Your trust is our most valuable asset

We are committed to processing your data responsibly at every stage of your journey with TravelPerk. Our products put your privacy first.

Your data. Your rights.

Compliance with data protection laws

We believe in the importance of protecting your privacy and adhering to EU and UK GDPR, CCPA and other applicable privacy regulations.

  • Our data center is located in the EU (AWS Ireland – eu-west-1, with a fallback site in AWS Germany – eu-central-1).
  • Our sub-processors located outside the EU/EEA and UK adhere to the latest Standard Contractual Clauses (EU and UK SCCs) for the transfer of personal data outside of Europe.
  • We put additional safeguards in place when we deem the SCCs insufficient to ensure safe international data transfers.
  • We have Data Processing Agreements with all suppliers who access personal data processed by TravelPerk.
  • We support you in performing your privacy obligations as data controllers.
  • We apply world-class technical and organizational measures to protect and secure your personal information.
  • More information can be found in our International Data Transfers Whitepaper.


We have a comprehensive security program designed to keep your personal data safe.

  • ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3, PCI DSS Level 1, and BSI’s C5 certified data center (AWS).
  • Encryption in transit and at rest, both within the platform and at the TravelPerk endpoint.
  • Firewalls on Network and Application Layer.
  • Data pseudonymization where necessary.

Check our Security Whitepaper for more information.

Privacy by Design

We apply rigorous privacy protection standards to all stages of our product’s development.

  • We provide access to personal data on a strictly ‘need-to-know’ basis.
  • We provide training to all employees and contractors on data privacy and information security.
  • We collect the minimum personal data needed to facilitate use of our platform.
  • We have a dedicated team overseeing privacy at TravelPerk.

You have control

We make it easy for you to keep your personal data up to date.

  • We make available a range of access profiles, giving control over colleagues’ access to your personal data.
  • We give you the tools to access and update your profile information.
  • We make it easy to archive or delete obsolete user profiles from our platform.


We keep you informed so you can make the best decisions.

  • Our Privacy Whitepaper provides detailed information on how we process and protect your personal data.
  • Our International Data Transfers Whitepaper summarises how our customers can use TravelPerk to transfer personal data outside the European Union (EU) or the European Economic Area (EEA) in compliance with EU law by relying on our industry-leading contractual, technical and organisational frameworks and safeguards.
  • Our Privacy documentation is publicly available for you to assess the reliability of our practices.
  • We’ll keep you informed of any material changes to our privacy policies.

Frequently asked questions

Where are your services hosted and what service resilience has been built in?

Our service and backups are hosted on Amazon Web Services (AWS) in Ireland with a fallback site in Germany. It’s a high availability data centre built and maintained with resilience, continuity and disaster recovery. AWS holds ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1, and BSI’s C5 certifications.

What are the purposes for which TravelPerk may process customers’ personal data?

We process personal data of TravelPerk users as a data processor for the following purposes outlined in our Data Processing Agreement:

(i) to create, maintain and update customer accounts; 

(ii) to manage travel bookings, process orders and payments; 

(iii) to send notices to users regarding cancellation, modification or no-show, unfinished booking processes, and/or booking recommendations based on their previous bookings and search history; 

(iv) to provide customer support and handle special requests; 

(v) to inform our customers and users about services updates, including new features and functionalities; 

(vi) to render all services hired by our customers from time to time, such as business travel management, Premium, PRO and flexible cancellation services, API access, services related to CO2 compensation, etc.; and 

(vii) to notify an emergency to the contact person informed by the traveler for this purpose. 

Additionally, we may process personal data of TravelPerk users as a data controller for the applicable purposes outlined in our Privacy Policy.

Who oversees Privacy at TravelPerk?

TravelPerk has a dedicated Privacy Team formed by legal and operational specialists focused on maintaining a world-class privacy compliance program for anyone who entrusts their personal data to our company. Our Privacy and Information Security teams work closely to ensure our operations are aligned towards always keeping your personal data safe.

Our Data Protection Officer (DPO) is responsible for translating regulatory insights into actionable enhancements to our privacy culture, and acts as the contact point for supervisory authorities and customers for any privacy compliance questions.

You can reach out to our Privacy Team at Our DPO is available at

Do all TravelPerk employees have access to customer data?

