The security of your information is critical.
Here is how we keep it safe.
Your Airbnb account
Your password is not stored.
We never store your Airbnb account password. In fact, it would be of no use to us, since we connect to Airbnb through their API; that is, for example, how we obtain a user's profile. As you will notice, there is no form in which to enter a password.
Instead of using your password, your account is authenticated with a token that is requested from Airbnb the first time you connect your account to Hospitable.
Only this token is stored in our database, in a secure fashion; your password never is.
Airbnb’s API helps us secure your account.
Airbnb’s API provides authentication with a disposable token. Using this method of identification helps keep your Airbnb credentials secure:
- The token cannot be used to change the account’s password. We could not change the password even if we wanted to.
- If the account’s owner changes the password, Airbnb immediately invalidates every token issued before the change.
This means the account’s owner retains full control over their Airbnb account.
Your token is heavily encrypted and secured.
A token is a sequence of letters and numbers that looks something like OrybQmOWQw2KiWyT94j80bwAU. For security reasons, however, the token cannot be stored in that form and has to be securely encrypted.
We encrypt your token using the same encryption standard that secures the Internet (RSA with 2048-bit keys). There is no master password: each token is encrypted with its own key pair. The private key is itself encrypted using AES-256. In addition, neither the encrypted token nor the keys are accessible from the public Internet.
Without the keys, the stored token is useless, so a data thief could not make use of it.
What it means
All communications between Hospitable and your browser are transmitted over TLS (HTTPS). This protects your account details from eavesdropping. HSTS is also implemented to ensure that browsers interact with Hospitable only over HTTPS.
HTTPS is also enforced when our servers exchange information with Airbnb’s API.
All email communication from us will identify you by name, or will be cryptographically signed by [email protected]. We will never ask you for any personal information by email.
To contact Hospitable securely by email, we advise you to use our PGP key.
Hospitable is PCI Level 2 compliant. An AOC (Attestation of Compliance) is available on request.
We do not process or store credit card details from our customers when they pay for Hospitable services. No payment method information ever reaches our servers. Instead, we hand off credit card and PayPal processing to Braintree, which powers online transactions for thousands of businesses and complies with PCI standards in the storage and handling of credit card information.
We do not process or store credit card details from Airbnb and Vrbo guests. For Booking.com guests, we store tokenised credit card details in compliance with PCI-DSS requirements and hand off payment processing to Stripe.
We follow industry-standard practices to secure our servers. They are located in premium data centers with restricted access, strong authentication, firewall protection, and mandatory identification.
We run automated infrastructure vulnerability scans of exposed ports and SSL configuration once a month.
We periodically engage a third party for black box and grey box penetration testing. The latest was performed in November 2020.
Together with our own efforts, these security scans and penetration tests help ensure that no vulnerability is putting your data at risk.
We use Sqreen to detect account takeover attempts and to prevent vulnerability discovery. On top of that, we perform frequent internal code reviews focused on potential security issues.
Report a security issue
Security vulnerabilities are an unfortunate but common issue in software. We take them very seriously and we appreciate your help in notifying us of vulnerabilities in a responsible manner. We will respond to any security issue within a maximum of 24 hours.
Responsible Disclosure: We would like to keep Hospitable safe and secure for everyone. If you have discovered a security vulnerability we would greatly appreciate your help in disclosing it to us in a responsible manner.
Publicly disclosing a vulnerability can put the entire Hospitable community at risk. If you have discovered a possible vulnerability, we would greatly appreciate you emailing us at [email protected]. We will work with you to assess and understand the scope of the issue and fully address any concerns. We will ensure that issues are addressed rapidly. Any security emails are treated with the highest priority as the safety and security of our service is our primary concern.