Your trust is our most valuable asset

TravelPerk complies with applicable data protection laws, such as the EU GDPR, the UK GDPR, and the California CCPA. We have implemented appropriate technical and organizational measures to secure personal data shared with us. This includes ensuring that data is encrypted both in transit and at rest, within the platform and at endpoints. To ensure compliance, TravelPerk personnel receive relevant training, and we have centralized policies in place. Prior to accessing personal data, every individual and company undergoes a form of due diligence assessment and is bound by confidentiality obligations. Data processing agreements are in place with all our sub-processors, with the latest standard contractual clauses for international transfers issued by the European Commission on 4 June 2021, where applicable.

Our information security management system (ISMS) aligns with ISO 27001 guidelines for technical and operational controls for confidential and personal data security. Additionally, our platform is hosted on Amazon Web Services (AWS) in data centers located within the EU, with industry-defining security protocols.

We have implemented a range of controls to comply with the GDPR. To ensure privacy by design and by default, we focus on the lifecycle of customers’ data. We apply technical, organizational, and physical security measures from the moment personal data is entrusted to us until it is securely destroyed. These controls range from advanced Endpoint Detection & Response (EDR) to cloud security and monitoring. Our offices are also protected with a variety of measures, including 24/7 security guards and CCTV. For more details, please refer to our Security Whitepaper and Security Measures (TOMs) document.

Yes. Nowadays, encryption is one of the most basic security measures for protecting confidential data. We use AES-256 to encrypt your data at rest, including backups. For data in transit, we enforce a minimum of TLS v1.2 and do not support older legacy versions.

For password storage, we follow NIST recommended standards with our choice of hashing algorithm and password stretching mechanism. Our email system is also automatically encrypted using S/MIME wherever supported.

Yes, we maintain several security policies, including an Information Security Policy as part of our Information Security Management System (ISMS). These policies align with recognized global best practices in information and cyber security, such as ISO27001, ISO27005, and OWASP, and provide strategic direction for maintaining our ISMS.

Yes, we have a staff awareness training programme on privacy and security best practices in place. We believe in modifying behaviours for the better, not just ticking a compliance box with annual online training, which is why we provide in-house designed training to all employees, new joiners and relevant contractors. We also carry out phishing simulations, custom awareness posters, “Capture the Flag” style events, and more. We also implement role-based access control at TravelPerk – this means that only a limited number of our staff have access to customer data, based on the job role and on a strict need-to-know basis.

Your payment data is safe when you make payments within the TravelPerk platform. We teamed up with Stripe to securely store your credit card information and process your payment requests. TravelPerk will never see, store or process your payment card information – it’s always managed by Stripe; we simply use unique and anonymized reference numbers to connect with Stripe and charge you for bookings and services. Stripe processes customer data as an independent controller – please check Stripe’s Privacy Policy for more information on how they protect your personal data.

At TravelPerk, we are committed to continuously improving the security of our systems by reinforcing and updating our existing security measures. While we strive to meet our obligations under data protection laws, we cannot agree to individual customer security policies. As a global travel management SaaS company with a wide range of customers, we must maintain consistent and comprehensive security policies to ensure appropriate protections and consistency in our approach.

Rest assured, however, that we are happy to respond to security and audit questionnaires upon request. This will help you confirm that TravelPerk is fulfilling its obligations regarding the security of personal data. We understand the importance of maintaining the highest level of security for our customers and are dedicated to meeting these standards.

Our sub-processors have a contractual commitment to comply with equivalent technical and organisational security measures (TOMs) as those we offer to our customers. Our updated Security TOMs are available here. 

We request sub-processors to provide sufficient technical and operational security measures as well as measures to ensure compliance with relevant data protection laws. All sub-processors and vendors that will host customer data undergo thorough security audits and risk assessments conducted by both our Information Security team and our Privacy team to ensure compliance with these requirements. We also use continuous security monitoring to keep track of our vendors.

Vulnerability management. Periodic penetration testing simply isn’t enough for a fast-changing environment like ours. So we take our vulnerability management much further. We conduct daily dynamic vulnerability scans of our web application, while our mobile application is also scanned daily with a variety of static, dynamic and interactive testing. This, combined with any bug bounty program submissions or penetration test findings, is quickly reviewed and acted upon according to severity.

Malware prevention. As you might expect for an international company like us, we leverage world-class endpoint detection and response tooling. Using behavioural detection, this helps keeping us protected from next-generation attacks that signature-based systems won’t recognise. Our fast and efficient connection capabilities enable us to respond promptly to endpoint incidents anywhere in the world. We also have various solutions in place to ensure malicious software doesn’t enter our systems or travel applications.