TravelPerk employees access customer data on a need-to-know basis. TravelPerk employees may have access to the minimum customer data required to provide our services (e.g., business contact details, travel and booking history, and history of user queries by the Customer Care team; business information, billing and platform usage history and similar reports by the respective Account Manager, etc.).

All TravelPerk’s personnel are bound by confidentiality obligations and have undergone a training and awareness programme, which includes onboarding security and data protection training with testing and annual refresher courses.

Is TravelPerk a controller or a processor with regards to personal data processed on behalf of its customers?

As outlined in our Data Processing Agreement and Privacy Whitepaper, our customers are controllers of the data of their employees, contractors and other people accessing the customer’s TravelPerk account. On the other hand, TravelPerk, as a business travel services provider for our customers, is the data processor of such information. This means that TravelPerk handles personal data on the customer’s behalf and under its instructions for the purposes allowed by the customer as defined in the Data Processing Agreement.

What are the data protection roles of suppliers engaged by TravelPerk?

Where TravelPerk transfers customer personal data to certain suppliers to help us provide business travel management services, such suppliers are deemed sub-processors and bound by the relevant data processing agreements and, where applicable, standard contractual clauses issued by the European Commission and the United Kingdom for international data transfers. 

On the other hand, where TravelPerk transfers customer data to travel suppliers such as hotels, airlines, train companies, or car rental companies, for the provision of the respective accommodation and transportation services to travelers, such travel suppliers will be processing the data in their capacity as independent controllers. Nevertheless, TravelPerk has data protection clauses in place in all service agreements with all travel suppliers stating their obligation to comply with applicable data protection laws and to only process customer data as permitted in such laws.

What are your data retention and destruction policies?

Our data retention policy outlines all the legal retention rules to which we at TravelPerk adhere, such as customer data under contractual law. We additionally have schedules for each team which outline retention periods for personal data processed for business activities outlined in our privacy policy.

Once this retention period expires, the relevant personal data is deleted.

Do you carry out Data Protection Impact Assessments (DPIA) on the data processing you undertake?

Yes, we carry out Data Protection Impact Assessments (DPIA) as a data controller when required by the GDPR and other applicable laws. In relation to the personal data we process as a data processor, we assist our customers (data controllers) to conduct their own DPIAs as required by the GDPR.

Is TravelPerk in a position to assist in conducting a Data Protection Impact Assessment (DPIA) when acting as processor?

Yes, this is one of our GDPR obligations as a data processor and we’re happy to assist our customers (data controllers) when conducting a DPIA.

Do we need to sign a Data Processing Agreement (DPA) with TravelPerk for the prospect phase?

No. TravelPerk will only act as data processor once the prospect becomes a customer and TravelPerk actually processes personal data of TravelPerk users. Until that moment, TravelPerk is a controller and processes prospect data according to the Privacy Policy.

Once you become a customer, we will enter into a DPA. You can then request it by filling out this form.

Do you have a version of your Data Processing Agreement (DPA) that we can sign?

Please fill out this form with your company’s information to digitally sign a copy of TravelPerk’s Data Processing Agreement. Once you submit the form, we’ll email the executable copy to the person you assign as the signatory. The executable copy will contain the same content from our online Data Processing Agreement.

TravelPerk has adopted the oneDPA standard for all suitable transactions. oneDPA was created collaboratively by a group of leading law firms and in-house teams with input from the wider legal community. The terms of oneDPA have been discussed extensively by legal professionals from several jurisdictions to ensure it meets legal requirements and to make it balanced, fair and easy to understand.

Given the balanced nature of oneDPA’s content, oneDPA cannot be amended other than to populate the details specific to our engagement on the variables section. For more information on oneDPA, please access the oneDPA official website.

Are you willing to review and sign customer’s DPA?

As a SaaS provider, we provide consistent data protection standards to all our customers. Therefore, we must use our standard Data Processing Agreement, which is already incorporated in the business travel service agreement and tailored to the type of services provided and the security measures offered by TravelPerk.

TravelPerk has adopted the oneDPA standard for all suitable transactions. oneDPA was created collaboratively by a group of leading law firms and in-house teams with input from the wider legal community. The terms of oneDPA have been discussed extensively by legal professionals from several jurisdictions to ensure it meets legal requirements and to make it balanced, fair and easy to understand.

