TripActions Security Policy
Last Updated May 14, 2018
How We Protect Our Customers
We use the best technology available to keep your information safe. From login to logout, we encrypt our customers’ data with the highest standards available.
Industry Standard Security
State-of-the-art encryption technology
Your data is transferred over high-grade TLS and protected at rest by multi-layered encryption with AES-128, the industry standard for commercial applications. Encryption keys are stored separately from the data. Everything is hosted in Amazon AWS and can only be accessed from our production VPN. All requests to our production servers pass through several management layers before reaching them.
Data center security
We use Amazon AWS as our server infrastructure. AWS's data centers are state of the art, utilizing innovative architectural and engineering approaches. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to data centers by AWS employees is logged and audited routinely.
Two-factor authentication
Access to sensitive data requires two-factor authentication and is restricted to authorized personnel performing specific tasks for the client (e.g. customer service).
Data Retention
Our data is stored in a well-protected production environment where only authorized employees can access data on an as-needed basis. We keep only the customer data that is required to conduct business transactions. Our data storage is not accessible from the public internet, and data is retained only for the duration of the relevant contract with the customer. All archived data is strongly encrypted, and customer data is deleted by technical means sufficient to render it irretrievable by ordinary commercially available means.
Real-time audit log
We also keep a real-time audit log of all data access and changes made by administrators, customers, employees and our automated system.
In-house monitoring
We have an in-house security team that is always busy thinking about how to keep your data safer!
3rd party testing
Our site and API are subjected to independent, ongoing penetration testing, security scans, threat detection and greybox assessment by well-respected cyber security firms.
Questions? Contact our Data Protection Officer by emailing [email protected]
High Availability Infrastructure
Redundancy
Our architecture and deployment are designed for resiliency and for keeping our service up.
Recoverability
We store backups in multiple secure locations and update them throughout the day, every day.
Uptime
Our technology ensures high availability of your information: 99.9% uptime (with security in mind).