Security & Compliance
Built for compliance. Trusted by enterprise. Every transaction encrypted, every access logged, every credential rotatable — security is foundational, not a feature.
Our security stack passes the procurement reviews of global OTAs, TMCs, and Fortune 500 corporate travel teams. A Data Processing Agreement (DPA) and detailed security documentation are available on request.
How we protect your integration
Encryption everywhere
TLS/SSL encryption on every API call (TLS 1.2 or higher). Sensitive data is encrypted at rest.
Rotatable credentials
Time-bound API keys you can rotate or revoke on demand, scoped per environment.
IP whitelisting
Production endpoints accept traffic only from your approved application servers.
Audit logging
Comprehensive, traceable audit logs across access and transactions.
Environment isolation
The sandbox is completely isolated from production data and systems.
Incident response
A defined process for detection, escalation and customer notification.
Compliance & data handling
Frameworks. Tripgic's security program is built around GDPR and CCPA obligations, SOC 2 practices, and TLS 1.2+ encryption standards. We provide a DPA and supporting documentation on request — typically as part of your procurement review.
Data minimization & privacy. We process only what's needed to fulfil search, booking and post-ticketing operations. See our Privacy Policy for how data is collected, used and retained.
Availability. Production partners receive performance monitoring and alerting as part of operations.
Responsible disclosure. Found a vulnerability? Email [email protected] with details and we'll triage it through our escalation path. Please give us reasonable time to remediate before any public disclosure.
Security FAQ
Is data encrypted in transit and at rest?
Yes. Every API call is encrypted with TLS 1.2 or higher, and sensitive data is encrypted at rest.
Can I rotate or revoke API keys?
Yes. API keys are time-bound and can be rotated or revoked at any time from your dashboard.
Do you support IP whitelisting?
Yes. Production endpoints require IP whitelisting so only your approved application servers can transact.
Is the sandbox isolated from production?
Yes. The sandbox environment is completely isolated from production data and systems.
Which compliance frameworks does Tripgic align with?
Tripgic's program aligns with GDPR, CCPA, SOC 2 and TLS 1.2+ practices. A DPA and security documentation are available on request.
How do I report a security issue?
Email [email protected] with details. Our team triages and responds through a documented escalation path.
Need our security documentation?
Request a DPA, security overview, or a procurement questionnaire — we'll get it to your team fast.