Your hotel’s data, protected by design.
Trust is the foundation of every hotel we work with. This page is a transparent overview of how chatlyn protects your data: encryption and access controls, the GDPR framework we operate under, our subprocessors, and how we support your own compliance obligations.
Six commitments we make to every hotel
The shortest version of how chatlyn handles your data and your guests’ data.
GDPR compliant
Built in Vienna under EU data protection law. An external DPO audits our processes.
EU data residency
Guest data is stored on AWS Frankfurt and MongoDB Frankfurt. Never leaves the EU without safeguards.
Encrypted everywhere
TLS 1.2+ in transit. AES-256 at rest. Passwords hashed, access keys rotated and restricted.
DPA ready
A standard Art. 28 GDPR Data Processing Agreement is available on request in EN and DE.
OWASP aligned SDLC
Development follows OWASP Top 10 awareness. Change management, code review and patching are enforced.
DPIA supported
We supply every document a controller needs to run a Data Protection Impact Assessment under Art. 35.
Direct answers on OWASP, DPIA and pen-testing
The three questions procurement and IT teams ask us most often.
Security controls, by category
These are the measures documented in Appendix 2 of our Data Processing Agreement. Actively enforced and reviewed regularly.
Logical access control
Access rights are granted strictly according to the need-to-know principle. Privileged access is limited to employees with a documented business need.
Authentication enforced
Personal data is only accessible after successful authentication. Two-factor authentication is available and required for all administrative accounts.
Strong password policy
Passwords require 8+ characters with mixed case, numbers and special characters. Stored encrypted only. Governed by a policy known to all employees.
Network segmentation & firewalls
A firewall separates the internal network from the internet and blocks incoming traffic as far as possible. Production network access is restricted.
Anti-malware on all systems
Anti-virus software is installed on all systems where feasible. All incoming emails are automatically scanned for malicious software.
Vulnerability management SLAs
Automatic security updates enabled where possible. Critical patches within 3 business days, medium within 25, low within 40.
Encryption in transit & at rest
TLS 1.2 or higher for all web traffic. Data at rest encrypted with AES-256. Encryption keys are access-restricted.
Defined security roles
Internal responsibilities for data security are formally defined. Management oversees information security controls.
Employee confidentiality
All employees are bound to confidentiality obligations that extend beyond employment. Data may only be shared with third parties under explicit instruction.
Security awareness training
Employees are trained on data security topics internally or externally and kept informed of new threats.
Orderly offboarding
On termination, all accounts of the leaving employee are immediately disabled and hardware keys collected.
Unique user accounts
Every person has their own user account. Account sharing is prohibited. Administrative accounts are used only in exceptional cases.
Hardware inventory
Records are kept of end devices assigned to specific employees, including PCs, laptops and mobile phones.
Input control
Procedures are in place to control the accuracy of personal data entering the system.
Subprocessor vetting
Service providers are evaluated on their data security level. Processors are only engaged after a processor agreement is in place.
Secure data disposal
Paper is shredded or handed to a secure destruction service. Media are overwritten or physically destroyed before disposal.
Regular malware scans
Anti-virus scans are performed on a scheduled basis to identify malicious software that has compromised a system.
Automated log evaluation
Security log files across systems are collected centrally and automatically evaluated to detect potential breaches.
Manual log review
Log files are reviewed by hand at regular intervals, in particular for unsuccessful authentication attempts.
Security mailing lists
Responsible staff subscribe to relevant vendor and industry security mailing lists to stay aware of current threats.
Incident reporting procedure
All employees are trained to detect and report security incidents. Technical procedures are in place for raising anomalies to responsible staff.
Regular internal audits
Audits verify that critical security updates are installed, access rights are correct, and key assignments are valid.
Access review cycles
Access grants and authorisations are reviewed on a regular cadence to ensure they remain appropriate.
Regular data backups
Backups are created on a regular schedule and stored securely by our cloud providers.
Documented recovery concept
A concept for the rapid restoration of backups is in place to allow timely return to regular operation after a security event.
Automatic malware removal
The anti-virus software in use automatically removes malicious software it detects.
Mandatory breach reporting
Every employee is instructed to report security violations immediately to a defined internal contact.
72-hour breach notification
Security breaches can be reported to the supervisory authority within 72 hours as required by Art. 33 GDPR. Emergency contacts are distributed to all staff.
Service provider incident channel
All service providers are given contact details they can use to report security breaches to us.
Automatic risk alerts
Users receive automatic warnings about risk-entailing IT use, for example invalid SSL/TLS certificates flagged by the web browser.
Insider-attack sanctions
All employees are informed that attacks on company IT systems are not tolerated and may carry serious consequences under employment law, including dismissal.
Physical access control
Access to business premises is only permitted to non-employees when accompanied by a member of the company.
Burglary protection
Entry points to business premises are fitted with adequate burglary protection such as security doors of higher safety classes.
Strict key management
Physical keys are issued only to trustworthy persons, and only for the scope and duration for which they require independent access.
Address visitors on premises
All employees are instructed to address any non-employee they encounter unaccompanied on the premises.
Fire safety equipment
A suitable number of fire extinguishers is present on the premises and all employees know their location.
