Security Policy
HOSTELELLA applies reasonable technical and organizational measures appropriate to the risk to protect the confidentiality, integrity, availability and resilience of the Service. This policy summarizes the main measures without disclosing details that could weaken security.
1. Governance and access
- Internal access limited by need, role and least privilege.
- Use of individual accounts and permission control for critical systems.
- Strong authentication/MFA for administrative accounts where the provider or system allows.
- Reasonable access reviews and removal of permissions when no longer needed.
- Logical separation between development, testing and production environments where appropriate.
- Change and deployment management with technical review proportionate to risk.
2. Data protection
- Encryption in transit via HTTPS/TLS.
- Encryption at rest where provided by the cloud infrastructure or managed service.
- Secrets management via secure stores and server variables, avoiding client-side exposure.
- Data minimization in telemetry, logs and support processes.
- Logical separation per customer/business via authorization controls and data policies (RLS) where applicable.
- Limited access to production data for support, diagnostics or security when necessary.
3. Application and API
- Authentication via identity provider and tokens.
- Access validation at the gateway/API layer and authorization controls by user, business and role.
- Database policies and logical segmentation to reduce exposure between customers.
- Rate limiting, anti-abuse controls and input validation on sensitive endpoints.
- Protections against automated abuse on sensitive public flows, including captcha where appropriate.
- Reasonable review and remediation of vulnerabilities in dependencies, infrastructure and HOSTELELLA's own code.
4. AI processing and minimization
When AI features are used, HOSTELELLA applies specific controls to reduce the exposure of personal data:
- Minimization of the content sent to the AI provider: only what is necessary for the purpose.
- Pseudonymization where possible (e.g., the shift generator operates with initials and operational data, not full names; the reason/type of absences is not transmitted).
- Selection of providers with contractual security commitments and a commitment not to train on commercial data (unless the Customer opts in or a specific contract applies).
- Encrypted transmission and secure management of AI providers' API keys.
5. Operations, monitoring and continuity
- Technical monitoring and activity logs to detect errors, abuse or incidents.
- Backups and recovery mechanisms according to the applicable managed service.
- Reasonable internal recovery and continuity objectives, dependent on the cloud provider and contracted plan.
- Incident response process and assessment of personal data breaches.
- Maintenance and updates for security, stability and compliance.
- Logging of critical security events and retention in accordance with the Retention Policy.
6. Reasonable limitations
This policy summarizes security controls without disclosing details that could weaken the Service. Measures may vary by environment, plan, managed provider and risk. No system is absolutely secure; HOSTELELLA will maintain appropriate and proportionate measures, but the Customer must apply its own internal controls.
7. Sub-processors
HOSTELELLA selects providers that offer adequate security measures for the purpose of the processing. The main sub-processors are published in the Sub-processors Annex.
8. Customer responsibilities
The Customer must protect its devices, accounts and credentials, use strong passwords, limit permissions, review active users, report suspicious access and keep its own copies/exports where required by its operational risk or regulations.