OUR POLICIES
Our policies are designed to guarantee the transparency, security and satisfaction of our clients when using our services. Information about our policies is provided below:
SECURITY POLICY:
At tripci, we are committed to guaranteeing the security of the personal information of our users and clients. This Information Security Policy sets out the principles and practices we follow to protect personal data and other information collected through our website and services. Our objective is to maintain the confidentiality, integrity and availability of information, as well as to prevent unauthorized access, inappropriate use, alteration or destruction of data.
We do collect personal data when you interact with us through the Site, we may collect personal data and other information from you in accordance with our Privacy Policy. Personal data may include, but is not limited to, information that you voluntarily provide by responding to surveys, participating in promotions, purchasing services, or registering to access our services.
Personal Data Protection We are committed to following industry best practices to protect personal data from misuse, alteration or destruction. We use encryption technology, such as SiteLock Security with Secure Sockets Layer (SSL).
1. Use of non-identifying information
When you interact with our Site, we receive and store certain non-personally identifiable information. This information is collected passively using various technologies and is used for statistical and analytical purposes, such as tracking the total number of visitors and pages viewed. No personal information is used in this process.
2. Use of cookies and local shared objects
We use cookies and local shared objects (flash cookies) to improve the functionality of the Site and analyze its use more accurately. Cookies help us remember your preferences and prevent you from having to enter information repeatedly. We only use cookies with your permission and you can manage them in your browser settings. Local Shared Objects are used to display personalized content and are also governed by your privacy settings.
3. Use of personal data and other information
We use the personal data you provide in accordance with our Privacy Policy. If you have provided us with personal data for a specific purpose, we will use it only in connection with that purpose. This includes responding to your inquiries, processing your requests for services, and providing you with access to our services.
4. Disclosure of personal data and other information
We do not sell your personal information to third parties. However, in certain circumstances, we may share your personal data with third parties without prior notice, as set out in our Privacy Policy. These circumstances include business transfers, related companies, agents and consultants, and legal requirements:
4.1. Sale of information: The Site is not authorized to sell users' personal information and considers that such information is essential to the relationship with them.
4.2. Business transfers: In the event of a corporate sale, merger, reorganization, dissolution or other similar event, users' personal data may be part of the transferred assets, as long as the protection of such information is guaranteed.
4.3. Related Companies: The Site may share users' personal data with related companies only for purposes consistent with this privacy policy.
4.4. Agents, Consultants, and Related Third Parties: In certain circumstances, the Site may contract with third-party companies to perform business-related functions, such as sending information, maintaining databases, and processing payments. These companies will only receive the information necessary to carry out their specific function and are committed to protecting and treating it in accordance with this policy.
4.5. Legal Requirements: The Site may disclose users' personal data if required to do so by law or if there is a good faith belief that such action is necessary to comply with a legal obligation, protect and defend the rights or property of the Site , act in urgent circumstances to protect the personal safety of users or the public, or protect against legal liability.
5. User Options
Users have the option to use the Site without providing any personal data. However, certain Site services may not be available if you do not provide such information.
6. Exclusions
6.1. Data not collected through the Site: This information security policy does not apply to any personal data collected by the Site other than personal data collected through the Site.
6.2. Unsolicited Information: The Information Security Policy does not apply to any unsolicited information provided to or through the Site. All unsolicited information will be considered non-confidential and may be freely used, disclosed and distributed by the Site.
7. Protection of children's data
The Site does not collect personal data from children under the age of 12. Parents and legal guardians are urged to monitor their children's Internet use and to instruct them not to provide personal data on the Site without their permission. If it becomes known that a child under the age of 12 has provided personal data to the Site, it is requested to contact the Site to have that data removed from the databases.
8. Links to other websites
This information security policy applies exclusively to the Site. The Site may contain links to third party websites. It is recommended that you contact those sites directly for information about their privacy and security policies.
9. Use of social networking services
The Site may provide access to third party social networking services. When you use these services, information is shared with the providers of those services, and such information is governed by the privacy policies and terms of service of the providers of social networking services. You are encouraged to review and adjust the privacy settings on these services to control the disclosure of information.
10. Security measures
The Site implements reasonable measures to protect personal data provided through the Site from loss, misuse, unauthorized access, disclosure, alteration, or destruction. However, you are cautioned that no transmission over the Internet or e-mail is completely secure or error-free. The Site advises caution when sending information by email and when disclosing personal data over the Internet.
11. Other terms and conditions
Access to and uses of the Site are subject to additional terms and conditions posted on the Site.
12. Changes in the information security policy
12.1. Reserve of Right: We reserve the right, at our sole discretion, to change or modify portions of this Information Security Policy at any time.
