Security
Last updated: June 1, 2026
TripFusion operates real-time booking infrastructure for hotels, golf courses, spas, events, and activity providers. Protecting Customer, partner, and traveler data is foundational to that work. This page summarizes our security program.
Independently audited against the AICPA Trust Services Criteria for security, availability, and confidentiality.
Compliance and certifications
- SOC 2 Type II. TripFusion maintains an active SOC 2 Type II program covering the Security, Availability, and Confidentiality Trust Services Criteria. Reports are available to qualifying customers and prospects under NDA.
- PCI DSS. Payment card data is handled exclusively by PCI DSS-compliant payment processors; the Company does not store full card numbers (PANs) on its own systems.
- GDPR / CCPA. We support customer obligations under EU and California privacy law, including Standard Contractual Clauses for international transfers and DPA terms on request.
To request our latest SOC 2 report, Pen Test Letter, or DPA, email security@tripfusion.com.
Data protection
- Encryption in transit. All connections to the platform use TLS 1.2 or higher with modern cipher suites.
- Encryption at rest. Customer and traveler data is encrypted at rest using AES-256 on managed cloud storage.
- Key management. Encryption keys are managed by our cloud provider's KMS with strict access policies and rotation.
- Network isolation. Production workloads run in private subnets behind authenticated load balancers; direct database access is not exposed to the public internet.
Access control
- Least privilege. Engineering and operations access is granted on a need-to-know basis and reviewed regularly.
- Single sign-on and MFA. SSO is required for all internal systems; multi-factor authentication is enforced for all employees and contractors.
- Strong authentication. Password policies enforce length and complexity requirements; first-time and reset passwords are unique and must be changed on use.
- Audit logging. Authentication, administrative actions, and sensitive data access are logged and retained for review.
Vulnerability management
- Continuous monitoring. Dependencies, container images, and infrastructure are scanned continuously for known vulnerabilities.
- Patch cadence. Critical patches are applied on an expedited timeline; routine patches follow our standard release process.
- Penetration testing. Independent third parties conduct penetration tests annually; remediation is tracked to closure.
- Threat intelligence. We monitor security advisories from NIST, CISA (which absorbed the former US-CERT), and our cloud and software vendors so that new threats feed back into patching and monitoring.
Incident response
We maintain a documented Incident Response Plan with defined roles, communication procedures, and severity tiers (response targets range from immediate for Very High Risk events to within eight business hours for Low Risk). The plan is tested at least annually and updated based on lessons learned.
In the event of a confirmed security breach involving Customer data, we will notify affected Customers in accordance with applicable law and the timelines described in our agreements.
To report a suspected security issue, email security@tripfusion.com. Please include sufficient detail to reproduce the issue and your contact information so we can follow up.
Vendor management
Third parties that process Customer or traveler data on our behalf are reviewed before engagement and reassessed periodically. Contracts include security and confidentiality terms commensurate with the sensitivity of the work performed.
Personnel security
- Background checks are conducted for employees with access to production systems, where permitted by local law.
- Security training. All workforce members complete security awareness training on hire and at least annually. Engineers receive additional secure-coding training.
- Acceptable use and confidentiality. All workforce members acknowledge our security policies and sign confidentiality agreements.
Data classification
| Class | Examples | Handling |
| ---- | ---- | ---- |
| Public | Marketing site, press releases | No restriction |
| Internal | Internal docs, announcements | TripFusion personnel only |
| Sensitive / Confidential | Customer data, traveler PII, source code, security reports | Need-to-know access, encrypted in transit and at rest |
Sensitive or confidential data must not be transmitted to third parties via unencrypted email or FTP; encrypted channels are required.
Responsible disclosure
We welcome reports from the security research community. Please report vulnerabilities to security@tripfusion.com and give us a reasonable window to investigate and remediate before public disclosure. We do not pursue legal action against researchers who follow good-faith disclosure practices.
Contact
- Security and disclosure: security@tripfusion.com
- Compliance documentation requests: security@tripfusion.com
- General: hello@tripfusion.com