Your security
comes first
Woman in high tech work

Your security
comes first

Companies trust us because of our continual commitment to protecting their data.

Security Partners

Application Security

  • Data Encryption at Rest
  • Data Encryption in Transit
  • Thorough testing before all code releases
  • Regular penetration testing on our web application and mobile applications
  • Hosted in high-availability data centres
  • Threat detection using Amazon GuardDuty
  • SAML-based SSO
  • Identity and Access Control through Okta integration
  • Access Control via BambooHR Integration
  • Regular Patching
  • CrowdStrike advanced EDR (endpoint detection and response) offering powered by machine learning to ensure breaches are stopped before they occur.
  • Whitelisting for files types that can be uploaded to your application
  • Bug Bounty reporting program

Organizational Security

We have a variety of security measures in place across our company – not only technical and physical. We have implemented comprehensive policies and procedures, and ensure that our employees are kept well-trained and informed.

Information Security Policy

We have a policy that all employees and applicable contractors are required to follow. It enforces best practice and we review it regularly.


We are currently working towards ISO 27001 certification and are already implementing best practices across the company. The AWS data centres we use already hold various certifications that include SOC 1,2,3 and ISO 27001. We’re also PCI compliant through our external payment provider, Stripe.

AWS ISO Certification
PCI Compliant

Employee Awareness Scheme

We provide security awareness training to every employee in the company on an annual basis. It’s delivered by our security team, is role-specific to each team and is tailored to our company and the risks we face. This includes training about GDPR. Other topics include:

  • Remote Working
  • Phishing
  • Threats
  • Incident Response
  • Data Protection
  • Data Exposure
  • Password Cleanliness

In the 2nd year of our training awareness program, we introduced a new curriculum for our employees. We also carry out an internal phishing campaign to test our staff awareness in relation to the different threats that TravelPerk faces.

Access control

We implement role-based access control at TravelPerk and work to ensure that people only have access to data required for their job.

Business continuity

Both our application and our support services have a variety of controls to ensure that our services remain constant if a negative event were to occur.

Physical security

Our offices are all protected with a variety of measures, including 24/7 security guards and CCTV.


We review all our data sub-processors to ensure that they maintain the high standard of security you’d expect for your data. We also ensure that a DPA is in place with each supplier.

Young guy coding

RFP Security Questionnaires

We have a dedicated Security team who manage all security related questions that a 3rd party may have. This includes security RFP requests or general security questionnaires.

TravelPerk receives many security RFP requests from both potential and current clients. Our Security Team has an RFP Master Security Questionnaire answer sheet to help answer any security queries you may have whether you are a potential client or current client carrying out due diligence.

If you need to complete a security review on TravelPerk, you can request our Master Security Questionnaire. This will provide you with the security controls and general security questions you may have. To request this document please do the following.

  • Email to request the Master Security Questionnaire
  • If you are still in need of additional information after reviewing our Master Security Questionnaire, you can send your request to who will manage your request.

Assets in Scope

You are permitted to test the following listed assets, provided you comply with all rules provided in this document by TravelPerk.

  • Our web application:
  • Our mobile application: Travelperk Trip Assistant (iOS & Android)

Testing Accounts

Testing is only permitted via the following methods:

  • Unauthenticated testing
  • Using dedicated test accounts

Live accounts belonging to TravelPerk or its clients must not be targeted during testing.

Out of Scope

The following are explicitly out of scope for any testing:

  • Live accounts belonging to TravelPerk or TravelPerk clients
  • Automated scanning of any kind
  • Denial of Service attacks
  • Social engineering and phishing
  • Physical security attacks
  • Attacks requiring MITM or physical access to a user’s device
  • Vulnerability must not previously be known to us
  • TravelPerk employees and their relatives are NOT eligible for reward.

Low impact areas

We are not likely to provide bug bounty rewards for the following categories (unless you have an exploitable vulnerability with an associated proof of concept):

  • Email configuration such as SPF, DKIM, DMARC
  • Encryption support such as SSL and TLS versions
  • Click jacking on pages that have no sensitive actions
  • Issues relating to rate limiting or brute forcing on non-authentication end points
  • Missing best practices relating to Content Security Policy or similar headers
  • Attacks where the victim must be using a rooted mobile device for the exploit to be successful
  • Software version disclosure / banner identification issues.


You are responsible for complying with any applicable laws and expected to act in good faith at all times.