Given the balanced nature of oneDPA’s content, oneDPA cannot be amended other than to populate the details specific to our engagement on the variables section. For more information on oneDPA, please access the oneDPA official website.

Does TravelPerk request customers’ authorisation to engage new sub-processors?

TravelPerk may engage new sub-processors based on a general authorisation provided by our customers (data controllers), as permitted by article 28 of the GDPR. By contracting our services and entering into the relevant DPA, our customers consent to and authorise the engagement of the sub-processors included in the current sub-processors list. TravelPerk also undertakes the obligation to notify customers of any intended additions to such list so that customers have the right to timely object to the engagement of any new sub-processors by TravelPerk. If an objection is raised, TravelPerk and customer will work to find a solution to overcome customer’s concerns. If this is not possible, customer will always have the option to terminate the agreement at no extra cost.

Does TravelPerk maintain a mandatory Record of Processing Activities (RoPA)?

Yes. As a data processor under article 30.2 of GDPR, TravelPerk must maintain a record of all categories of processing activities carried out on behalf of our customers (data controllers).

How will TravelPerk protect my personal data?

TravelPerk complies with applicable data protection laws, such as the EU GDPR, the UK GDPR, and the California CCPA. We have implemented appropriate technical and organizational measures to secure personal data shared with us. This includes ensuring that data is encrypted both in transit and at rest, within the platform and at endpoints. To ensure compliance, TravelPerk personnel receive relevant training, and we have centralized policies in place. Prior to accessing personal data, every individual and company undergoes a form of due diligence assessment and is bound by confidentiality obligations. Data processing agreements are in place with all our sub-processors, with the latest standard contractual clauses for international transfers issued by the European Commission on 4 June 2021, where applicable.

Our information security management system (ISMS) aligns with ISO 27001 guidelines for technical and operational controls for confidential and personal data security. Additionally, our platform is hosted on Amazon Web Services (AWS) in data centers located within the EU, with industry-defining security protocols.

What are the main security measures that you have adopted to ensure compliance with article 32 of the GDPR?

We have implemented a range of controls to comply with the GDPR. To ensure privacy by design and by default, we focus on the lifecycle of customers’ data. We apply technical, organizational, and physical security measures from the moment personal data is entrusted to us until it is securely destroyed. These controls range from advanced Endpoint Detection & Response (EDR) to cloud security and monitoring. Our offices are also protected with a variety of measures, including 24/7 security guards and CCTV. For more details, please refer to our Security Whitepaper and Security Measures (TOMs) document.

Do you encrypt the personal data handled on behalf of your customers?

Yes. Nowadays, encryption is one of the most basic security measures for protecting confidential data. We use AES-256 to encrypt your data at rest, including backups. For data in transit, we enforce a minimum of TLS v1.2 and do not support older legacy versions.

For password storage, we follow NIST recommended standards with our choice of hashing algorithm and password stretching mechanism. Our email system is also automatically encrypted using S/MIME wherever supported.

Does TravelPerk have any security policies in place?

Yes, we maintain several security policies, including an Information Security Policy as part of our Information Security Management System (ISMS). These policies align with recognized global best practices in information and cyber security, such as ISO27001, ISO27005, and OWASP, and provide strategic direction for maintaining our ISMS.

Is TravelPerk’s staff duly trained to handle personal data safely and subject to confidentiality obligations?

Yes, we have a staff awareness training programme on privacy and security best practices in place. We believe in modifying behaviours for the better, not just ticking a compliance box with annual online training, which is why we provide in-house designed training to all employees, new joiners and relevant contractors. We also carry out phishing simulations, custom awareness posters, “Capture the Flag” style events, and more. We also implement role-based access control at TravelPerk – this means that only a limited number of our staff have access to customer data, based on the job role and on a strict need-to-know basis.

How secure are my payments within the TravelPerk platform?

Your payment data is safe when you make payments within the TravelPerk platform. We teamed up with Stripe to securely store your credit card information and process your payment requests. TravelPerk will never see, store or process your payment card information – it’s always managed by Stripe; we simply use unique and anonymized reference numbers to connect with Stripe and charge you for bookings and services. Stripe processes customer data as an independent controller – please check Stripe’s Privacy Policy for more information on how they protect your personal data.

