Security & Compliance

Security and Compliance represent key aspects of any product your team uses. Familiar is committed to securing access to your data, eliminating system vulnerabilities and ensuring continuity of access.

Last updated: January 2026

1. Introduction

At Familiar, security is not an afterthought — it is a foundational principle embedded in every layer of our platform, from infrastructure design to daily operations. We understand that our clients entrust us with sensitive hospitality data, and we take that responsibility seriously.

This page provides an overview of the technical and organizational measures we implement to protect your data, ensure regulatory compliance, and maintain the availability and integrity of our Services.

2. Security Governance

Familiar maintains a structured security governance framework that includes:

  • A designated security lead responsible for overseeing information security policies, procedures, and incident response
  • Regular internal security reviews and risk assessments to identify, evaluate, and mitigate threats
  • Documented security policies covering access management, data handling, incident response, and business continuity
  • Security awareness training for all team members, including onboarding security briefings and periodic updates
  • Continuous monitoring of industry developments, threat intelligence, and regulatory changes

3. Infrastructure and Hosting

Our infrastructure is designed for security, resilience, and data sovereignty:

  • European Union hosting: all production data is hosted within the EU, ensuring compliance with EU data residency requirements and the GDPR
  • Tier III data centers: our cloud infrastructure providers operate Tier III (or equivalent) data centers, providing redundant power, cooling, and network connectivity with 99.982% availability
  • Network security: production environments are isolated using Virtual Private Clouds (VPCs) with strict firewall rules, security groups, and network access control lists
  • Infrastructure as Code: all infrastructure is managed through code (Terraform), ensuring reproducibility, auditability, and version control of all configurations
  • Automated patching: operating systems and dependencies are regularly updated and patched to address known vulnerabilities

4. Access Control

We enforce strict access control measures following the principle of least privilege:

  • Role-Based Access Control (RBAC): all access to systems, data, and administrative tools is governed by role-based permissions. Users are granted only the minimum access necessary to perform their duties.
  • Least privilege: access rights are reviewed regularly and revoked promptly when no longer needed, including upon role changes or offboarding
  • Multi-factor authentication (MFA): MFA is required for all administrative access to production systems and cloud infrastructure
  • Secrets management: credentials, API keys, and secrets are stored in dedicated secrets management services and are never hardcoded in source code
  • Audit trails: all access to sensitive systems is logged and monitored

5. Data Encryption

We protect your data with strong encryption at every stage:

  • Encryption in transit: all data transmitted between your browser and our servers, and between internal services, is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints and HSTS headers to prevent downgrade attacks.
  • Encryption at rest: all data stored in our databases, file storage, and backups is encrypted using AES-256 encryption, managed through cloud-native key management services.
  • Key management: encryption keys are managed through dedicated key management services with automatic rotation, access controls, and audit logging.

6. Application Security

Security is integrated into our software development lifecycle:

  • Secure development practices: our engineering team follows secure coding guidelines, including input validation, output encoding, parameterized queries, and proper error handling
  • Code review: all code changes undergo peer review before being merged into production, with a focus on security implications
  • Dependency scanning: we continuously monitor third-party dependencies for known vulnerabilities using automated tools and promptly apply patches
  • Static analysis: automated static analysis tools are run as part of our CI/CD pipeline to detect potential security issues before deployment
  • Penetration testing: we conduct periodic security assessments and penetration tests to identify and remediate vulnerabilities

7. Monitoring and Logging

Continuous monitoring and comprehensive logging are essential to our security posture:

  • Centralized logging: application, infrastructure, and security logs are aggregated in a centralized logging system for analysis, correlation, and retention
  • Real-time monitoring: we monitor system health, performance, and security events in real time, with automated alerts for anomalous behavior
  • Error tracking: application errors are tracked and triaged using dedicated error monitoring services (e.g., Sentry) to ensure rapid detection and resolution
  • Log retention: security and access logs are retained for 6 to 12 months depending on the type and sensitivity, in accordance with our data retention policy

8. Incident Response

Familiar maintains a documented incident response plan to handle security incidents effectively and transparently:

  • Detection and triage: potential incidents are detected through monitoring, alerts, and reports. Each incident is assessed for severity and impact.
  • Containment and eradication: immediate steps are taken to contain the incident, prevent further damage, and eliminate the root cause.
  • Notification: in the event of a personal data breach, we will notify the relevant supervisory authority (the CNIL) within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR. Affected data subjects will also be notified without undue delay where required by Article 34.
  • Post-incident review: after resolution, we conduct a thorough post-incident review to identify lessons learned and implement measures to prevent recurrence.
  • Client notification: clients whose data may have been affected will be notified promptly with details about the incident, its impact, and the measures taken.

