Cinnamon Travels

Trust Center

Security & Reliability Information

We take the security of our clients' data seriously. This page provides an overview of our security practices, infrastructure, and commitment to protecting sensitive travel information.

🔒 Encryption

All data in transit is encrypted via TLS 1.3. Data at rest is protected with AES-256 encryption standards.

✉️ Email Authentication

We strictly enforce SPF, DKIM, and DMARC (p=reject) policies to prevent spoofing and ensure domain integrity.

☁️ Infrastructure

Hosted on Amazon Web Services (AWS) in the US-East (Virginia) region with redundant failover capabilities for high availability.

📊 Monitoring

24/7 automated monitoring of email delivery rates, bounce rates, complaint rates, and system uptime. Anomalies trigger immediate alerts.

Security Practices

Access Controls

We implement role-based access controls (RBAC) to ensure that only authorized personnel can access sensitive systems and data. All administrative access requires multi-factor authentication (MFA). Access permissions are reviewed quarterly.

Data Protection

  • Encryption in Transit: All HTTPS and SMTP connections use TLS 1.3.
  • Encryption at Rest: All stored data is encrypted with AES-256.
  • Key Management: Encryption keys are managed through AWS Key Management Service (KMS) with automatic rotation.
  • Data Isolation: Client data is logically separated. No cross-client data access is possible.

Application Security

  • Input validation and output encoding on all user-facing interfaces.
  • CSRF (Cross-Site Request Forgery) protection on all form submissions.
  • Content Security Policy (CSP) headers to prevent XSS attacks.
  • Regular dependency audits and timely patching of known vulnerabilities.

Infrastructure Details

Cloud Hosting

Our platform is hosted on AWS (US-East-1, Virginia). We use redundant application servers behind a load balancer to ensure availability. Database backups are performed daily and stored in a separate availability zone.

Email Delivery

Transactional emails are routed through Mailgun (by Sinch) via authenticated SMTP relay. We use dedicated IP addresses for sending, allowing us to maintain full control over our sending reputation.

  • Average monthly volume: ~8,000 transactional messages.
  • Average complaint rate: < 0.05% (well below the 0.1% threshold).
  • Average bounce rate: < 2%.
  • Feedback loops actively monitored for all major ISPs.

Incident Response

In the event of a security incident affecting client data, we follow a structured incident response process:

  1. Detection & Triage (0–4 hours): Automated monitoring identifies anomalies. The on-call engineer assesses severity and scope.
  2. Containment (4–12 hours): Affected systems are isolated. Access is revoked for compromised credentials.
  3. Notification (within 72 hours): Affected clients are notified via email and phone within the GDPR-mandated 72-hour window. Supervisory authorities are notified as required.
  4. Remediation (1–7 days): Root cause analysis is performed. Patches are deployed. A post-incident report is shared with affected clients.
  5. Review (within 30 days): Lessons learned are documented. Security controls are updated to prevent recurrence.

Logging & Audit Trail

  • Email Delivery Logs: Every sent, delivered, bounced, and opened event is logged with timestamps. Retained for 90 days.
  • Platform Access Logs: All logins, API calls, and administrative actions are logged. Retained for 12 months.
  • Change Management: All infrastructure changes are tracked and require approval from at least one senior engineer.

Compliance

We are committed to compliance with the following regulations and standards:

  • GDPR: We process personal data in accordance with the General Data Protection Regulation. We maintain Data Processing Agreements (DPAs) with all clients and sub-processors.
  • CCPA: We comply with the California Consumer Privacy Act for California residents.
  • CAN-SPAM Act: All transactional emails comply with the CAN-SPAM Act, including accurate sender identification and functional unsubscribe mechanisms.
  • CASL: We comply with Canada's Anti-Spam Legislation for Canadian recipients.

Responsible Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue in our platform, please report it to our security team:

Email: security@cinnamon-travels.com

When reporting, please include:

  • Description of the vulnerability and its potential impact.
  • Steps to reproduce the issue.
  • Your contact information for follow-up.

We commit to acknowledging receipt within 48 hours and providing an initial assessment within 5 business days.

Contact

For security inquiries or compliance questions:

Cinnamon Travels Worldwide, LLC
1601 Dodge Street, Suite 3700
Omaha, NE 68102
Security: security@cinnamon-travels.com
General: info@cinnamon-travels.com
Phone: +1 (402) 555-0198

© 2026 Cinnamon Travels Worldwide, LLC. All rights reserved.