Would you be willing to implement additional security measures upon request?

At TravelPerk, we are committed to continuously improving the security of our systems by reinforcing and updating our existing security measures. While we strive to meet our obligations under data protection laws, we cannot agree to individual customer security policies. As a global travel management SaaS company with a wide range of customers, we must maintain consistent and comprehensive security policies to ensure appropriate protections and consistency in our approach.

Rest assured, however, that we are happy to respond to security and audit questionnaires upon request. This will help you confirm that TravelPerk is fulfilling its obligations regarding the security of personal data. We understand the importance of maintaining the highest level of security for our customers and are dedicated to meeting these standards.

Do you have specific technical and organisational security measures that you expect your sub-processors to comply with?

Our sub-processors have a contractual commitment to comply with equivalent technical and organisational security measures (TOMs) as those we offer to our customers. Our updated Security TOMs are available here.

We request sub-processors to provide sufficient technical and operational security measures as well as measures to ensure compliance with relevant data protection laws. All sub-processors and vendors that will host customer data undergo thorough security audits and risk assessments conducted by both our Information Security team and our Privacy team to ensure compliance with these requirements. We also use continuous security monitoring to keep track of our vendors.

What does TravelPerk do to prevent data breaches from occurring?

Vulnerability management. Periodic penetration testing simply isn’t enough for a fast-changing environment like ours. So we take our vulnerability management much further. We conduct daily dynamic vulnerability scans of our web application, while our mobile application is also scanned daily with a variety of static, dynamic and interactive testing. This, combined with any bug bounty program submissions or penetration test findings, is quickly reviewed and acted upon according to severity.

Malware prevention. As you might expect for an international company like us, we leverage world-class endpoint detection and response tooling. Using behavioural detection, this helps keep us protected from next-generation attacks that signature-based systems won’t recognise. Our fast and efficient connection capabilities enable us to respond promptly to endpoint incidents anywhere in the world. We also have various solutions in place to ensure malicious software doesn’t enter our systems or travel applications.

Monitoring. We collect activity and access logs and important information from a variety of sources. Where we receive any alerts or other triggers, our team promptly inspects and investigates the suspected incident. Wherever possible, our tools are configured to detect suspicious activity and bring it to our attention without delay. This includes monitoring and alerts from across our own IT estate and tooling, in addition to our business travel applications.

What is TravelPerk’s incident management policy?

Our Security team is trained in taking the lead for any security incident that might occur, getting the right people into the room and coordinating any response required by following our Incident Response Plan. We don’t introduce bias early on by assuming a severity level from what might initially be limited information. Instead, we treat every incident with equally high priority and importance until we have information to prove otherwise.

We have an engineering on-call system 24/7 so that should an incident occur out of hours that affects confidentiality, integrity or availability, our engineers can respond, escalate and swiftly resolve any issue, supported by our Security team. We follow best practices by maintaining an incident tracker and analysing incidents afterwards to ensure lessons are learned, and any possible improvements are made.

Does a process exist to ensure all security Incidents are reported accordingly?

Yes, we have an Incident Response Plan that has been approved by the CTO. It sets out roles, responsibilities, contact details and steps to take in the event of a suspected incident. We also have an Incident Management Team in place. 

You can find more information on our Security page, Security Whitepaper and Security Measures (TOMs) document.

Have you provided training to your staff on what to do in the event of a personal data breach?

Yes, we include personal data breach identification and reporting procedures in security awareness training for all TravelPerk staff.

Would you notify the supervisory authority in the event of a security incident affecting customers’ data?

As a data processor, TravelPerk is required to notify personal data breaches to the affected clients (the data controllers) so they can notify the supervisory authority in compliance with the applicable data protection laws. In our notifications to clients, we provide all available information as per article 33.3 of the GDPR.

Did you report any data breach to the supervisory authorities in the past five years?

As a data processor, TravelPerk is required to notify personal data breaches to the affected clients (the data controllers) so they can notify the supervisory authority in compliance with the applicable data protection laws. In our notifications to clients, we provide all available information as per article 33.3 of the GDPR.

