Confidence in Travel starts with security

Yapta is a cloud application providing airfare and hotel price tracking and assurance services for corporate and personal travelers. We offer FareIQ, an intelligent price tracking and airfare savings alert service, as well as RoomIQ, which monitors hotel bookings for price reductions and amenity gains on comparable rooms at the same hotel, sending alerts if room rate drops for corporate travel.


Data Security

Only limited Yapta employees with an approved and validated need for access may access the production environment, and they can only achieve this using a highly secured SSH key authentication system. Firewalls are utilized to restrict access to systems from external networks and between systems internally. By default all access is denied and only explicitly allowed ports and protocols are allowed based on business need. Each system is assigned to a firewall security group based on the system’s function. Security groups restrict access to only the ports and protocols required for a system’s specific function to mitigate risk.


Employee Screening and Policies

As a condition of employment all Yapta employees undergo pre-employment background checks and agree to company policies including security and acceptable use policies. Annual security training occurs for all employees.

Security Staff: Our security team is lead by the Chief Information Security officer (CISO) and includes staff responsible for application and information security. The security team works closely with the entire Yapta organization and customers to address risk and continue Yapta’s commitment to trust.


Backups and Disaster Recovery

The Yapta platform and databases are deployed across multiple regions and automatically backed up as part of the build and deployment process on secure, access controlled, and redundant storage. We use these backups to deploy FareIQ and RoomIQ to our infrastructure and are able to recreate the infrastructure in a different data center in the unlikely event of an outage.


Privacy

Yapta is committed to customer privacy and transparency. FareIQ and RoomIQ business products do not store Personal Identifiable Information (PII) in our infrastructure, unless explicitly requested in writing by a customer. We protect the privacy of our customers and protect data stored within the platform including multi-factor authentication, access controls, data transport encryption, and HTTPS support.

Security Assessments and Compliance

Data Centers


Yapta’s physical infrastructure is hosted and managed within Amazon’s secure data centers and utilize the Amazon Web Service (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

SOC 2 Type II Compliance


Yapta has obtained Service Organization Control 2 (SOC 2) Type II compliance status, validating its controls and processes that safeguard sensitive customer travel data. The examination by an independent auditing firm provides details on the stringent SOC 2 security standards, solidifying Yapta as a trusted partner for enterprise organizations.

Physical Security


Yapta utilizes ISO 27001 and FISMA certified data centers managed by Amazon. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Amazon only provides data center access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical and electronic access to data centers by Amazon employees is logged and audited routinely.

For additional information see: https://aws.amazon.com/security

Environmental Safeguards

Fire Detection and Suppression


Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.

Power


The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide backup power for the entire facility.

Climate and Temperature Control


Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Monitoring systems and data center personnel ensure temperature and humidity are at the appropriate levels.

Management


Data center staff monitor electrical, mechanical and life support systems and equipment so issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of equipment.

For additional information see: https://aws.amazon.com/security.