Cyber Security

trivago has put in place technical and organizational measures to ensure that we maintain IT security across operations at trivago. An overview of some of the technical and organizational measures trivago has implemented are listed below.

GDPR

As of May 25th, 2018, trivago is compliant with the EU’s General Data Protection Regulations (GDPR). trivago has undergone the appropriate measures to be compliant, and by definition, trivago is a Processor under GDPR. You can find more details in our privacy policy.

IT Security policies

trivago has established written IT Security Policies to give guidance on various areas of IT Security. Further technical and organizational measures are contained in these policies, and they are based on best practice and international standards, e.g., ISO27k1 and NIST. These policies are regularly reviewed and take into account, among other things, the state of the art and risks faced by trivago so as to provide adequate IT Security which protects against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed at trivago.

Vendor assessments

trivago ensures a high level of IT Security across its operations by choosing vendors which are ISO27K1 certified or SOC certified for critical vendors or vendors which can provide an otherwise equally high level of IT Security.

Encryption

trivago’s Cloud Computing storage is encrypted by default. The key management sovereignty is held within trivago and cannot be accessed by third parties.
trivago’s workstations and laptops are encrypted to protect from data theft. Encryption and decryption are centrally managed by the IT Support Team.

Penetration testing

trivago conducts penetration testing by third-party experts once a quarter throughout all customer-facing systems. Results and issues are logged, assessed, and are managed centrally by the Incident and Response Team.

Vulnerability disclosure program

trivago offers a bug bounty program to attract hackers to find IT Security bugs in trivago’s products with the goal to continually improve the level of IT Security of trivago products. If you would like to participate in this program, please send an email to security@trivago.com.

Firewalls

trivago makes use of network segmentation supported by state-of-the-art firewall technologies for on-premise systems as well as cloud systems.

DDoS attack prevention

trivago makes use of extensive services that prevent and mitigate DDoS attacks.

Pseudonymization or anonymization

Where possible, trivago has automated pseudonymization or alternatively anonymization processes in systems handling personal data.

Access control

trivago has processes and procedures for access control, including on- and offboarding of employees as well as granting, revoking, and reviewing user access rights. User access rights are centrally managed in the Active Directory. Every user retrieves a unique user account; shared user accounts are prohibited.
Physical access controls are realized via ID-badges. The details of visitors to trivago offices are recorded and visitors are provided with least-access ID-badges. Offices are supervised 24/7 by trained security personnel.

Need-to-know restrictions

trivago’s rights management system corresponds the Least-Privilege Access principle where users receive the least possible set of privileges on a computer system necessary to execute their responsibilities.

Segregation of duties

trivago’s software operation pipelines include the segregation of duties to effectively prevent software engineers from publishing and committing code changes without the review of colleagues.
To further improve code quality, trivago implemented two testing stages prior to production environment. trivago user personal data is only available on production level systems and restricted to non-human access.

Awareness and training

trivago continually trains its staff. Courses are updated regularly to cover individual learning objectives and trivago has compulsory baseline knowledge areas such as IT Security and Data Protection.

Confidentiality

All contracts with trivago employees and freelancers working for trivago include confidentiality provisions. trivago makes extensive use of non-disclosure agreements to ensure that confidentiality is maintained when working with third parties.

Incident response

trivago has an incident response team which consists of members from the following three organizational teams:

  • Legal Team and Data Protection Officer
  • IT Security Team
  • Incident Team

All incident reports, penetration test results, and bug bounty submissions are centrally assessed, documented, tracked, and monitored.

How to contact us

We take IT Security seriously. If you have any additional questions that aren't answered above or by the trivago Help Center, please email security@trivago.com and we'll reply as quickly as we can.

For complete information, you may also want to review the following: