EU Data Protection

Travel data is our business. Customer trust is our mission.


We are proud of our privacy practices and the strength of our site security. We want you to know how we protect your information and use it to provide you services. As there are unique concerns and needs for companies in the EU as well as EU citizens, we have created this resource to help answer questions about our data protection practices, privacy policy, and the like.

For complete details, refer to our full data security statement, User Agreement, and Privacy Policy. The points below are those likely to be of most interest relative to the EU.

Physical, System, and Operational Security

Traxo services are hosted in cloud service providers that are audited and certified against industry standards. This includes AWS, which is compliant with the PCI, HIPAA, SSAE 16, SOC 2, and SOC 3 standards among others. A full list of AWS certifications is available at

System configuration and patching occur through an automated process, backed by source code management for change management, tracking, and review. System access is logged and tracked, and multi-factor authentication (MFA) is required for operator access.

We use numerous monitoring solutions as part of regular operations to prevent and eliminate attacks. In addition, secure destruction policies are implemented for all sensitive information.

For more detailed information about our security practices, you can view our documentation.

European Union General Data Protection Regulation (GDPR)

We want to keep you informed and prepared about how we support the new European General Data Protection Regulation (GDPR). Not only is GDPR an important step in protecting the fundamental right to privacy for European citizens, it also raises the bar for data protection, security, and compliance.

What is GDPR?

The General Data Protection Regulation (GDPR) is a new European privacy law that goes into effect on May 25, 2018. The GDPR will replace the EU Data Protection Directive, also known as Directive 95/46/EC, and will apply a single data protection law throughout the EU.

Who does GDPR apply to?

GDPR applies to any organization located within the EU as well as those located outside of the EU if they offer goods or services to EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. The GDPR defines personal data as any information relating to an identified or identifiable natural person.

What is Traxo’s role under GDPR?

Depending on the service, Traxo is either a data controller or data processor, or both. A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller. In the case of Traxo CAPTURE and Traxo CONNECT, Traxo is only a data processor. For the Traxo Traveler service, Traxo is both a data controller and a data processor.

What has Traxo done to comply with GDPR?

We have conducted an extensive analysis of our operations to ensure we comply with the new requirements of the GDPR. This has included all infrastructure, services, and products used by Traxo in the operations of our services for travelers, developers, and corporations. Additionally, with the assistance of outside advisors, we have reviewed our customer terms, privacy notices, and arrangements with third parties for compliance with GDPR. We can confirm all of our services will be fully compliant with GDPR by May 25, 2018.

Data Processing Addendum (DPA)

We offer data processing addendums (DPAs) for our customers that operate in the EU. This DPA reflects the requirements of the European Data Protection Regulation (“GDPR”) as it comes into effect on May 25, 2018. Traxo’s services offered in the European Union are GDPR ready and this DPA provides you with the necessary documentation of this readiness.

To ensure no inconsistent or additional terms are imposed on Traxo beyond those reflected in our standard DPA, we cannot agree to sign customers’ DPAs.

To get a copy of Traxo’s latest data processing addendum or to ask questions regarding data processing, please email us at

Data Subject Rights (DSR) Requests

Controllers and processors of data are obliged to give effect to the rights of data subjects under EU data protection law. These rights are called Data Subject Rights (DSRs). In short, these rights include:

  • Right of access
  • Right to rectification, erasure, and to be forgotten
  • Right to restriction of processing
  • Right of data portability
  • Right to object

Traxo has established processes to support exercising your DSR requests. All requests should be initiated as a logged-in user using features built into the Traxo product used.

  • Traxo Travelers: Navigate to Settings to exercise your Member Account Rights
  • Traxo Capture: Navigate to your Account Overview to edit your account and exercise rights
  • Traxo Connect: Navigate to your profile or the profile of the member to exercise rights

We will respond to these requests in 14 days or less, which is well within the GDPR requirement of 30 days.

Contact us if you have any questions.

“European Parliment, Plenar Hall” by CherryX licensed under CC BY 3.0 with modifications