Companies trust us because of our continual commitment to protecting their data.
- Data Encryption at Rest
- Data Encryption in Transit
- Thorough testing before all code releases
- Regular penetration testing on our web application and mobile applications
- Hosted in high-availability data centres
- Threat detection using Amazon GuardDuty
- SAML-based SSO
- Identity and Access Control through Okta integration
- Access Control via BambooHR Integration
- Regular Patching
- CrowdStrike advanced EDR (endpoint detection and response) offering powered by machine learning to ensure breaches are stopped before they occur.
- Whitelisting for file types that can be uploaded to your application
- Bug Bounty reporting program
We have a variety of security measures in place across our company – not only technical and physical. We have implemented comprehensive policies and procedures, and ensure that our employees are kept well-trained and informed.
Information Security Policy
We have a policy that all employees and applicable contractors are required to follow. It enforces best practice and we review it regularly.
As a company, we are currently working towards our ISO 27001 certification and are already implementing best practices across the company. We also maintain our PCI compliance through our payment provider, Stripe. Amazon Web Services (AWS), the cloud provider that hosts our infrastructure, is ISO 27001 and SOC 1, 2 and 3 compliant.
Employee Awareness Scheme
We provide security awareness training to every employee in the company on an annual basis. It’s delivered by our security team, is role-specific to each team and is tailored to our company and the risks we face. This includes training about GDPR. Other topics include:
- Remote Working
- Incident Response
- Data Protection
- Data Exposure
- Password Cleanliness
In the 2nd year of our training awareness program, we introduced a new curriculum for our employees. We also carry out an internal phishing campaign to test our staff awareness in relation to the different threats that TravelPerk faces.
We implement role-based access control at TravelPerk and work to ensure that people only have access to data required for their job.
Both our application and our support services have a variety of controls to ensure that our services remain constant if a negative event were to occur.
Our offices are all protected with a variety of measures, including 24/7 security guards and CCTV.
We review all our data sub-processors to ensure that they maintain the high standard of security you’d expect for your data. We also ensure that a DPA is in place with each supplier.
RFP Security Questionnaires
We have a dedicated Security team that manages all security-related questions that a 3rd party may have. This includes security RFP requests or general security questionnaires.
TravelPerk receives many security RFP requests from both potential and current clients. Our Security Team has an RFP Master Security Questionnaire answer sheet to help answer any security queries you may have whether you are a potential client or current client carrying out due diligence.
If you need to complete a security review on TravelPerk, you can request our Master Security Questionnaire. This covers our security controls and the general security questions you may have. To request this document, please do the following:
- Email email@example.com to request the Master Security Questionnaire
- If you are still in need of additional information after reviewing our Master Security Questionnaire, you can send your request to firstname.lastname@example.org who will manage your request.
We care about your privacy
How do we protect your information?
Your privacy matters to us and keeping your personal data secure is a priority to us. We have created an organization-wide security program designed to keep your personal data as safe as possible through the implementation of a range of technical and organizational security measures, depending on the type of data being processed. All these measures are aimed at protecting your information from loss, misuse, unauthorized access, disclosure, alteration, and destruction.
When is your information shared with third parties?
We share your information only where you ask us to, where it’s necessary to perform our contract with you or our customers (and provide the hired services), or where there is a legal obligation for us to do so. Companies you book with via TravelPerk (like airlines, hotels, trains and car rentals) will collect and process your personal data according to their own privacy policies as independent data controllers. Finally, companies that help us provide our services will also collect and use your data on our behalf as data processors or sub processors.
We make sure our data processors and subprocessors are GDPR compliant
Every time we engage a processor or sub processor to provide our services, they are bound by a DPA. We audit all our sub processors to make sure their data processing is in line with the GDPR. If you are a customer and you object to the engagement of a specific sub processor by us, we would refrain from doing so (although it might affect our ability to provide you our services properly).
Personal Data Team Queries
TravelPerk has a Personal Data team dedicated to managing all data protection related queries.
If you are a TravelPerk user, client or prospect and have any requests, please have a look at the privacy section on our website. If you have a specific query or want to exercise the rights set forth in the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection (“GDPR”), please email email@example.com and our team will respond and manage your request. These rights are the right to access, rectification, opposition, erasure, restriction of processing and data portability, the right to lodge a complaint with a supervisory authority and the right to withdraw any given consent (“GDPR rights”).