Ellison Travel & Tours Data Privacy and Protection Policy
This document explains Ellison Travel & Tours’ protocol related to data security requirements. Ellison Travel & Tours is committed to protecting the data of all parties involved in any transaction with our business. Ellison Travel & Tours is compliant with regulations including PCI DSS to protect sensitive data and all employees must be PCI DSS trained and certified. As well, all employees are required to adhere to the policies described within this document.
For the purpose of doing business, Ellison Travel & Tours needs to collect, use and store information related to customers, suppliers, business contacts, employees and other people the organization has relationships with or may need to contact.
Guidelines and Data Storage
- Employees will follow all policies and procedures to keep data secure.
- Data will not be shared informally either internally or externally.
- Sensitive or personal data will not be disclosed to unauthorized people within the company or externally.
- Ellison Travel & Tours will only share data that is necessary for the purpose of doing business with a third-party. For example, the date and time of a group visiting a restaurant or list of travelers staying in a hotel or buying flight tickets.
- Employees must never share their password and only strong passwords must be used.
- Sensitive data stored on paper must be kept in a secure place where unauthorized people cannot see it. When this information is not required it must be kept locked in a cabinet.
- Employees are required to follow the company’s ‘clean desk policy’. Only items needed for the day shall be kept on the desk. All other documents must remain in the cabinets and out of sight.
- Data stored on paper must be kept in a secure place where unauthorized people cannot see it. When not required it must be kept locked away in a cupboard or safe.
- Sensitive data printouts should be shredded and disposed of when no longer required.
- Data can only be stored in our servers or cloud services approved by the company.
- Data should never be saved directly to laptops or mobile devices without using our deployed systems.
- Non-personal data may be used as samples such as itineraries.
Ellison Travel & Tours must follow the invoicing guidelines specified by TICO (Travel Industry Council of Ontario) rules and regulations.
Personal data may be disclosed to law enforcement agencies without consent as per legislation. Relevant data must be stored as required by laws including the income tax act or by regulatory agencies such as TICO (Travel Industry Council of Ontario) or IATA (International Air Transport Association). Currently, we are required to keep data for at least 7 years.
Ellison Travel & Tours follows best practices and regulations to maintain and protect all systems and keep them up to date. We perform regular penetration testing, phishing testing, and security patch updates are applied at least within 30 days. Antivirus and anti-spyware constantly monitor our network and workstations.
We utilize Microsoft Office 365 cloud-based service for email and files. Microsoft is not allowed to use the data for any other purpose other than supporting the service. Under no circumstance will Microsoft share data with marketing companies or mine data for advertising. Their policy is backed by agreement and practice for cloud private ISO-IEC 27018. Cloud data is stored in Canadian compliant datacenters which never leave Canada.
We use PCI DSS certified third-party company (Moneris) processing for online payment credit card information.
Data is backed up daily; both locally to servers located in our secure main office and to a secure Cloud hosted only in Canada, by Barracuda Networks. Backup servers are stored in a secure place under lock and key. Our Microsoft Office 365 accounts use Cloud-to-Cloud Backup is a SaaS solution maintained and operated in the Barracuda Cloud. Barracuda Cloud storage is SOC 2 Type-II audited and undergoes annual third-party audits.
Employees connect to our servers using SSL VPN Techology provided by Barracuda. Microsoft Remote Desktop Services allows employees to access company resources using 128-bit encryption/RC4 encryption algorithm.
Sabre booking software, handles all the booking transitions using their proprietary 128-bit encrypted SVPN.
End-of-life computer drives are permanently erased (destroyed) and dropped off at secure local e-waste recycler.
This policy will be reviewed at least annually.
Policy last reviewed: April, 2021.