Do you transfer personal data to third countries? How do you secure such transfers?

We may transfer data to recipients located in third countries, i.e., to countries outside the EEA without an adequacy decision by the EU Commission. For instance, we may transfer data to sub-processors which help us provide our services (see our updated List of Sub-processors), or to travel suppliers such as airlines, hotels or other transportation and accommodation providers. 

Where our sub-processors are located in third countries, we primarily rely on the latest standard contractual clauses for international transfers issued by the European Commission on 4 June 2021 to secure the transfer. We also perform a security assessment of all our suppliers, and where needed, we implement supplementary measures (as per the “post-Schrems II” EDPB Recommendations 01/2020) to ensure that the data transferred is afforded an adequate level of protection as per EU and GDPR standards. You can find more information in our International Data Transfers Whitepaper.

Can you provide more details on the process you follow to handle international data transfers?

The process we follow every time we need to share customers’ data with a vendor located in a third country has 7 steps: 

  1. We identify and map all our restricted transfers (i.e. any transfers of data to non-adequate countries).
  2. We require potential vendors to complete a thorough privacy questionnaire assessed by our Information Security and Privacy teams.
  3. We enter into a data processing agreement with the vendor, which sets out the same or equivalent data protection obligations as those set out in the DPA with our customers.
  4. We put the latest standard contractual clauses for international transfers issued by the European Commission on 4 June 2021 in place with every vendor processing personal data in third countries.
  5. We assess the laws of the vendor’s country of storage, with special emphasis on the United States.
  6. We identify and adopt any supplementary measures and procedural steps needed to bring the level of protection of the data transferred up to EU standards.
  7. We re-evaluate our assessments periodically to make sure that the international transfers remain secure over time.

Do you implement supplementary measures to ensure the effectiveness of standard contractual clauses entered into with your sub-processors, where required?

Yes. The European Commission encourages controllers and processors to provide additional safeguards for transferring personal data overseas with supplementary contractual commitments that afford a level of protection essentially equivalent to EU standards.

With this in mind, TravelPerk conducts a thorough assessment of all processors and sub-processors located in third countries in order to determine the effectiveness of the standard contractual clauses in each particular case. Based on the assessment results, we direct such vendors to incorporate additional contractual commitments to the relevant data processing agreement. Our focus is both on the security measures implemented by the vendor and on specific safeguards to prevent or mitigate the risks of potential requests for disclosure of personal data to public authorities or law enforcement in the vendor’s country, especially in the US under laws and regulations such as FISA Section 702, Executive Order 12333 or the CLOUD Act.

Depending on the case and based on the results of our assessment, we request our vendors to comply with some additional contractual commitments if they receive such disclosure requests. By way of example, we ask them to verify whether the disclosure request is lawful and appropriate, including with respect to the data sought and relevant jurisdiction, and to challenge the request in accordance with GDPR principles and contractual commitments on government access requests, as per articles 14 and 15 of the SCCs, if appropriate. We also direct our vendors to provide the minimum amount of information possible when responding to a disclosure request, to implement appropriate technical and organisational measures to ensure the security of the personal data, including protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data, and to refrain from creating any back doors or similar programming that could be used by law enforcement or public authorities to access the systems and/or personal data.

Do external third parties have access to TravelPerk’s customer systems or processing facilities?

Third parties do not have access to our clients’ systems and processing facilities. However, TravelPerk may share client data with third party providers (sub-processors and travel suppliers) in order to provide business travel services (e.g., traveler name and contact details with an airline or hotel to confirm a booking). All such third parties undergo security assessments and have relevant DPAs and/or contractual clauses in place to ensure the security and confidentiality of the personal data transferred.

Has TravelPerk adopted the new EU standard contractual clauses for international transfers (2021 EU SCCs) for transfers of personal data to sub-processors located outside of the EEA?

Yes, we have the standard contractual clauses for international transfers issued by the European Commission on 4 June 2021 in place with all sub-processors located outside the EEA in non-adequate countries, e.g., those located in the United States.

In what countries does TravelPerk and its sub-processors process customer data for the provision of business travel management services?