Monitoring. We collect activity and access logs and important information from a variety of sources. Where we receive any alerts or other triggers, our team promptly inspects and investigates the suspected incident. Wherever possible, our tools are configured to detect suspicious activity and bring it to our attention without delay. This includes monitoring and alerts from across our own IT estate and tooling, in addition to our business travel applications.

Our Security team is trained in taking the lead for any security incident that might occur, getting the right people into the room and coordinating any response required by following our Incident Response Plan. We don’t introduce bias early on by assuming a severity level from what might initially be limited information. Instead, we treat every incident with equally high priority and importance until we have information to prove otherwise.

We have an engineering on-call system 24/7 so that should an incident occur out of hours that affects confidentiality, integrity or availability, our engineers can respond, escalate and swiftly resolve any issue, supported by our Security team. We follow best practices by maintaining an incident tracker and analysing incidents afterwards to ensure lessons are learned, and any possible improvements are made.

Yes, we have an Incident Response Plan that has been approved by the CTO. It sets out roles, responsibilities, contact details and steps to take in the event of a suspected incident. We also have an Incident Management Team in place. 

You can find more information on our Security page, Security Whitepaper and Security Measures (TOMs) document.

Yes, we include personal data breach identification and reporting procedures in security awareness training for all TravelPerk staff.

As a data processor, TravelPerk is required to notify personal data breaches to the affected clients (the data controllers) so they can notify the supervisory authority in compliance with the applicable data protection laws. In our notifications to clients, we provide all available information as per article 33.3 of the GDPR.

As a data processor, TravelPerk is required to notify personal data breaches to the affected clients (the data controllers) so they can notify the supervisory authority in compliance with the applicable data protection laws. In our notifications to clients, we provide all available information as per article 33.3 of the GDPR.

We may transfer data to recipients located in third countries, i.e., to countries outside the EEA without an adequacy decision by the EU Commission. For instance, we may transfer data to sub-processors which help us provide our services (see our updated List of Sub-processors), or to travel suppliers such as airlines, hotels or other transportation and accommodation providers. 

Where our sub-processors are located in third countries, we primarily rely on the latest standard contractual clauses for international transfers issued by the European Commission on 4 June 2021 to secure the transfer. We also perform a security assessment of all our suppliers, and where needed, we implement supplementary measures (as per the “post-Schrems II” EDPB Recommendations 01/2020) to ensure that the data transferred is afforded an adequate level of protection as per EU and GDPR standards. You can find more information in our International Data Transfers Whitepaper.

The process we follow every time we need to share customers’ data with a vendor located in a third country has 7 steps: 

1. We identify and map all our restricted transfers (i.e. any transfers of data to non-adequate countries).
2. We require potential vendors to complete a thorough privacy questionnaire assessed by our Information Security and Privacy teams.
3. We enter into a data processing agreement with the vendor, which sets out the same or equivalent data protection obligations as those set out in the DPA with our customers.
4. We put the latest standard contractual clauses for international transfers issued by the European Commission on 4 June 2021 in place with every vendor processing personal data in third countries.
5. We assess the laws of the vendor’s country of storage, with special emphasis on the United States.
6. We identify and adopt any supplementary measures and procedural steps needed to bring the level of protection of the data transferred up to EU standards.
7. We re-evaluate our assessments periodically to make sure that the international transfers remain secure over time.

Yes. The European Commission encourages controllers and processors to provide additional safeguards for transferring personal data overseas with supplementary contractual commitments that afford a level of protection essentially equivalent to EU standards.

With this in mind, TravelPerk conducts a thorough assessment of all processors and sub-processors located in third countries in order to determine the effectiveness of the standard contractual clauses in each particular case. Based on the assessment results, we direct such vendors to incorporate additional contractual commitments to the relevant data processing agreement. Our focus is both on the security measures implemented by the vendor and on specific safeguards to prevent or mitigate the risks of potential requests for disclosure of personal data to public or authorities or law enforcement in the vendor’s country, especially in the US under laws and regulations such as FISA Section 702, Executive Order 12333 or the CLOUD Act.

Depending on the case and based on the results of our assessment, we request our vendors to comply with some additional contractual commitments if they receive such disclosure requests. By way of example, we ask them to verify whether the disclosure request is lawful and appropriate, including with respect to the data sought and relevant jurisdiction, and to challenge the request in accordance with GDPR principles and contractual commitments on government access requests, as per articles 14 and 15 of the SCCs, if appropriate. We also direct our vendors to provide the minimum amount of information possible when responding to a disclosure request, to implement appropriate technical and organisational measures to ensure the security of the personal data, including protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data, and to refrain from creating any back doors or similar programming that could be used by law enforcement or public authorities to access the systems and/or personal data.

