Data in Transit

All communication between your browser and the Ananas GDS platform — as well as between the platform and any API consumer — uses HTTPS (TLS 1.2 or higher). Unencrypted HTTP connections are not accepted and are automatically redirected.

API responses are transmitted over encrypted channels. Image delivery via CDN is also served exclusively over HTTPS.

Data at Rest & Storage

Structured Data

Image Data

Image URL security
Image URLs in API responses and widget embeds are hashed and access-controlled. Even if someone intercepts an image URL, the platform verifies whether the requesting domain or token has permission to access it before serving the image.

Access Control

Account Level

Partnership Level

API Level

API & Token Security

Best Practices for Token Handling

Domain & IP Restriction

Each token carries a whitelist that is enforced differently per transport. Browser widgets are checked against the embedding page's domain (from the Origin/Referer header), with forgiving normalisation and apex-covers-subdomain matching; a request from a non-authorised domain receives 403 Forbidden. Because widgets serve only already-published public fact-sheet data, a request that arrives with no referrer still renders and is logged rather than blocked, so the widget whitelist acts as a hot-link deterrent.

The server-to-server v1 pull API (which serves contracted, non-public data) is gated on the caller's source IP (REMOTE_ADDR) against exact IP, CIDR, or DNS-resolved domain entries; the spoofable X-Forwarded-For header is ignored, and an empty whitelist fails closed. This prevents unauthorised third parties from embedding or pulling your property data.

Image Security

Account Security

Password Requirements

Two-Factor Authentication

2FA support is currently in development and will be available in an upcoming release. When launched, 2FA will be available via authenticator app (TOTP) and will be optional for all accounts, with mandatory enforcement available for Premium plans.

Session Management

Account Verification

The Ananas GDS team manually verifies company information for new registrations. Accounts flagged as potentially fraudulent or impersonating another company may be suspended pending further review.

GDPR & Data Privacy

Ananas GDS operates under European Union data protection law (GDPR). The platform is designed for B2B use — the primary data handled is accommodation property information, not personal consumer data. However, several GDPR-relevant areas apply:

Data You Store

Data Portability

You can export all your property data (fact sheets, availability history, photos) at any time via the Export Centre in Developer Tools. For a full account data export, contact client@ananas-gds.com.

Data Deletion

To request deletion of your account and all associated data, contact support. Following deletion, data is removed from active databases within 30 days. Anonymised aggregate statistics may be retained.

Data Processing Location

Data is processed and stored on servers within the EU. CDN edge nodes may cache image data globally for performance, but the origin storage remains EU-based.

GDPR Documentation
For our full Privacy Policy and Data Processing Agreement (DPA), please contact client@ananas-gds.com. A DPA is available to all enterprise and contracted partners on request.

Reporting a Vulnerability

If you discover a security vulnerability in the Ananas GDS platform, please report it responsibly:

Please do not publicly disclose the vulnerability until we have had the opportunity to investigate and remediate it. We aim to acknowledge all reports within 48 hours.