9. Business Continuity

We implement measures to ensure continuity of access and rapid recovery in the event of a disruption:

  • Daily backups: all production databases are backed up daily. Backups are encrypted and stored in geographically separate locations within the EU.
  • Point-in-time recovery: our database infrastructure supports point-in-time recovery, allowing restoration to any point within the backup retention window.
  • Disaster recovery: we maintain disaster recovery procedures and test them periodically to ensure that services can be restored within acceptable timeframes.
  • Redundancy: critical components are deployed with redundancy to minimize single points of failure.

10. Data Protection and GDPR

Familiar is committed to compliance with the General Data Protection Regulation (GDPR) and applicable French data protection laws:

  • Lawful processing: we process personal data only with a valid legal basis (contract performance, legitimate interest, consent, or legal obligation)
  • Data minimization: we collect only the personal data that is necessary for the specified purposes
  • Data subject rights: we provide mechanisms for data subjects to exercise their rights, including access, rectification, erasure, portability, and objection
  • Data Processing Agreements: we enter into DPAs with all clients for whom we act as a data processor, defining the scope, purpose, and conditions of processing
  • Privacy by design: data protection considerations are integrated into the design and development of new features and services

11. Sub-Processors

We use a limited number of sub-processors to deliver the Services. Each sub-processor is carefully vetted for its security and data protection practices, and is bound by a data processing agreement that imposes obligations no less protective than those in our own DPA.

We maintain a current list of sub-processors and notify clients of any changes in accordance with the terms of our Data Processing Agreement. Clients may object to the addition of a new sub-processor within the timeframe specified in the DPA.

12. Certifications and Standards

Familiar is committed to meeting and exceeding industry security standards:

  • GDPR compliance: we are fully compliant with the General Data Protection Regulation and the French Loi Informatique et Libertés
  • EU data hosting: all production data is hosted exclusively within the European Union, ensuring data sovereignty and compliance with EU data residency requirements
  • SOC 2 preparation: we are actively preparing for SOC 2 Type II certification, which will provide independent validation of our security, availability, and confidentiality controls
  • ISO 27001 preparation: we are working toward ISO 27001 certification to formalize our information security management system (ISMS) and demonstrate our commitment to internationally recognized security practices

13. Service Availability

Familiar strives to maintain high availability of the Services. While we do not currently publish a formal SLA on this page, our infrastructure is designed for resilience:

  • Auto-scaling to handle variable traffic loads
  • Health checks and automated failover for critical services
  • Scheduled maintenance windows communicated in advance to minimize disruption

For clients with specific uptime requirements, service level commitments may be included in the applicable Order Form.

14. Shared Responsibility

Security is a shared responsibility between Familiar and our clients. While we are responsible for securing the platform and infrastructure, clients are responsible for:

  • Managing user access and permissions within their workspace, including promptly revoking access for departing team members
  • Using strong, unique passwords and enabling multi-factor authentication where available
  • Ensuring that data imported into the platform has been lawfully collected and processed
  • Reporting any suspected security incidents or vulnerabilities to Familiar promptly
  • Complying with applicable laws and regulations in their use of the Services

15. Changes to This Page

We may update this Security & Compliance page from time to time to reflect improvements to our security practices, new certifications, or changes in applicable regulations. When we make material updates, we will revise the “Last updated” date at the top of this page.

16. Contact

If you have questions about our security practices, wish to report a security concern, or need additional information for your security review, please contact us at:

  • Email: security@familiarhq.com
  • Postal mail: Familiar SAS, 1663 rue de Majornas, 01440 Viriat, France
