Information Security Policy

Last updated on April 5th, 2019


Overview

As a market leader in SME business travel, we are committed to providing high-quality business travel that saves money and time and is safe. We must ensure that the information we hold or are responsible for is safeguarded where necessary against inappropriate disclosure; is accurate, timely and attributable; and is available to those who should be able to access it.

The Information Security Policy below provides the framework by which we take account of these principles. Its primary purpose is to enable all Taptrip staff to understand both their legal and ethical responsibilities concerning information, and empower them to collect, use, store and distribute it in appropriate ways.

How we protect our customers

We use the best technology available to keep your information safe. From login to logout, we encrypt our customers’ data with the highest standards available.

Industry Standard Security

State-of-the-art encryption technology

Your data is transferred with high-grade TLS and protected at rest with multi-layered AES-128 encryption – the industry standard for commercial applications. Encryption keys are stored separately from the data, and it’s all hosted in Amazon AWS and can only be accessed from our production VPN. All requests to our production servers pass through several management layers before reaching them.

Data centre security

We are using Amazon AWS as our server infrastructure. AWS’s data centres are state of the art, utilizing innovative architectural and engineering approaches. Amazon has many years of experience in designing, constructing, and operating large-scale data centres. This experience has been applied to the AWS platform and infrastructure. AWS data centres are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data centre floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. AWS only provides data centre access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to data centres by AWS employees is logged and audited routinely.

Two-factor authentication

Access to sensitive data requires two-factor authentication and is restricted only to authorized personnel performing specific tasks for the client (e.g. customer service).

Data retention

Our data is stored in a well-protected production environment where only authorized employees can access data on an as-needed basis. We keep only necessary customer data that is required to conduct business transactions. Our data storage is not accessible from the public internet, and data is only retained for the duration of the relevant contract with the customer. All archived data is strongly encrypted, and customer data is deleted by technical means sufficient to render this data irretrievable by ordinary commercially available means.

Real-time audit log

We also keep a real-time audit log of all data access and changes made by administrators, customers, employees and our automated system.

In-house monitoring

We have a technical team that is always busy thinking about how to keep your data safer!

3rd party testing

Our site and API are subjected to independent, ongoing penetration testing, security scans, threat detection and greybox assessment by well-respected cyber security firms.

Any questions? Contact our Chief Technology Officer by emailing jack@taptrip.co

High availability infrastructure

Redundancy

Our architecture and deployment are designed for resiliency and for keeping our service up.

Recoverability

We store backups in multiple secure locations and update them throughout the day, every day.

Uptime

Our technology ensures high availability of your information: 99.9% uptime (with security in mind).

1. Introduction

The confidentiality, integrity and availability of information, in all its forms, are critical to the ongoing functioning and good governance of Taptrip. Failure to adequately secure information increases the risk of financial and reputational losses from which it may be difficult for Taptrip to recover.

This information security policy outlines Taptrip’s approach to information security management. It provides the guiding principles and responsibilities necessary to safeguard the security of Taptrip’s information systems. Supporting policies, codes of practice, procedures and guidelines provide further details.

Taptrip is committed to a robust implementation of Information Security Management. It aims to ensure the appropriate confidentiality, integrity and availability of its data. The principles defined in this policy will be applied to all of the physical and electronic information assets for which Taptrip is responsible. Taptrip is specifically committed to preserving the confidentiality, integrity and availability of documentation and data supplied by, generated by and held on behalf of third parties pursuant to the carrying out of work agreed by contract in accordance with the requirements of data security standard ISO 27001.

