trivago has put in place technical and organizational measures to ensure that we maintain IT security across operations at trivago. An overview of some of the technical and organizational measures trivago has implemented are listed below.
IT Security policies
trivago has established written IT Security Policies to give guidance on various areas of IT Security. Further technical and organizational measures are contained in these policies, and they are based on best practice and international standards, e.g., ISO27k1 and NIST. These policies are regularly reviewed and take into account, among other things, the state of the art and risks faced by trivago so as to provide adequate IT Security which protects against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed at trivago.
trivago ensures a high level of IT Security across its operations by choosing vendors which are ISO27K1 certified or SOC certified for critical vendors or vendors which can provide an otherwise equally high level of IT Security.
trivago’s Cloud Computing storage is encrypted by default. The key management sovereignty is held within trivago and cannot be accessed by third parties.
trivago’s workstations and laptops are encrypted to protect from data theft. Encryption and decryption are centrally managed by the IT Support Team.
trivago conducts penetration testing by third-party experts once a quarter throughout all customer-facing systems. Results and issues are logged, assessed, and are managed centrally by the Incident and Response Team.
Vulnerability disclosure program
trivago offers a bug bounty program to attract hackers to find IT Security bugs in trivago’s products with the goal to continually improve the level of IT Security of trivago products. If you would like to participate in this program, please send an email to firstname.lastname@example.org.
trivago makes use of network segmentation supported by state-of-the-art firewall technologies for on-premise systems as well as cloud systems.
DDoS attack prevention
trivago makes use of extensive services that prevent and mitigate DDoS attacks.
Pseudonymization or anonymization
Where possible, trivago has automated pseudonymization or alternatively anonymization processes in systems handling personal data.
trivago has processes and procedures for access control, including on- and offboarding of employees as well as granting, revoking, and reviewing user access rights. User access rights are centrally managed in the Active Directory. Every user retrieves a unique user account; shared user accounts are prohibited.
Physical access controls are realized via ID-badges. The details of visitors to trivago offices are recorded and visitors are provided with least-access ID-badges. Offices are supervised 24/7 by trained security personnel.
trivago’s rights management system corresponds the Least-Privilege Access principle where users receive the least possible set of privileges on a computer system necessary to execute their responsibilities.
Segregation of duties
trivago’s software operation pipelines include the segregation of duties to effectively prevent software engineers from publishing and committing code changes without the review of colleagues.
To further improve code quality, trivago implemented two testing stages prior to production environment. trivago user personal data is only available on production level systems and restricted to non-human access.
Awareness and training
trivago continually trains its staff. Courses are updated regularly to cover individual learning objectives and trivago has compulsory baseline knowledge areas such as IT Security and Data Protection.
All contracts with trivago employees and freelancers working for trivago include confidentiality provisions. trivago makes extensive use of non-disclosure agreements to ensure that confidentiality is maintained when working with third parties.
trivago has an incident response team which consists of members from the following three organizational teams:
- Legal Team and Data Protection Officer
- IT Security Team
- Incident Team
All incident reports, penetration test results, and bug bounty submissions are centrally assessed, documented, tracked, and monitored.
How to contact us
For complete information, you may also want to review the following: