Your security
comes first
Woman in high tech work

Your security
comes first

Companies trust us because of our continual commitment to protecting their data.

Security Partners

Application Security

  • Data Encryption at Rest
  • Data Encryption in Transit
  • Thorough testing before all code releases
  • Regular penetration testing on our web application and mobile applications
  • Hosted in high-availability data centres
  • Threat detection using Amazon GuardDuty
  • SAML-based SSO
  • Identity and Access Control through Okta integration
  • Access Control via BambooHR Integration
  • Regular Patching
  • CrowdStrike advanced EDR (endpoint detection and response) offering powered by machine learning to ensure breaches are stopped before they occur.
  • Whitelisting for files types that can be uploaded to your application
  • Bug Bounty reporting program

Organizational Security

We have a variety of security measures in place across our company – not only technical and physical. We have implemented comprehensive policies and procedures, and ensure that our employees are kept well-trained and informed.

Information Security Policy

We have a policy that all employees and applicable contractors are required to follow. It enforces best practice and we review it regularly.


As a company we are currently working towards our ISO 27001 certification and are already implementing best practices across the company. We also maintain our PCI compliance through our payment provider, Stripe. Amazon Web Services (AWS), our cloud provider that hosts our infrastructure is ISO 27001, SOC 1,2 and 3 compliant.

Employee Awareness Scheme

We provide security awareness training to every employee in the company on an annual basis. It’s delivered by our security team, is role-specific to each team and is tailored to our company and the risks we face. This includes training about GDPR. Other topics include:

  • Remote Working
  • Phishing
  • Threats
  • Incident Response
  • Data Protection
  • Data Exposure
  • Password Cleanliness

In the 2nd year of our training awareness program, we introduced a new curriculum for our employees. We also carry out an internal phishing campaign to test our staff awareness in relation to the different threats that TravelPerk faces.

Access control

We implement role-based access control at TravelPerk and work to ensure that people only have access to data required for their job.

Business continuity

Both our application and our support services have a variety of controls to ensure that our services remain constant if a negative event were to occur.

Physical security

Our offices are all protected with a variety of measures, including 24/7 security guards and CCTV.


We review all our data sub-processors to ensure that they maintain the high standard of security you’d expect for your data. We also ensure that a DPA is in place with each supplier.

Young guy coding

RFP Security Questionnaires

We have a dedicated Security team who manage all security related questions that a 3rd party may have. This includes security RFP requests or general security questionnaires.

TravelPerk receives many security RFP requests from both potential and current clients. Our Security Team has an RFP Master Security Questionnaire answer sheet to help answer any security queries you may have whether you are a potential client or current client carrying out due diligence.

If you need to complete a security review on TravelPerk, you can request our Master Security Questionnaire. This will provide you with the security controls and general security questions you may have. To request this document please do the following.

  • Email to request the Master Security Questionnaire
  • If you are still in need of additional information after reviewing our Master Security Questionnaire, you can send your request to who will manage your request.

Data Protection

We care about your privacy
Your trust matters to us and we are fully committed to protecting the privacy and security of your personal information. In our Privacy Policy and Data Processing Agreement you can get more detailed information about how we use, process and protect your personal data, either as a data controller or as a data processor.

How do we protect your information?
Your privacy matters to us and keeping your personal data secure is a priority to us. We have created an organization-wide security program designed to keep your personal data as safe as possible through the implementation of a range of technical and organizational security measures, depending on the type of data being processed. All these measures are aimed at protecting your information from loss, misuse, unauthorized access, disclosure, alteration, and destruction.

When is your information shared with third parties?
We share your information only where you ask us to, where it’s necessary to perform our contract with you or our customers (and provide the hired services), or where there is a legal obligation for us to do so. Companies you book with via TravelPerk (like airlines, hotels, trains and car rentals) will collect and process your personal data according to their own privacy policies as independent data controllers. Finally, companies that help us provide our services will also collect and use your data on our behalf as data processors or sub processors.

We make sure our data processors and subprocessors are GDPR compliant
Every time we engage a processor or sub processor to provide our services, they are bound by a DPA. We audit all our sub processors to make sure their data processing is in line with the GDPR. If you are a customer and you object to the engagement of a specific sub processor by us, we would refrain from doing so (although it might affect our ability to provide you our services properly).

Personal Data Team Queries
TravelPerk has a Personal Data team who is dedicated to manage all data protection related queries.
If you are a TravelPerk user, client or prospect and have any requests please have a look at our privacy section on OUR website. If you have a specific query or want to exercise the rights set forth in the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection (“GDPR”), please email and our team will respond and manage your request. Such rights are right to access, rectification, opposition, erasure, restriction of processing, data portability, right to lodge a complaint with a supervisory authority and to withdraw any given consent (“GDPR rights”).