1.1 Objectives

The objectives of this policy are to:

  1. Provide a framework for establishing suitable levels of information security for all Taptrip information systems (including but not limited to all Cloud environments commissioned or run by Taptrip, computers, storage, mobile devices, networking equipment, software and data) and to mitigate the risks associated with the theft, loss, misuse, damage or abuse of these systems.
    1. This explicitly includes any ISO27001-certified Information Security Management Systems Taptrip may run.
    2. The resources required to manage such systems will be made available.
    3. Continuous improvement of any ISMS will be undertaken in accordance with Plan-Do-Check-Act principles.
  2. Make certain that users are aware of and comply with all current and relevant UK and EU legislation.
  3. Provide the principles by which a safe and secure information systems working environment can be established for staff and any other authorised users.
  4. Ensure that all users understand their own responsibilities for protecting the confidentiality and integrity of the data that they handle.
  5. Protect Taptrip from liability or damage through the misuse of information.
  6. Maintain research data and other confidential information provided by suppliers at a level of security commensurate with its classification, including upholding any legal and contractual requirements around information security.
  7. Respond to changes in the context of the organisation as appropriate, initiating a cycle of continuous improvement.

1.2 Scope

This policy is applicable to, and will be communicated to, all staff and third parties who interact with information held by Taptrip and the information systems used to store and process it. This includes, but is not limited to: Cloud systems developed or commissioned by Taptrip, any systems or data attached to the Taptrip data or telephone networks, systems managed by Taptrip, mobile devices used to connect to Taptrip networks or hold Taptrip data, data over which Taptrip holds the intellectual property rights, data over which Taptrip is the data controller or data processor, and electronic communications sent from Taptrip.

2. Policy

2.1 Information security principles

The following information security principles provide overarching governance for the security and management of information at Taptrip.

  1. Information should be classified according to an appropriate level of confidentiality, integrity and availability (see Section 2.3. Information Classification) and in accordance with relevant legislative, regulatory and contractual requirements (see Section 2.2. Legal and Regulatory Obligations).
  2. Staff with particular responsibilities for information (see Section 3. Responsibilities) must ensure the classification of that information; must handle that information in accordance with its classification level; and must abide by any contractual requirements, policies, procedures or systems for meeting those responsibilities.
  3. All users covered by the scope of this policy (see Section 1.2. Scope) must handle information appropriately and in accordance with its classification level.
  4. Information should be both secure and available to those with a legitimate need for access in accordance with its classification level.

On this basis, access to information will be on the basis of least privilege and need to know.

  5. Information will be protected against unauthorized access and processing in accordance with its classification level.
  6. Breaches of this policy must be reported (see Sections 2.4. Compliance and 2.5. Incident Handling).
  7. Information security provision and the policies that guide it will be regularly reviewed, including through the use of annual internal audits and penetration testing.

Any explicit Information Security Management Systems (ISMSs) run within Taptrip will be appraised and adjusted through the principles of continuous improvement, as laid out in ISO27001 clause 10.

2.2 Legal & regulatory obligations

Taptrip has a responsibility to abide by and adhere to all current UK and EU legislation as well as a variety of regulatory and contractual requirements.

A non-exhaustive summary of the legislation and regulatory and contractual obligations that contribute to the form and content of this policy is provided in Appendix A.

Related policies will detail other applicable legislative requirements or provide further detail on the obligations arising from the legislation summarised below.

2.3 Information classification

The following table provides a summary of the information classification levels that have been adopted by Taptrip and which underpin the 8 principles of information security defined in this policy.

These classification levels explicitly incorporate the General Data Protection Regulation’s definitions of Personal Data and Special Categories of Personal Data, as laid out in Taptrip’s Data Protection Policy, and are designed to cover both primary and secondary research data.

