Security and Privacy Overview

At Greenstone our mission is to help you manage and grow your business with best-in-class reservation and logistics tools. We value security and privacy as one of our most important responsibilities when it comes to achieving that mission. Each section below discusses our approach to meeting or exceeding compliance requirements with regards to your business’ data and security.


The GDPR – General Data Protection Regulation – is the data privacy standard in the European Union (EU) governing the protection of personal data of EU residents. To help you comply with the GDPR, we offer the following support:

The right to be informed.

Please note that you, as the activity provider, qualify as the data controller of your customer’s data and are therefore legally required to provide customers with information about which personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed by you. ‘Processed’ is a very broad definition under the GDPR and entails, amongst others, the collection, recording, structuring, storage, adaptation, use, erasure or destruction of personal data. Upon request, we shall make available information requested by you if this information can only be reproduced by us and this would be necessary to meet your GDPR obligations.

Data access, portability, rectification and erasure.

After booking, your customers can request their stored data to be provided and, if need be, deleted. If you submit a form through, you can similarly request that your stored data be provided and, if need be, deleted. Data requests can be made via our Data Request Form.

All data requests are reviewed and authenticated by security. Data is deleted within 30 days for authenticated requests. Once removed, a notification is sent to you, as the activity provider, to confirm that the data removal has been completed. Deleted contact information, such as the customer’s name, email, and phone number, will appear as [Removed] inside of Greenstone.


CCPA is a Californian law securing the right of Californians to know what personal information is being collected about them, to know whether their personal information is sold or disclosed and to whom, to say “no” to the sale of personal information, to access their personal information, and to equal service and price, even if they exercise their privacy rights.

For more information on how we comply with the CCPA and how you can exercise your rights, please read our Privacy Statement.

PCI Compliance

Every business involved in processing, storing, or transmitting credit card data must adhere to the Payment Card Industry Data Security Standards. At Greenstone, we take payment card security extremely seriously. Greenstone is PCI compliant and that extends to all payments processed via our systems. In addition, no cardholder data is stored by Greenstone. All payments collected through Greenstone are processed by PCI Level 1-certified service providers, such as Stripe, PayPal or Adyen.

Greenstone reports yearly on a PCI SAQ-D (the most stringent way to report PCI compliance). These requirements include, but are not limited to:

  • Undergoing quarterly security scans by a PCI Approved Scanning Vendor and constantly monitoring for vulnerabilities.
  • Adhering to rigorous industry standards regarding data encryption and storage.
  • All data is encrypted in transit using TLS1.1 or greater.
  • Equipping our systems with best-in-class security tools like intrusion detection and file integrity monitoring along with isolating our networks from the internet.
  • Training our engineers and employees about all modern best practices regarding cybersecurity.
Your Business’s PCI Compliance

Every business that’s involved with the processing of credit cards must comply with the PCI DSS requirements, though many of them will be satisfied solely because you use Greenstone. However, your bank may still require certification that you are adhering to the PCI security standard. If Greenstone is your sole point of sale system and you don’t accept EMV payments, this can usually be done easily by completing a PCI SAQ-A and providing that document to your bank.

If you accept EMV payments and/or Greenstone is not your primary point of sale, you may need to report on different guidelines. Please reach out to to schedule a PCI discovery session or with any PCI compliance questions.

Organizational Security & Infrastructure

All Greenstone employees are trained about the importance of privacy and security and must adhere to an inflexible, comprehensive internal security and data use policy.

Greenstone runs in Amazon Web Services’ highly secure data centers. The Greenstone application runs inside a Virtual Private Cloud, with individual hosts protected by firewalls configured with the most stringent rules. All communication with Greenstone is protected at the network level using industrial-strength, secure protocols. A secured architecture, internal best practices, and third-party audits are all important components of our security program.