Information Security Program

Travitor has implemented and maintains a formal and comprehensive information security program designed to ensure the security and integrity of customer data. Travitor’s information security program includes internal policies and procedures which govern crucial security aspects, including but not limited to:

  • risk management

  • remote access and network management

  • physical access and security monitoring

  • data classification

  • data sharing and storage controls

  • service provider engagement and security

Security Standards and Certifications

Travitor’s operations, policies and procedures are reviewed at least annually and audited regularly to ensure that Travitor meets or exceeds the standards expected of service providers.

ISO 27001 is an information security standard originally published in 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). In September 2013, ISO/IEC 27001:2013 was published, superseding the 2005 standard (a further revision, ISO/IEC 27001:2022, has since replaced the 2013 edition). ISO 27001 is a globally recognized, standards-based approach to security that sets out the requirements for an organisation’s Information Security Management System (ISMS).

Travitor achieved Cyber Essentials certification in April 2018. Cyber Essentials is a UK government-backed scheme, operated under the National Cyber Security Centre (NCSC), that provides an independent assessment of a baseline set of security controls. This certification further demonstrates Travitor’s continued commitment to information security and its willingness to accommodate its customers’ requirements.

Travitor passed its first SOC 2 Type I audit for its software-enabled cloud services in June 2018. Defined by the American Institute of Certified Public Accountants (AICPA), a SOC 2 report evaluates an organisation’s internal controls and security measures against five Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy. A Type I report assesses whether the controls are suitably designed at a point in time; a Type II report, which Travitor first passed in July 2019, also tests the operating effectiveness of those controls over a review period. SOC 2 compliance gives clients further assurance of the robustness of Travitor’s security posture and control framework.

In January 2019, Travitor officially achieved Payment Card Industry Data Security Standard (PCI DSS) Level 1 compliance for its Cloud Operations services. Administered by the PCI Security Standards Council, PCI DSS is an information security standard that aims to enhance payment account security and prevent payment card fraud.

As further demonstration of Travitor’s commitment to cyber security, in October 2019 Travitor joined over 100 other tech leaders in signing the Cybersecurity Tech Accord, whose collective goal is to “promote a safer online world by fostering collaboration among global technology companies committed to protecting their customers and users and helping them defend against malicious threats.”

In general, Travitor follows industry best practices for the secure transmission, storage and disposal of information, and for authentication and access control across media, applications, operating systems and equipment.

Travitor has also implemented proactive security measures such as perimeter defenses and network intrusion prevention systems. Vulnerability assessments and penetration tests of the Travitor network infrastructure are conducted regularly by both internal teams and external third-party vendors.

International Data Transfers

Strict data protection laws govern the transfer of personal data originating from the European Economic Area (EEA) or Switzerland to other countries not deemed adequate under applicable data protection laws. Travitor has implemented the following international data transfer safeguards in order to comply with such data protection laws:

Intracompany data processing agreement. As a global company, Travitor may need to share personal data across its entities to support our customers in the provision of services. Travitor has put in place an intracompany data processing agreement incorporating the European Commission’s approved standard contractual clauses (“Model Clauses”) to allow the processing of personal data amongst its entities.

E.U.-U.S. Privacy Shield and Swiss-U.S. Privacy Shield. Travitor is self-certified under the E.U.-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield. These frameworks were developed to enable companies to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States. To learn more about the Privacy Shield Program, please see http://www.privacyshield.gov/welcome. Note that the Court of Justice of the European Union invalidated the E.U.-U.S. Privacy Shield as a transfer mechanism in July 2020 (the Schrems II judgment), and the Swiss data protection authority reached the same conclusion for the Swiss-U.S. Privacy Shield in September 2020; transfers that relied on these frameworks now need another safeguard, such as standard contractual clauses.

European Union Model Clauses. Travitor has incorporated the Model Clauses into the standard data protection agreement it uses with service providers located in a third country. The Model Clauses create a contractual mechanism that meets the adequacy requirement and so allows the transfer of personal data from the EEA to a third country.

Investigation and Reporting of Security Incidents

Travitor has a documented internal security incident response plan in place both in Europe and North America that aligns with the GDPR data breach notification requirements.

Close collaboration between the Travitor Security and Legal teams allows incidents to be handled from both technical and legal standpoints, with an appropriate response plan implemented efficiently.

Because of Travitor’s thorough training programs, many incidents and anomalies are reported directly by Travitor staff, giving the security team visibility of threats affecting the company. Such reports have included phishing attempts (with reporting rates of up to 100% in some cases), possible mishandling of credentials, and inappropriate permissions.

Customer Data Safeguards

Information Classification and Risk-Based Controls

Travitor has implemented a three-tier classification scheme that protects information according to its risk level. All information that Travitor processes on behalf of its customers is assigned the highest level of protection.

Use of Google’s G Suite products

Travitor makes extensive use of G Suite (now Google Workspace) productivity and collaboration tools, and in particular Google Drive for storage, thereby benefiting from Google’s experience and innovation in the security field. G Suite’s administrative controls allow Travitor to apply appropriate security policies to these accounts. Details of G Suite’s security practices are published by Google.

Logical Security

In addition to adhering to various security best practices, Travitor requires all employees to enable two-factor authentication on their accounts wherever it is supported and practical. This includes G Suite access (enforced by policy), cloud provider services and secrets management systems.

Data Encryption at rest and in transit

Customer data is encrypted at rest wherever the underlying platform supports it, and customer data in transit over networks is encrypted.

Security Compliance by Travitor Staff

Travitor has a secure procedure for vetting new employees, which includes background checks on all employees, consistent with applicable country-specific laws.

Travitor takes appropriate steps to ensure compliance with our security measures and standards by employees and contractors to the extent applicable to their scope of performance. This includes ensuring that all persons authorized to process customer personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

All Travitor employees receive privacy and security training during onboarding and on an ongoing basis. In addition, tailored business-unit training and awareness sessions, for example on social engineering, are carried out throughout the year.

Subprocessor Security

Before engaging any third party to process customers’ data (a “Subprocessor”), Travitor audits the security and privacy practices of the Subprocessor to ensure it provides a level of security and privacy appropriate to its access to data and the scope of the services for which it is being considered.

Once Travitor has assessed the risks presented by a Subprocessor, the Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms.

Retention and Deletion

Travitor retains customer personal data only for as long as is necessary to provide services and products to the customer, or for the purposes permitted by the customer. Once the purpose for retaining personal data has expired, Travitor will return the personal data to the customer or delete it, and will retain a copy only where required by law, and then only the portion of the personal data that is strictly necessary.

Privacy by Design

Before launching any new product, Travitor’s privacy and product teams evaluate how the product collects, uses and stores data. This allows the business to identify potential privacy and data protection risks early, which enables early resolution, saves costs in the long term and ensures that transparent and comprehensive information can be provided to customers.

Ongoing evaluations and improvements

Travitor recognizes that data protection and data security are a high priority for its global customers. Travitor therefore continues to monitor legal developments, at both EU and member-state level, and to improve its practices and processes.

Vulnerability Disclosure

At Travitor, we are committed to the responsible disclosure of vulnerabilities and provide all third parties, including partners, researchers, media outlets and the general public, with a suitable and legal method of disclosing known vulnerabilities to us. Vulnerabilities can be reported to support@travitor.com.

Data Protection Officer

Travitor has appointed a data protection officer (DPO) to oversee compliance with relevant data protection laws. If you have any questions about our data protection or security practices, please contact your account manager.

General Data Protection Regulation (GDPR)

The European Union’s General Data Protection Regulation (GDPR) protects EU data subjects’ fundamental right to privacy and to the protection of their personal data. It introduces robust requirements that raise and harmonize standards for data protection, security and compliance across member states.

In addition to its own compliance, Travitor is committed to offering services and resources that help customers comply with the GDPR requirements that apply to their activities. New features are launched regularly, and Travitor has 500+ features and services focused on security and compliance.

Security of Personal Data

Travitor has in place, as a data processor, effective technical and organizational measures to secure personal data in accordance with the GDPR. Security remains our highest priority, and we continue to innovate and invest in a high bar for security and compliance across all global operations. This functionality provides the foundation for a long list of internationally recognized certifications and accreditations demonstrating compliance with rigorous international standards, such as ISO 27001 for technical measures, ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1, and EU-specific certifications such as the German BSI’s Cloud Computing Compliance Controls Catalogue (C5).

Compliance-enabling Services

Many requirements under the GDPR focus on ensuring effective control and protection of personal data. Travitor provides security measures that support your compliance with the GDPR, including the specific measures called for by Article 32, such as:

  • Encryption of personal data

  • Ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services

  • Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

  • Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing

Conformity with a Code of Conduct

The GDPR recognizes adherence to an approved “code of conduct” as a mechanism by which a data processor can demonstrate sufficient guarantees that it meets the requirements the GDPR places on processors. In this context, we previously announced compliance with the CISPE Code of Conduct, which provides customers with additional assurances about their ability to fully control their data in a safe, secure and compliant environment when they use services from cloud infrastructure providers such as AWS. More detail about the CISPE Code of Conduct can be found at: https://aws.amazon.com/compliance/cispe/