CYBERSECURITY

Built for operators who take security seriously.

ParkLiveMap handles sensitive guest data: plates, identities, stays. Here are our concrete commitments — not marketing.

Sovereignty & hosting

Exclusively hosted in France, on OVHcloud infrastructure (Roubaix / Gravelines).
No data transfer outside the EU. No US third-party CDN. No third-party analytics.
Cloud Act exposure avoided by design: no provider subject to non-EU jurisdiction.

End-to-end encryption

TLS 1.3 for all network traffic, auto-renewed Let's Encrypt certificates.
Encryption at rest: PostgreSQL volumes and backups encrypted AES-256.
Secrets managed via encrypted env vars, never plaintext in source.

Authentication & authorization

Short-lived JWT + rotating refresh tokens.
MFA (2FA via email code) for admin accounts.
Fine-grained roles: Editor, Viewer, per plan. Audited permissions.

Secure PMS integration

All PMS webhooks signed HMAC-SHA256.
Timestamp anti-replay check (5-min window).
Rejected calls logged and alerted on signature anomaly.

GDPR & data processing

DPA (Data Processing Agreement) available on request.
Processing register maintained and accessible.
Automated access, rectification, erasure within 30 days.
Minimization: only required data is stored (plates, dates, never guest photos without explicit consent).

Audit logs & traceability

Every critical action (plan edit, assignment, move, admin login) is tracked.
Immutable logs over at least 12 months, JSON-exportable.
Audit webhook available for SIEM integration (Datadog, Splunk, Elastic).

Backups & continuity

Encrypted daily backups, 30-day retention.
Standby database replica.
RPO < 24h, RTO < 4h.

Web best practices

Strict HTTP headers: CSP, HSTS preload, X-Frame-Options DENY, Referrer-Policy.
No non-essential cookies. No third-party trackers.
Self-hosted analytics (Plausible), DNT respected.

Security question?

Our team answers security questionnaires and provides compliance docs on request.