Privacy and Security Overview

The Flip.to platform takes several measures to ensure data is securely collected and remains private, and is compliant with GDPR, CCPA, ADA and others.


Architecture

The Flip.to platform is hosted on Microsoft Azure—Microsoft’s Cloud Platform.

Microsoft Azure runs in geographically dispersed datacenters and meets a broad set of international and industry-specific compliance standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2, as well as country-specific standards like Australia IRAP, UK G-Cloud, and Singapore MTCS.


Data Handling

Data Scope

Data collected is limited in scope to the most basic traveler information and is configured by the customer. Flip.to does not have access to, collect or use any traveler’s financial information.

Data Transfer

All data transfers between the transaction engine and Flip.to are encrypted over a secure connection (HTTPS). Breached encryption protocols are disabled at the server level, requiring all client browser transmission to be done over a trusted protocol.

Data Access

Flip.to maintains a strict security policy to ensure that users can only access and manipulate data based on the permissions granted to them.

Data Ownership

All data collected by Flip.to is solely owned by customers, and Flip.to can only use data on behalf of its customers. Data is not shared among customers or transferred to any third party without explicit consent of the relevant customer.

Data Usage

All data collected by Flip.to is subject to the rules and regulations of the country's or region's laws regarding email usage. Customers are responsible for complying with all usage information that is collected regarding email addresses in future marketing. Flip.to will work with customers to ensure collection of the data is compliant with the rules and regulations of the country's or region's laws regarding email usage. However, it is incumbent on the customer to honor the usage of the data.

PII Data Collection

Personal Data is any information that relates to an identified or identifiable individual. Personal Data can be collected from a third party (for instance, the transaction engine) or can be provided by travelers, such as:

  • When a traveler submits a form while planning their trip, Flip.to receives their first name and email address.

  • When a traveler completes a transaction, Flip.to receives their full name, email address and reservation number.

  • When a traveler submits a story, Flip.to receives their photo, quote and caption.

  • When a traveler shares plans or their story to their social networks, Flip.to receives their social network account ID and the post ID (if available).

  • When a social connection of a traveler submits a form, Flip.to receives their full name and email address.

PII Data Usage

Personal Data received is only used on behalf of the customer. Flip.to does not distribute or sell Personal Data to third parties.


Data Protection

Infrastructure Level Controls

  • Utilizing Azure Defender to protect against irregular activity & vulnerabilities.

  • Automated server patches, anti-malware and anti-virus.

  • DDoS Protection.

  • Using Auditing & Threat Detection.

  • Access to the servers requires two-step verification (also known as two-factor authentication), and can only be performed from authorized locations.

  • Clear separation between web and database servers, the latter only being accessible by the application within the confines of the datacenter network.

  • Flip.to employees are uniquely identified when accessing confidential information and are given limited access to only the accounts that they are actively managing.

  • Public access to Flip.to web servers and communication can only be established with common Internet ports (80 and 443).

  • Sensitive data stays within Azure and doesn't cross any network boundaries. This data is always encrypted when stored.

  • All communications over the App Service are encrypted.

Database Level Controls

  • Using SQL Azure for additional protection.

  • Using Auditing & Threat Detection.

  • Using ongoing Vulnerability Assessments.

  • Backups are secured and encrypted.

  • Short-term point-in-time backups are stored for 35 days.

  • Long-term weekly backups are stored for 52 weeks.

  • Databases use Transparent Data Encryption (TDE).

Application Level Controls

  • Maintain documentation on overall application architecture, process flows, and security features.

  • Employ secure programming guidelines in the development of applications.

  • Multi-tier architecture, with each tier maintained with the minimum privileges possible.

  • Using the strictest security configurations available to Microsoft-based web applications.

  • Central authentication and authorization mechanism.

  • Encryption of sensitive information.

  • Central validation of all input based on strict guidelines of data type, format and content.

  • Central handling of untrusted uploaded images.

  • Central handling of errors and limiting the data being sent back to clients.

  • Limit cookie usage and cookie permissions, and use them for tracking only.

  • Forcing HTTPS for any sensitive data exchanged between client and server.

  • Central guards against injection attacks.

  • Central guards against click-jacking attacks on all pages not meant to be loaded inside an iframe.

  • Automated tests during the development process.

  • A mix of automated and manual tests once application updates are deployed.

Website & Booking Engine Integration Strategies

  • Details passed on the URL are encoded.

  • All data collected is passed to Flip.to over HTTPS.

  • All data passed to Flip.to is validated for syntax, format and content.

  • Data is validated against our backend to ensure authenticity.

  • Data sent back to client is directly from the backend, and does not include any information supplied from the original caller.


GDPR & CCPA Compliance

Flip.to is compliant with GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act), and is certified under the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Frameworks. It uses proactive measures to ensure that its customers employ best privacy practices to meet the strict privacy requirements while using the Flip.to platform.


ADA Compliance

All integrations and components of the Flip.to platform are designed to be accessible by all users, including individuals with sight, hearing, and other disabilities, adhering to the World Wide Web Consortium’s Web Content Accessibility Guidelines 2.0 Level AA (WCAG 2.0 AA).
