Physical, System, and Operational Security
Traxo services are hosted in cloud service providers that are audited and certified against industry standards. This includes AWS, which is compliant with the PCI, HIPAA, SSAE 16, SOC 2, and SOC 3 standards among others. A full list of AWS certifications is available at aws.amazon.com/compliance.
System configuration and patching occurs through an automated process, backed by source code management for change management, tracking, and review. System access is logged and tracked, and multi-factor authentication (MFA) is required for operator access.
We use numerous monitoring solutions as part of regular operations to prevent and eliminate attacks. In addition, secure destruction policies are implemented for all sensitive information.
For more detailed information about our security practices, you can view our documentation.
Traxo complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework with respect to the transfer of personal data from the EEA or Switzerland to our servers, which are located in the US.
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the EEA and Switzerland to the United States.
European Union General Data Protection Regulation (GDPR)
We want to keep you informed and prepared about how we support the new European General Data Protection Regulation (GDPR). Not only is GDPR an important step in protecting the fundamental right to privacy for European citizens, it also raises the bar for data protection, security, and compliance.
The General Data Protection Regulation (GDPR) is a new European privacy law that goes into effect on May 25, 2018. The GDPR will replace the EU Data Protection Directive, also known as Directive 95/46/EC, and will apply a single data protection law throughout the EU.
GDPR applies to any organization located within the EU as well as those located outside of the EU if they offer goods or services to EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. The GDPR defines personal data as any information relating to an identified or identifiable natural person.
Depending on the service, Traxo is either a data controller or data processor, or both. A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller. In the case of Traxo CAPTURE and Traxo CONNECT, Traxo is only a data processor. For the Traxo Traveler service, Traxo is both a data controller and a data processor.
We have conducted an extensive analysis of our operations to ensure we comply with the new requirements of the GDPR. This has included all infrastructure, services, and products used by Traxo in the operations of our services for travelers, developers, and corporations. Additionally, with the assistance of outside advisors, we have reviewed our customer terms, privacy notices, and arrangements with third parties for compliance with GDPR. We can confirm all of our services will be fully compliant with GDPR by May 25, 2018.
Data Processing Addendum (DPA)
We offer data processing addendums (DPAs) for our customers that operate in the EU. This DPA reflects the requirements of the European Data Protection Regulation (“GDPR”) as it comes into effect on May 25, 2018. Traxo’s services offered in the European Union are GDPR ready and this DPA provides you with the necessary documentation of this readiness.
To ensure no inconsistent or additional terms are imposed on Traxo beyond that reflected in our standard DPA, we cannot agree to sign customers’ DPAs. Contact us if you have any questions.
Data Subject Rights (DSR) Requests
Controllers and processors of data are obliged to give effect to the rights of data subjects under EU data protection law. These rights are called Data Subject Rights (DSRs). In short, these rights include:
- Right of access
- Right to rectification, to be forgotten, and to erasure
- Right to restriction of processing
- Right of data portability
- Right to object
Traxo has established processes to support exercising your DSR requests. All requests should be initiated as a logged-in user using features built into the Traxo product used.
- Traxo Travelers: Navigate to Settings to exercise your Member Account Rights
- Traxo CAPTURE: Navigate to your Account Overview to edit your account and exercise rights
- Traxo CONNECT: Navigate to your profile or the profile of the member to exercise rights
We will respond to these requests within 14 days, which is well within the GDPR requirement of 30 days.
Contact us if you have any questions.