At the moment our sub-processors are located in the EU/EEA, UK, USA, Philippines, India, Japan, Australia, El Salvador and Israel. You can find our updated List of Sub-processors here.

Do I need to enter into standard contractual clauses with TravelPerk?

If you are (or want to become) a customer of TravelPerk: the answer is NO. As an EU-based company processing personal data under the GDPR, TravelPerk is not required to use the standard contractual clauses for international transfers issued by the European Commission on 4 June 2021 (SCCs) between ourselves and our customers.

Where TravelPerk needs to perform onward transfers of your personal data to our sub-processors located in third countries (e.g., United States), you can rest assured that such transfers are already regulated by SCCs entered into between TravelPerk and the respective sub-processor. 

If you’re a supplier located outside the EU/EEA or UK in a country not recognized as providing adequate privacy protection by the European Commission (list of adequate countries available here): the answer is YES – we must enter into the standard contractual clauses for international transfers issued by the European Commission on 4 June 2021 in order to provide a service to TravelPerk that requires the processing of personal data.

Do you have the capability to restrict the storage of customer data to specific countries or geographic locations?

Due to the nature of our SaaS service, it is not feasible to implement geolocation restrictions on a per-customer basis. Our SaaS environment and all associated operational and security processes are designed to be standardized and not tailored to specific clients. Therefore, access to and use of our SaaS is provided “as is” and in accordance with our existing processes, procedures, and the terms of the agreement between us and our customers.

Rest assured that we meet the highest security standards in our industry. Our operations are successfully audited in accordance with industry standards. Our data centre provider, Amazon Web Services Ireland (with a fallback site in Germany), is ISO 27001 certified. It also has ISO 27017 and ISO 27018, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1, and BSI’s C5 certification.

Could you remove some of your sub-processors when you’re providing services to us?

As a SaaS platform, we do not engage sub-processors for individual customers. Our use of sub-processors is an integral part of our service delivery, and all third-party providers are pre-engaged and under contractual obligations with us. Before engaging any third-party provider, we perform comprehensive security assessments to ensure that they meet our strict security standards. Additionally, all sub-processors have relevant data protection agreements in place to guarantee the security and confidentiality of personal data processed on behalf of our customers. This allows us to maintain a high level of security and privacy protection while providing our customers with reliable and efficient services.

How is customer data protected in the event your non-EEA affiliates, subsidiaries or parent companies need to have access to the data?

We have a comprehensive intragroup data processing agreement that governs all internal transfers, which includes the latest standard contractual clauses for international transfers issued by the European Commission on 4 June 2021. This agreement provides a robust framework to ensure that all data transfers within our organization comply with relevant data protection regulations and meet the highest standards of security and confidentiality. By utilizing these standard contractual clauses, we are able to maintain a high level of data protection even when transferring personal data across borders, providing our customers with the peace of mind they need to trust us with their valuable information.

How does TravelPerk handle Data Subject Requests (DSR)? Where can I exercise my rights?

If you are a TravelPerk user: as a data processor, we’re happy to assist our customers (data controllers) for them to handle Data Subject Requests (DSR) from their users. TravelPerk users must send data subject requests to their company’s TravelPerk account admin, who represents the data controller. Admins will be able to self-service data deletion (instructions here) and update directly from the TravelPerk platform, or request further information from us if they believe it is appropriate.

If you are a prospective customer, product tester, TravelPerk event attendee, or a TravelPerk website visitor: you can exercise your data protection rights through this form.

What types of personal data do you collect about me?

TravelPerk collects personal data provided by our users through our platform or customer care service to provide business travel services. If you are a traveler whose company is a customer of TravelPerk, we may process personal data including your name, business email address, phone number, and identity card or passport information. Additionally, we may handle data such as travel affiliation cards, payment methods, booking and trip information, as well as customer care requests or complaints as needed to facilitate our business travel management services and enable you to make travel bookings.

I want you to delete my user account.

If you are a TravelPerk user and want to delete your user account, please send your request to your company’s TravelPerk account admin. Company admins can delete user accounts from the TravelPerk platform by following the steps provided in this article (under the “Delete user” section). Admins can also amend user data from the People directory available on the TravelPerk platform.

Contact us

If you have any other questions about privacy at TravelPerk, email us at