article 32 of GDPR.
  - Data labelling measures are implemented to ensure that data collected for different purposes can be processed separately.
- Information Protection Processes and Procedures
  - Security principles are incorporated in the baseline of IT systems configuration.
  - A System Development Life Cycle (SDLC) is implemented for managing systems.
  - Configuration and change management processes are established.
  - Backups of information are performed and maintained.
  - Data is destroyed in accordance with a policy and as per the applicable laws and regulations.
  - The effectiveness of protection technologies is reviewed.
  - A data (security) breach management process is established and can be readily applied if needed.
  - Response and recovery plans are in place for incident management, business continuity and disaster recovery.
  - Personnel screening and user (de-)provisioning are incorporated in HR processes.
  - A basic vulnerability management plan is in place.
- Maintenance
  - Maintenance of assets is performed with approved tools and is logged.
  - Approved remote maintenance of assets is performed in a way that prevents unauthorized access and is logged.
- Protective Technology
  - Log records are maintained and reviewed.
  - Removable media is protected and its use is restricted.
  - Systems are configured to provide only essential capabilities as per the principle of least functionality.
  - Communications and control records are protected.
  - Mechanisms are in place to support resilience under normal and adverse conditions.
DETECT: Connected Stay partner has developed and implemented appropriate activities to identify the occurrence of a cybersecurity event.
- Anomalies and Events
  - A baseline of network operations and data flows is established.
  - Incident alert thresholds are established.
  - Detected events are analyzed to determine the target and the methods utilized.
  - Event data are aggregated and correlated so that their impact can be determined.
- Security Continuous Monitoring
  - The network, the physical environment, personnel activity and external Connected Stay Partner activity are monitored to detect potential cybersecurity events.
  - Safeguards are in place to detect malicious and/or unauthorized code.
  - Monitoring is performed for unauthorized personnel, connections, devices and software.
  - Vulnerability scans are performed.
- Detection Processes
  - Roles and responsibilities for detection activities are defined.
  - Detection activities comply with basic regulatory requirements and are tested.
  - Event detection information is communicated.
RESPOND: Connected Stay partner has developed and implemented appropriate activities to take action regarding a detected cybersecurity incident.
- Response Planning
  - A response plan is defined and executed during or after an incident.
- Communications
  - Incident response roles and responsibilities are defined and personnel accountability is clear.
  - Criteria for incident reporting are established and followed.
  - Information sharing and coordination with stakeholders are consistent with a response plan.
- Analysis
  - Notifications from the detection systems are monitored and investigated as needed.
  - Forensics are performed when needed.
  - The impact of an incident is determined and understood.
  - Incident categorization is consistent with the response plan.
  - Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization.
- Mitigation
  - Identified incidents are contained and mitigated.
  - Vulnerabilities are mitigated or their risk acceptance is documented.
- Improvements
  - Response strategies are updated based on lessons learned through response plans.
RECOVER: Connected Stay partner has developed and implemented appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
- Recovery Planning
  - A recovery plan is defined and is executed during or after a cybersecurity incident.
- Improvements
  - Recovery strategies are updated based on lessons learned through recovery plans.
- Communications
  - Recovery activities are communicated to internal and external stakeholders.
  - Reputation impact is determined and repaired after an incident.