You are not eligible to participate in this program if you are currently an employee of Travelperk.

Reports from former employees, immediate family of current employees, or other associates of TravelPerk that may present a conflict of interest will be reviewed. Eligibility for any reward will be at the sole discretion of TravelPerk.

Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.

    On behalf of the TravelPerk team, thank you for working with us in a responsible manner. We look forward to working with you!

TravelPerk Security Team Commitment

We ask that you do not share or publicize an unresolved vulnerability with/to third parties. If you responsibly submit a vulnerability report, the TravelPerk security team and associated development organizations will use reasonable efforts to:

  • Respond in a timely manner, acknowledging receipt of your vulnerability report
  • Provide an estimated time frame for addressing the vulnerability report
  • Notify you when the vulnerability has been fixed

You can send and share details of the suspected vulnerability with TravelPerk by sending an email to

Data Protection

Firstly, when processing such data, we must take some general principles stated by the GDPR into account (these apply not only to sensitive data but to all data we process). Thus, such data must be:

  •  Processed lawfully (with a legal basis, such as explicit consent of the data subject), fairly and transparently
  • Data must be collected for a specific purpose and must not be processed in a manner that is incompatible with that purpose
  • Processing must be adequate, limited and relevant to what is necessary in relation to the purposes for which they are processed
  • Data must be accurate and kept up to date
  • Data should be kept in a form which permits identification of data subjects (travelers) for no longer than is necessary (storage limitation, anonymization, pseudonymization)
  • We must implement adequate technical and organizational data protection measures.

Processing of sensitive data (e.g. health data), also entails other obligations, such as conducting a Data Protection Impact Assessment (DPIA), maintaining a record of processing activities, and appointing a DPO.

As far as security measures are concerned, we must comply with technical and organizational measures stated in Art. 32 GDPR in order to ensure a level of security appropriate to the risk. Those measures include:

  • Pseudonymization and encryption of personal data. For instance:
    •  Sensitive (health) data should be in a different database from specific identifiable data of the data subjects, so that such information is stored separate and can be subject to appropriate technical and organizational measures.
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. For instance:
    • Physical access control: no unauthorized access to data processing facilities (e.g. magnetic cards, keys, electronic door openers, alarm systems, video/CCTV systems and surveillance cameras, entrance security staff, etc.)
    • Electronic access control: no unauthorized use of the data processing/storage systems (e.g. through secure passwords, encryption of data carriers/storage/storage media, automatic blocking mechanisms, etc.)
    • Only authorized personnel should be allowed to access sensitive personal data (e.g. multiple authorization levels when granting access to sensitive systems, authorizations managed via defined processes according to TK security policy, User IDs, implementation of a password policy, etc.)
    • Firewalls, security patch management, use of VPN, monitorization of VPN logins, etc.
    • Internal access control: permissions for user rights of access to and amendment of data, need-based rights of access, etc.
    • Data transfer controls (e.g. through encryption, VPN, electronic signature)
    • Data entry control: verification, whether and by whom personal data is entered into our data processing system, is changed or deleted (e.g. logging). We need to ensure traceability.
    • Availability control: personal data must be protected against accidental or unauthorized destruction or loss (e.g. through implementation of regular backup processes, use of uninterrupted power supplies in the data centers, having defined business contingency plans and disaster recovery strategies, firewalls, antivirus, specific security monitoring, etc.)
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. For instance:
    • Rapid recovery: executing regular disaster recovery exercises (e.g. once a year)
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. For instance:
    • Data protection management: implementation of a multi-layered defense strategy as a protection against unauthorized modifications (e.g. through firewalls, antivirus, backup and recovery, encryption of data in transit and at rest, external and internal penetration testing, etc.).
    • Incident response management
  • Data protection by design and default. For instance:
    • Implementation of data protection principles such as data minimisation, encryption, maintaining and enhancing the security and privacy levels with appropriate technical and organizational measures, limitation of the extent of data processing, the period of their storage and their accessibility, etc.

Obviously not all security measures mentioned above must be implemented. I just wanted to provide some examples. The most important thing is to bear in mind that processing sensitive data, such as health data, requires an extra level of security, and therefore several measures should be implemented regarding each of those fields (pseudonymization and encryption, confidentiality, integrity, availability, resilience, restoring availability, regular testing, assessment and evaluation, protection by design and default).