Secure by Design

FairFly has a best-in-class position when it comes to data security and privacy. As we operate across multiple jurisdictions we regularly conduct security audits in order to give our customers assurance that their data is safe and secure. 

Cybersecurity Posture

Amazon Web Services

FairFly has a long-standing partnership with Amazon Web Services in order to maintain the highest levels of data security. Some of the key highlights that this flexible partnership offers are:

Data encryption in transit and at rest

This means that not only when we store sensitive customer data but also when we are receiving it or sending it back to your TMC, the data is fully encrypted to ensure it cannot be read or used by any third party.

Multiple backup sites

FairFly has contracted multiple data storage back-up locations so that in the event of even multiple server failures we can continue to function without impacting uptime.

Distributed Denial of Service (DDoS) protection

Amazon CloudFront & Route 53 are used in combination so that no external actor can significantly impact FairFly’s performance whilst working with your data or when our systems are connected to your TMC or the GDS.

Least privilege principle

All FairFly software operates in the cloud and we operate a principal that users, programs, or processes only have the bare minimum access levels in order to perform their function. This reduces the likelihood by a large margin that errors impact business performance.

Amazon Web Service Security

ISO 27001 Certified

ISO 27001 is an international standard of how to manage information security and ensures FairFly maintains the highest standards of data security. FairFly regularly undergoes independent auditing of our security processes, procedures and infrastructure. This is done to ensure that we maintain best-in-class status and continue to improve our practices.

What is audited?

    • Security Policy
    • Organization of information security
    • Asset management
    • Human resources
    • Physical and environmental security
    • Communications and operations management
    • Access Control
    • Information systems acquisition, development and maintenance
    • Information security incident management
    • Business continuity management
    • Compliance

What controls do we have in place?

    • Information security policies (2 controls)
    • Organization of information security (7 controls)
    • Human resource security – 6 controls that are applied before, during, or after employment
    • Asset management (10 controls)
    • Access control (14 controls)
    • Cryptography (2 controls)
    • Physical and environmental security (15 controls)
    • Operations security (14 controls)
    • Communications security (7 controls)
    • System acquisition, development and maintenance (13 controls)
    • Supplier relationships (5 controls)
    • Information security incident management (7 controls)
    • Information security aspects of business continuity management (4 controls)
    • Compliance; with internal requirements, such as policies, and with external requirements, such as laws (8 controls)


Personally Identifiable Information

As we work with travel data it is vital that we protect the security of traveler data at all times. In order to do so, FairFly has built-in encryption and anonymization processes in place.

  • When we receive data from the GDS or TMC that contains PII –  it is completely anonymized before it is stored or used in FairFly systems
  • No PII is stored in databases, logs, or debug records so cannot be accessed by our team or any third party
  • FairFly uses a one-way hashing and salting function to ensure that it cannot possibly be reversed
GDPR Compliant

Global Data Protection Law Compliance

FairFly is a global-first platform and implements the highest standards in privacy which are designed to comply with all applicable legislation. We adhere to the following standards:

    • General Data Protection Regulation, European Union but implemented in national acts of legislation
    • California Consumer Privacy Act (CCPA), United States
    • Lei Geral de Proteção de Dados (LGPD), Brazil
    • Protection of Personal Information, Japan
    • Personal Information Protection Act, South Korea
    • Thailand Personal Data Protection Act (PDPA), Thailand