We are committed to processing your data responsibly at every stage of your journey with TravelPerk. Our products put your privacy first.
Your data. Your rights.
Compliance with data protection laws
Security
Privacy by Design
You have control
Transparency
Compliance with data protection laws
We believe in the importance of protecting your privacy and adhering to EU and UK GDPR, CCPA and other applicable privacy regulations.
Our data center is located in the EU (AWS Ireland – EU-West-1).
Our sub-processors located outside the EU/EEA and UK adhere to the latest Standard Contractual Clauses (EU and UK SCCs) for the transfer of personal data outside of Europe.
We put additional safeguards in place when we deem the SCCs insufficient to ensure safe international data transfers.
We have Data Processing Agreements with all suppliers who access personal data processed by TravelPerk.
We support you in performing your privacy obligations as data controllers.
We apply world-class technical and organizational measures to protect and secure your personal information.
Security
We have a comprehensive security program designed to keep your personal data safe.
ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3, PCI DSS Level 1, and BSI’s C5 certified data center (AWS).
Encryption in transit and at rest with both the platform and at the TravelPerk endpoint.
Technical, Organizational and Physical Security (Art. 32 GDPR)
Data Transfer
Data subject requests
What information do you collect?
We process the following information to provide you with our product and services:
Identification information such as full name, ID or passport details, contact details, date of birth, professional address, nationality/citizenship, country of residence, and email address, including work emails containing full names.
Travel affiliation cards.
Special meals, special needs if any.
Means of payment.
Information on bookings and trips and related requests.
Are you a Processor or a Controller of the personal data provided by us, the customer, in the course of the services provided by your company?
TravelPerk is a data processor when processing personal data of our customers as we arrange travel on their behalf.
For admins, visitors, and prospective customers, where we are processing your data directly, we are data controllers.
Where do you store our personal data?
Our platform is hosted within Amazon Web Services (“AWS”, located in Ireland, EU). AWS comes with extremely high availability/uptime, a range of security features and tools, and it is certified to a number of standards including ISO 27001, ISO 27017 and ISO 27018, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1, and BSI’s C5.
How can I get a signed copy of the Data Processing Agreement?
Please contact your account manager to ask for an executed version of the Data Processing Agreement.
Is your organization registered with the Information Commissioner's Office (ICO) and other relevant Data Protection Authorities for data protection law purposes?
We are registered with the Supervisory Authorities in the UK (ICO) and Spain (AEPD), where we are legally required to do so.
Do you have a designated Data Protection Officer?
Yes. Contact details are as follows: Tiffanie Horsfall; dpo@travelperk.com; Avinguda Catedral 6-8 1ª Planta, 08002 Barcelona (Spain).
What technical, organizational and physical security measures do you have in place?
The main appropriate technical, organizational and physical measures TravelPerk have in place are:
Data Encryption at rest
Data Encryption during transit
Frequent vulnerability scanning
Bi-annual penetration testing
Bug bounty program
Advanced threat detection via AWS GuardDuty
SAML based SSO support
Training and awareness programs
Data protection related policies and procedures
Access control and risk management
CCTV
Building and room access control
For the complete and updated information on TravelPerk’s security measures please refer to the following:
The data we process is encrypted in transit and at rest with both the platform and at the endpoint within TravelPerk. This includes our website, workspace, email encryption, backups and use of TravelPerk’s company-provided VPN for remote access.
Is the data pseudonymised?
Pseudonymisation is practiced where deemed necessary for instances such as minimising data processing and reducing duplication of personal data.
We have a formal procedure in place which works alongside the Incident Response Plan but is specific to breaches containing personal data.
We investigate, risk assess and evaluate each situation with key stakeholders to resolve and mitigate risks of further occurrence. The procedure, breaches and risk assessments are documented and reviewed every 6 months.
How do you ensure our customers’ data are kept confidential with those it is shared with?
Individuals who process personal data on behalf of TravelPerk are required to sign contracts with confidentiality clauses.
Third parties who process personal data on our behalf have data protection agreements in place before personal data is shared with them. In addition, due diligence questionnaires and security assessments are undertaken.
We have a Intercompany Data Processing Agreement with all our entities outside of the EEA, to ensure adequate privacy and security are upheld when processing personal data.
What is your data retention policy?
Our data retention policy outlines all the legal retention rules to which we at TravelPerk adhere to such as customer data under contractual law. We additionally have schedules for each team which outlines retention periods for personal data processed for business activities outlined in our privacy policy.
Once this retention period expires, the relevant personal data is deleted.
Do you transfer personal data provided by us, the customer, outside of the EEA and in which countries?
We have some trusted third parties we use to provide our services to you where in the course of business personal data is processed outside of the EEA. This is the US, Philippines and India. Please see our sub-processors list which contains more information.
Data may also be accessed by our employees in countries outside of the EEA. We have confidentiality agreements and intercompany data sharing agreements in place to facilitate secure transfers in such circumstances.
What is the transfer mechanism you rely on in relation to Chapter V of the GDPR?
We rely primarily on having Standard Contractual Clauses in our contracts with our sub-processors.
What, if any transfer impact assessments have you carried out to assess the risk of the third country transfer?
We send Data Protection Questionnaires to all our suppliers in order to do a first assessment of the risk of the transfer and determine the effectiveness of the transfer mechanisms we put in place (SCCs).
Which supplementary measures have you implemented as provided for in Recommendations 01/2022 of the EDPB?
Based on the responses received from the supplier to our Data Protection Questionnaire, as well as on the risk of the legislation and practices of the third country for potential disclosure requests of personal data, we put additional safeguards in place, including both technical and organisational measures and contractual safeguards.
If the third country does not provide essentially equivalent protection, even with the implementation of supplementary measures, do you have procedures in place to stop or suspend such transfers?
Our DPA have a contractual remedy of contract termination where there is an inability to provide us with adequate international data transfer measures. The process of deleting /returning data takes place as if the natural end of the contract. In other cases, there are clauses to suspend the services/transfers.
How do you perform privacy by design?
We embed privacy into TravelPerk’s culture by ensuring that the following are in place:
A training programme for all who access personal data.
Data protection is led from the top down with employees in data protection roles. overseeing the procedures implemented.
DPO in place.
We are currently working on automating our processes to allow for automated updating in data mapping, records of processing, our privacy policy and our SAR workflow.
Ensuring accountability at each stage of processing of data from collection to deletion -identified through our data flow map.
How do I delete my personal data from TravelPerk?
Data can be deleted by customer’s Admins at the People directory on the platform. More information can be found here.
A request can also be made to us within the platform via our Customer Care team or by emailing the Privacy team at personaldat@travelperk.com. We will handle this request within a calendar month.
If a customer expresses a wish to stop using our product and services or to close the company account, we will proceed to do so, deleting personal data within.
There may be data we will need to retain for a set period of time to comply with our legal obligations, which is permanently deleted after this period lapses.
How do you provide data subject access requests (DSARs)?
Once we receive a DSAR request, we will notify our customer to action as the data controller.
Upon successful verification of the requestor, we provide copies of the personal data or information requested via encrypted transfer.
In which format do you provide DSARs?
DSARs are provided in PDF format and via our end-to-end encryption platform. We also send copies of a customer’s personal data via our end-to-end encrypted file sharing platform for added security. We will handle this request within a calendar month.
