We frequently get questions from prospective clients regarding data privacy and security, and how Traxo's services meet legal requirements for both areas. For corporate travel managers seeking to understand their booking blindspots, we've compiled some of the most common questions and our responses, which can be shared with internal legal and IT teams.
First, a few general points to keep in mind about Traxo services:
- You retain complete control and ownership of your data -- Traxo does not process any data unless your company sends it to us. We never access your email server, sensitive PII, or payment information, nor do we "snoop" on personal emails or monitor browser behavior. There are other solutions on the market which may do these things, but Traxo does not.
- Traxo facilitates many of the same workflows that your TMC and/or OBT perform for your company -- such as integrating with your Duty of Care provider or Expense Management application -- but we do so for the bookings occurring *outside* of those channels (i.e., "leakage"). From a privacy perspective, there is no difference in what Traxo does with the user data for these bookings and what your TMC or OBT do with the user data for their bookings.
- Data privacy regulations apply differently in an employer/employee context, versus a consumer context. As your company's Data Processor, Traxo can only process employee personal data in accordance with your directions -- we never access data that you haven't already authorized us to receive, and we cannot and do not sell or share that data with any third parties. Typically, these directions are already communicated to your employees as part of your company travel policy, their employment agreement, and/or your company's Acceptable Use policy governing how employees may and may not use company resources (including corporate email, payment cards, networks, devices, etc.). So, your company is quite likely already covered to use employee data when the purpose is specific to conducting company business.
Data Security
Does Traxo scan or read emails?
Traxo DOES NOT scan, monitor, or read your company’s emails, and does not have any access to your company email server. Your company's IT team and/or email administrator controls which emails are forwarded to Traxo; there is no Traxo technology installed or integrated into your corporate network. Traxo only processes emails that you proactively send to us -- we never see or access your company's internal email communications.
How does Traxo keep the data secure?
Traxo has robust practices and procedures utilizing monitoring solutions to prevent and eliminate attacks across all of our services.
Traxo personnel do not have physical access to the infrastructure and systems hosting customer data. Our infrastructure is hosted at cloud service providers that are audited and certified against industry standards. Traxo is Privacy Shield certified and uses technologies like encryption and multi-factor authentication (MFA) extensively to protect sensitive data.
Traxo’s primary cloud service provider, AWS (Amazon Web Services), is compliant with the PCI, HIPAA, SSAE 16, SOC 2, and SOC 3 standards among others. A full list of AWS certifications is available at https://aws.amazon.com/compliance/.
For more information on all the steps that Traxo takes to ensure the security of your data, see: https://www.traxo.com/security
Data Privacy
Is Traxo GDPR Compliant?
Yes. Traxo has conducted an extensive analysis of our operations to ensure we comply with the requirements of GDPR. This has included all infrastructure, services, and products used by Traxo in the operations of our services for travelers, developers, and corporations. Additionally, with the assistance of outside advisors, we have reviewed our customer terms, privacy notices, and arrangements with third parties for compliance with GDPR. We can confirm all of our services are fully compliant with GDPR as of May 25, 2018. Traxo also includes a standard Data Processor Agreement as part of our commercial MSA when you contract with us, which explicitly covers how you authorize us to use your company data.
Do travelers need to opt-in or approve the company sending corporate travel booking emails to Traxo?
The general interpretation is that the company has a “Legitimate Interest” or “Legal Obligation” in processing the data related to an employee's business travel plans. This is because the company pays for the trip and also has a duty of care responsibility toward that employee while they are traveling for business. Data collected by the company and shared with Traxo is only used to track location and spending for the purpose of a business trip. Traxo does not sell user data, and only shares data with the third party providers that a company authorizes us to share on their behalf -- for example, your Duty of Care or Expense Management provider.
No other use of that data is permitted by the company or any other downstream sub-processors (“Data Processors” like TMCs, Duty of Care providers, Expense Management providers, or a service like Traxo). Thus, the need to secure employee consent to use that data for each business trip instance may be overruled by the company's legitimate interest and/or legal obligation in processing the data and its risk management obligations.
Many companies also mandate that all email activity conducted within corporate environments is subject to review by the company as part of employment and contractor agreements. Some clients may choose to share with employees that this feature is being used as a way to facilitate corporate travel management, including the benefit to employees by automating the process of capturing this data (i.e., employees don’t have to manually enter it).
Traxo suggests you consult with your legal counsel and share these details with them to determine the most appropriate interpretation of the consent requirements, in particular as relates to GDPR, and also consider your own corporate culture needs as relates to data transparency.
For more information on all the steps that Traxo takes to ensure the privacy of your data, see: https://www.traxo.com/eu-privacy
For reference:
● Legitimate Interest standard for GDPR - https://bit.ly/2DWmB8w
● Legal Obligation standard for GDPR - https://bit.ly/2NZnHpJ
Does Traxo see any personal (PII) data for travelers?
Traxo does not have visibility to sensitive PII data. The only personal information Traxo has visibility to is traveler name, their work email address, and potentially a travel loyalty account number. By comparison, this is significantly less PII information than what your TMC and expense management provider access on a regular basis.
What happens if the traveler receives personal bookings to their work email?
Traxo’s research finds that this is not only an infrequent practice but it is also declining as more suppliers support separate traveler “profiles” for business and leisure bookings (e.g., Uber for Business, Booking.com for Business, etc). Where that is supported by a given supplier, only business trips are processed. Additionally, the travel administrator can delete employee trips from Traxo if the trip is personal in nature.
For trips that contain both business and leisure components (i.e., "bleisure"), the corporation may still has a duty of care obligation toward that employee by virtue of the business travel component of the trip, and the company would still need to see those trip details. Furthermore, many clients we talk to believe this is a benefit to offer employees -- they know their company has their back if they run into trouble on a trip and need assistance.
Many clients we work with have chosen to communicate to their employees how this trip data may be processed, so the employee is aware that, should they choose to send personal trip details to their company email, the company may see that detail. This is typically covered in the company's travel policy and/or Acceptable Use policy for usage of company resources.
Wrapup
Traxo takes data privacy and security extremely seriously -- we would not be the solution of choice for some of the largest enterprise clients in the world, otherwise. If your IT Security, Legal, or Privacy teams have further questions about our processes, we encourage them to reach out to us to discuss how we address these issues.
We welcome questions, comments and feedback as well! Contact your Traxo sales rep for more information, or to schedule a demo and followup conversation regarding privacy and security processes.