How chatlyn keeps WhatsApp GDPR-compliant
One of the most frequent questions from EU hotels. Here is exactly what happens to a guest message.
Guest sends a message
The guest sends a message to a number linked to a WhatsApp business account connected to chatlyn.
Encrypted to 360dialog
The message is transmitted end-to-end encrypted to 360dialog, the official WhatsApp Business Solution Provider.
Handed to chatlyn
360dialog forwards the message and stores it only temporarily, exclusively on EU servers, for the duration of the transmission.
Stored in Frankfurt
The message lands on chatlyn servers in Germany (AWS Frankfurt). Your staff read and respond inside the chatlyn app.
The key point: because your staff never install the WhatsApp app on their devices, no contact or customer data is transmitted to Meta by chatlyn. 360dialog stores data only temporarily and only on EU servers. Meta remains the sole controller for WhatsApp metadata only. This setup meets all GDPR requirements for EU hotels.
Every third party we share data with
The full list from Appendix 3 of our DPA. We notify controllers of any changes and give a 14-day objection window.
EU / EEA based
Data stays in EU
Amazon Web Services EMEA SARL
Hosting of chatlyn internet services.
Germany (Frankfurt)
MongoDB Deutsche GmbH
Database hosting.
Germany (Frankfurt)
360dialog GmbH
WhatsApp Business Solution Provider interface.
Germany
ims media gmbh (my-bookings)
Processing of Airbnb messages.
Austria
Vonage B.V.
Outbound SMS (fallback channel only).
Netherlands
Outside EU, with GDPR safeguards
Standard Contractual Clauses
OpenAI, LLC
Providing AI-powered functionality within chatlyn.
United States
Zapier, Inc.
Connection of interfaces between chatlyn and third-party systems.
United States
Ready-to-sign and ready-to-review
The documents procurement and legal teams most commonly ask for. Available in English and German.
Data Processing Agreement (DPA)
Standard Art. 28 GDPR agreement, including full TOM appendix and subprocessor list. Ready to execute.
Privacy Policy
How chatlyn processes data of customers, contacts and service providers as a controller.
Terms & Conditions
Our standard service terms governing the use of the chatlyn platform.
Security questionnaire support
We complete vendor security and privacy questionnaires (SIG, CAIQ, bespoke formats) on request.
Questions we are asked most often
Where is our data hosted?
chatlyn’s production environment runs on AWS Frankfurt, Germany. Our database is hosted on MongoDB in Frankfurt, Germany. Your guest data does not leave the EU for core processing.
Is data encrypted in transit and at rest?
Yes. All web traffic uses TLS 1.2 or higher. Data at rest is encrypted with AES-256. Encryption keys are access-restricted to authorised personnel only.
What access controls protect the platform?
Two-factor authentication, a strong password policy, role-based user permissions, and granular access control for administrative actions. Admin access uses unique per-user credentials.
Is chatlyn GDPR compliant?
Yes. chatlyn GmbH is headquartered in Vienna, Austria, and operates under GDPR (EU 2016/679) as a data processor on behalf of its customers. We sign a standard Data Processing Agreement under Art. 28 and support data subject rights under Chapter III of the GDPR.
Do you work with an external data protection auditor?
Yes. chatlyn works with an external GDPR consultant and auditor to review and audit our data protection processes.
How is WhatsApp messaging kept GDPR-compliant?
chatlyn uses 360dialog as an official WhatsApp Business Solution Provider. Because your staff never install the WhatsApp mobile app on their devices, no contact data is transmitted to Meta by chatlyn. 360dialog stores messages only temporarily, on EU-based servers. Meta acts as sole controller only for metadata of the WhatsApp communication layer itself. The full flow is in the WhatsApp compliance section above.
Is your development process OWASP aligned?
Our development process is designed with awareness of the OWASP Top 10 web application risks. See the “For your security team” section above for the category-by-category mapping of our controls.
Do you support a Data Protection Impact Assessment (DPIA)?
Yes. We provide all documentation a controller needs for a DPIA under Art. 35 GDPR: the DPA, technical and organisational measures, the subprocessor list, data flow documentation, and assistance responding to data subject rights requests. See the “For your security team” section above.
How long is our data retained, and what happens at contract end?
Your data is stored for the duration of our service agreement. On contract end, chatlyn will, at your choice, either return or delete all personal data, including existing copies, unless Union or Member State law requires continued storage.
Can we audit chatlyn?
Yes. Under our DPA, you or an independent third party may conduct a pre-announced audit of our processes during business hours. The audit must be carried out in a manner that does not disrupt operations.
How are security incidents and breaches handled?
All employees are required to immediately report security incidents to a defined internal contact. We have procedures in place to notify the supervisory authority and affected customers within the 72-hour window required by Art. 33 GDPR.
Do you perform penetration testing?
Internal code reviews, dependency scanning and configuration audits are performed regularly. Formal third-party penetration testing can be shared with qualified prospects under NDA. Contact us at .
Want a deeper conversation with our team?
We are happy to walk your security, IT or procurement team through anything on this page, complete vendor questionnaires, or share our DPA and supporting documentation.