Third parties do not have access to our clients’ systems and processing facilities. However, TravelPerk may share client data with third party providers (sub-processors and travel suppliers) in order to provide business travel services (e.g., traveler name and contact details with an airline or hotel to confirm a booking). All such third parties undergo security assessments and have relevant DPAs and/or contractual clauses in place to ensure the security and confidentiality of the personal data transferred.

Yes, we have the standard contractual clauses for international transfers issued by the European Commission on 4 June 2021 in place with all sub-processors located outside the EEA in non-adequate countries, e.g., those located in the United States.

At the moment our sub-processors are located in the EU/EEA, UK, USA, Philippines, India, Japan, Australia, El Salvador and Israel. You can find our updated List of Sub-processors here.

If you are (or want to become) a customer of TravelPerk: the answer is NO. As an EU-based company processing personal data under the GDPR, TravelPerk is not required to use the standard contractual clauses for international transfers issued by the European Commission on 4 June 2021 (SCCs) between ourselves and our customers.

Where TravelPerk needs to perform onward transfers of your personal data to our sub-processors located in third countries (e.g., United States), you can rest assured that such transfers are already regulated by SCCs entered into between TravelPerk and the respective sub-processor. 

If you’re a supplier located outside the EU/EEA or UK in a country not recongnized as providing adequate privacy protection by the European Commission (list of adequate countries available here): the answer is YES – we must enter into the standard contractual clauses for international transfers issued by the European Commission on 4 June 2021 in order to provide a  service to TravelPerk that requires the processing of personal data.

Due to the nature of our SaaS service, it is not feasible to implement geolocation restrictions on a per-customer basis. Our SaaS environment and all associated operational and security processes are designed to be standardized and not tailored to specific clients. Therefore, access to and use of our SaaS is provided “as is” and in accordance with our existing processes, procedures, and the terms of the agreement between us and our customers.

Rest assured that we meet the highest security standards in our industry. Our operations are successfully audited in accordance with industry standards.  Our data centre provider, Amazon Web Services Ireland (with a fallback site in Germany), is ISO 27001 certified. It also has ISO 27017 and ISO 27018, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1, and BSI’s C5 certification.

As a SaaS platform, we do not engage sub-processors for individual customers. Our use of sub-processors is an integral part of our service delivery, and all third-party providers are pre-engaged and under contractual obligations with us. Before engaging any third-party provider, we perform comprehensive security assessments to ensure that they meet our strict security standards. Additionally, all sub-processors have relevant data protection agreements in place to guarantee the security and confidentiality of personal data processed on behalf of our customers. This allows us to maintain a high level of security and privacy protection while providing our customers with reliable and efficient services.

We have a comprehensive intragroup data processing agreement that governs all internal transfers, which includes the latest standard contractual clauses for international transfers issued by the European Commission on 4 June 2021. This agreement provides a robust framework to ensure that all data transfers within our organization comply with relevant data protection regulations and meet the highest standards of security and confidentiality. By utilizing these standard contractual clauses, we are able to maintain a high level of data protection even when transferring personal data across borders, providing our customers with the peace of mind they need to trust us with their valuable information.

If you are a TravelPerk user: as a data processor, we’re happy to assist our customers (data controllers) for them to handle Data Subject Requests (DSR) from their users. TravelPerk users must send data subject requests to their company’s TravelPerk account admin, who represents the data controller. Admins will be able to self-service data deletion (instructions here) and update directly from the TravelPerk platform, or request further information from us if they believe it is appropriate.

If you are a prospective customer, product tester, TravelPerk event attendee, or a TravelPerk website visitor: you can exercise your data protection rights through this form.

TravelPerk collects personal data provided by our users through our platform or customer care service to provide business travel services. If you are a traveler whose company is a customer of TravelPerk, we may process personal data including your name, business email address, phone number, and identity card or passport information. Additionally, we may handle data such as travel affiliation cards, payment methods, booking and trip information, as well as customer care requests or complaints as needed to facilitate our business travel management services and enable you to make travel bookings.

If you are a TravelPerk user and want to delete your user account, please send your request to your company’s TravelPerk account admin. Company admins can delete user accounts from the TravelPerk platform by following the steps provided in this article (under the “Delete user” section). Admins can also amend user data from the People directory available on the TravelPerk platform.