Security Policy

Last Updated -

At Acai Travel, we believe trust from our customers is paramount. We recognize the importance of providing a top-performing application that is continuously available, while protecting your data and keeping it private. Our security consists of layers of protection, starting with team policies and procedures, and incorporates continuous monitoring and automation built into our software development cycle. Our commitment to security extends to our partners and trained third-party security professionals who provide guidance, ensure compliance, and validate security across all areas of the organization.

Data Center and Network Security Protocols

The Acai Travel platform runs on AWS in their fully certified data centers and applies security controls and system checks to keep your data safe.

Software Development Security Protocols

Through regular reviews and third-party penetration testing and monitoring, Acai Travel ensures the platform is secure at the code level and throughout the software development lifecycle.

Platform Security Features

Customers have complete control over their Acai Travel platform instance, ensuring only credentialed users have access, and can manage user permissions granularly within the app.

Internal Operations Security Controls

Acai Travel applies best practices and controls to reduce social engineering threats and improve the security and awareness of Acai Travel employees.

Compliance and Certifications

Acai Travel maintains a comprehensive set of IT controls which are regularly audited by independent firms to ensure the company is meeting its compliance obligations. More information on compliance can be found here.

Data Center and Network Security Protocols

Protection

Our network is protected through the use and integration of key AWS security services and other network intelligence technologies that monitor and block malicious traffic and network attacks. Regular third-party audits and penetration tests ensure the effectiveness of our data center and network security protection protocols.

Hosting

The Acai Travel platform is fully hosted within Amazon AWS data centers that offer a comprehensive set of security capabilities, have been ISO 27001 and PCI DSS Service Provider Level 1 certified, and maintain SOC 2 compliance.

Architecture

Our network security architecture consists of multiple security zones. We apply additional security monitoring and access controls depending on the zone. More sensitive systems, like database servers, are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk.

Multi-Region Disaster Recovery

Our cloud-based infrastructure runs across multiple regions to enable high availability. Each of our hosting environments has a primary region and a secondary region. In the event of a regional infrastructure service disruption in any of our primary regions, we have the ability to migrate your network traffic to a secondary region.

Virtual Private Cloud (VPC)

All services are hosted within a VPC exposing only the limited hosts/port mappings required for public API and internal access.

Firewall

The Acai Travel platform’s external endpoints are each protected by an AWS Web Application Firewall (WAF), which protects the platform from common web exploits that could affect availability and security.

Monitoring

All production network systems and networked devices are continuously monitored by Acai Travel. Physical security, power, and internet connectivity are monitored by AWS.

Intrusion Detection and Protection

Service ingress and egress points are instrumented and monitored to detect anomalous behavior. Monitored 24/7, these systems are configured to generate alerts when incidents occur or monitored values exceed predetermined thresholds, and they use regularly updated signatures based on new threats.

Penetration Tests

Acai Travel partners with third-party vendors to conduct frequent penetration tests on Acai Travel’s network, systems, services, and employees.

Network Vulnerability Scanning

Acai Travel regularly conducts network scanning for quick identification of out-of-compliance or potentially vulnerable systems.

Encryption in Transit

To protect data in transit, we use encryption protocols such as Transport Layer Security (TLS) to protect the transport of data everywhere. This ensures that if hosts are compromised, attackers cannot glean information by eavesdropping on network communications. We use certificates to protect communications from interception and misuse, and we automate certificate expiration and renewal to ensure proper key rotation.

Encryption at Rest

All data, including backup data, is stored encrypted at the volume, disk, or data-store level.

Software Development Security Protocols

Quality Assurance (QA)

Our tech department follows industry best practices for automated, integration, and end-to-end testing of our application and platform. Our CI/CD pipelines also identify, test, and triage security vulnerabilities in the code on a regular basis.

Penetration Testing

In addition to our extensive internal scanning and testing program, Acai Travel employs a third-party security consultancy to conduct biannual penetration tests on our core web application.

Vulnerability Scanning

We employ a third-party security consultancy to continuously scan our core applications against the Open Web Application Security Project (OWASP) Top 10 security risks. Our dedicated product security team tests and works with our engineering teams to remediate any discovered issues.

Separate Environments

Testing and Staging environments are logically separated from the production environment. No client data is used in the development or test environments.

Platform Security Features

Authentication

We support SSO through the use of OAuth (Auth0) or SAML Identity Providers.

Single Sign-On (SSO)

SSO allows you to authenticate users in your own systems without requiring them to enter additional login credentials for your Acai Travel platform instance. The Acai Travel application supports JSON Web Token (JWT), Security Assertion Markup Language (SAML), and Open Authorization (OAuth) through Google.

Secure Credential Storage

All credentials are stored using SHA256 hashing algorithms with user-specific salts. API tokens, which are JWTs, are validated at runtime and are not stored in the system.

Role Based Access Controls

Access to Acai Travel platform data is governed by Role Based Access Control (RBAC), and can be configured to define granular access privileges.

Transmission Security

All communications with Acai Travel’s UI and APIs are encrypted using TLS encryption protocols.

Domain Filtering

Acai Travel Applications can be configured to only allow access from specific domains that our clients define.

IP Ranges

IP-range-based access restrictions for our apps can be provided on request after evaluating the needs.

Internal Operations Security Controls

Security Training

Acai Travel has a third-party security consultancy that provides all employees with security awareness training on their first day, prior to being given network access. Additionally, employee security trainings are conducted annually and include secure code training covering OWASP Top 10 security risks, common attack vectors, and security controls.

Information Security Policies

All Acai Travel employees must read and acknowledge the information security policies prior to being given network access on their first day. Acai Travel information security policies are reviewed and updated on a biannual basis.

Security Incident Response

Acai Travel has a documented incident response plan for all urgent issues that impact the production system. Additionally, Acai Travel has a 24/7 Security Incident Response Team (SIRT) that specializes in handling security incidents properly within the organization, from containment to notification of impacted users within a specific timeframe.

Compliance and Certifications

GDPR

Acai Travel is fully committed to and has put in place mechanisms to comply with GDPR regulations. Learn more about our GDPR compliance here.

PCI Level I

Acai Travel does not process monetary transactions either directly or on behalf of its clients through any of its applications or website.

Acai Travel Privacy Policy

Review the Acai Travel privacy policy here.