Information may change classification levels over its lifetime, or due to its volume – for instance:

| Security Level | Definition | Examples | FOIA2000 Status |
| --- | --- | --- | --- |
| Confidential | Only accessible to Taptrip staff and authorised third parties that require access to such information. Should be held in an encrypted state outside of Taptrip’s systems; may have encryption at rest requirements from providers. | GDPR-defined Special Categories of personal data (racial/ethnic origin), passwords; large aggregates of personally identifying data (>1000 records) including elements such as name, address, telephone number and date of birth. | Subject to significant scrutiny in relation to appropriate exemptions/public interest and legal considerations. |
| Restricted | Only accessible to Taptrip staff and authorised third parties that require access to such information. | GDPR-defined Personal Data (information that identifies living individuals including home / work address, age, telephone number); | Subject to significant scrutiny in relation to appropriate exemptions/public interest and legal considerations. |
| Internal use | Only accessible to Taptrip staff and third parties that require access to such information. | Internal use. This includes travel budgets and potential support queries. | Subject to scrutiny in relation to appropriate exemptions/public interest and legal considerations. |
| Public | Accessible to all members of the public. | Case studies where agreed and applicable. | Freely available on the Taptrip website. |

2.4 Suppliers

All Taptrip’s suppliers will abide by Taptrip’s Information Security Policy, or otherwise be able to demonstrate corporate security policies providing equivalent assurance. This includes:

  1. When accessing or processing Taptrip assets, whether on site or remotely
  2. When subcontracting to other suppliers.

2.5 Cloud Providers

Under the GDPR, a breach of personal data can lead to a fine of up to 4% of global turnover. Where Taptrip uses Cloud services, Taptrip retains responsibility as the data controller for any data it puts into the service, and can consequently be fined for any data breach, even if this is the fault of the Cloud service provider. Taptrip will also bear the responsibility for contacting the Information Commissioner’s Office concerning the breach, as well as any affected individual. It will also be exposed to any lawsuits for damages as a result of the breach. It is extremely important, as a consequence, that Taptrip is able to judge the appropriateness of a Cloud service provider’s information security provision. This leads to the following stipulations:

  1. Cloud services used to process personal data will be expected to have ISO27001 certification, with adherence to the standard considered the best way of a supplier proving that it has met the GDPR principle of privacy by design, and that it has considered information security throughout its service model.

2.6 Compliance, Policy Awareness and Disciplinary Procedures

Any security breach of Taptrip’s information systems could lead to the possible loss of confidentiality, integrity and availability of personal or other confidential data stored on these information systems. The loss or breach of confidentiality of personal data is an infringement of the General Data Protection Regulation, contravenes Taptrip’s Data Protection Policy, and may result in criminal or civil action against Taptrip.

The loss or breach of confidentiality of contractually assured information may result in the loss of business, financial penalties or criminal or civil action against Taptrip. Therefore, it is crucial that all users of Taptrip’s information systems adhere to the Information Security Policy.

All current staff and other authorised users will be informed of the existence of this policy and the availability of supporting policies, codes of practice and guidelines.

2.7 Incident Handling

If a member of staff is aware of an information security incident, then they must report it to support@taptrip.co or a board member. Breaches of personal data will be reported to the Information Commissioner’s Office by Taptrip’s executive team.

2.8 Supporting Policies, Codes of Practice, Procedures and Guidelines

Supporting policies have been developed to strengthen and reinforce this policy statement. These, along with associated codes of practice, procedures and guidelines are published together and are available on Taptrip’s website.

All staff, and any third parties authorised to access Taptrip’s network or computing facilities, are required to familiarise themselves with these supporting documents and to adhere to them in the working environment.

2.9 Review and Development

This policy, and its subsidiaries, shall be reviewed by the CTO & CEO and updated regularly to ensure that they remain appropriate in the light of any relevant changes to the law, organisational policies or contractual obligations. Additional regulations may be created to cover specific areas.

3. Responsibilities

Taptrip staff:

All staff and approved third parties will be users of Taptrip information. This carries with it the responsibility to abide by this policy and its principles and relevant legislation, supporting policies, procedures and guidance.

No individual should be able to access information to which they do not have a legitimate access right. Notwithstanding systems in place to prevent this, no individual should knowingly contravene this policy, nor allow others to do so. To report policy contraventions, please see Section 2.5: Incident Handling.

CTO & CEO:

Responsible for advising on and recommending information security policies to the Information Technology Committee, assessing information security risks, and identifying and implementing controls to risks.