12.2. Notification of Changes: In case of making material changes in the Information Security Policy, they will be published on the Site and the date of the last revision will be indicated. In addition, users will be notified via pop-up notice, email, or other reasonable means.
12.3. Acceptance of Changes: Your continued use of the Site after making changes to the Information Security Policy constitutes acceptance of the new version. Users should periodically review the Information Security Policy to be aware of any changes.
13. Access to the information security policy
The Information Security Policy will be available for consultation at all times. Users may access a current and effective copy of the policy by selecting the "information security policy" link on the Site.
14. Liability and Compliance
All parties involved in the handling of personal data through the Site are responsible for complying with this Information Security Policy and for taking the necessary measures to guarantee the security and confidentiality of the data collected.
15. Applicable law
This information security policy will be governed and interpreted in accordance with the laws in force in the Dominican Republic, Santo Domingo.
16. Contact
If users have any questions, concerns, or requests related to information security or personal data protection, they may contact the Site through the contact channels provided on the Site.
17. Validity
This information security policy enters into force as of its publication date and will be kept updated in accordance with the changes and modifications that are made.
NETWORK SECURITY POLICY:
At our organization, we are committed to ensuring the security of our customers' personal information and following industry best practices to protect it from misuse, alteration, or destruction. To achieve this, we have established a Network Security Policy that addresses the following aspects:
1. Protection of personal information:
• We implement technical and organizational measures to protect our customers' personal information against unauthorized access, disclosure or alteration.
• We use robust technologies such as SiteLock Security with Secure Sockets Layer (SSL), Malware Scan, Spam Scan, Vulnerability Scan.
• Our provider (Azul) stores credit card information with AES-256 encryption, guaranteeing a high level of security in the storage of sensitive data.
• Our payment service provider Azul is the one we use to manage payment processes. Azul complies with rigorous security and encryption standards to ensure the protection of your information. When using Azul's services, only the information necessary to securely complete the required payment process will be collected. To gain a more detailed understanding of how Azul handles your information, we strongly encourage you to review its Privacy Policy. Our company is committed to working with trusted partners who are dedicated to safeguarding the security and privacy of our customers' data. More details https://www.azul.com.do/Pages/es/preguntas-frecuentes.aspx
2. Compliance with security standards:
• We are committed to complying with all the requirements of the Payment Card Industry Data Security Standard (PCI-DSS). This includes implementing appropriate security controls to protect credit card data.
• We conduct regular system and network security assessments to identify and address potential vulnerabilities.
3. Access and authentication:
• We establish access controls to ensure that only authorized personnel can access customers' personal information.
• We use strong password policies and recommend multi-factor authentication to protect user accounts and prevent unauthorized access.
4. Monitoring and detection of threats:
• We implement network monitoring and intrusion detection systems to quickly identify and respond to any suspicious activity or unauthorized access attempt.
• We maintain logs of network activity and review them regularly to detect potential security incidents and take corrective action in a timely manner.
5. Training and awareness:
• We provide regular education and training to our staff on network security practices and the importance of protecting our customers' personal information.
• We foster a culture of security throughout the organization, where all employees are responsible for protecting information and reporting any security incident.
6. Management of security incidents:
• We have a security incident management process to respond effectively and in a timely manner to any security incident that may affect the network or our customers' personal information.
• We will transparently communicate any significant security incident to customers and take steps to mitigate risks and prevent future similar incidents.
This Network Security Policy will be reviewed periodically to ensure that it remains effective and in line with changes in technology and security best practices. Our objective is to guarantee the confidentiality, integrity and availability of our clients' personal information, providing a safe and reliable environment to carry out transactions.
ACCESS POLICY AND ACCESS CONTROL:
a. Physical and logical access controls:
i. We implement physical access controls, such as locks, video surveillance systems and access controls, to protect the areas where payment card systems and data are located. Physical access is only allowed to authorized personnel.
ii. We implement logical access controls, such as authentication mechanisms, to ensure that only authorized team of employees have access to payment card systems and data.
b. Unique IDs and passwords:
i. Our workforce has unique IDs that uniquely identify them in the system. These IDs are to be assigned individually and are not shared with other users.
ii. We have strong password policies in place, including requirements for length, complexity, and frequency of change. Passwords are confidential and are not shared with other users.
c. Principle of least privilege:
i. Access privileges are assigned according to the principle of least privilege. This means that in our workforce they only have the necessary permits to carry out their job functions. We avoid under all circumstances excessive or unnecessary privileges that may increase the risk of unauthorized access or misuse of payment card data.
ii. Access privileges are reviewed and updated as necessary, based on changes in users' job responsibilities.
d. Management of changes and updates:
i. We have established procedures to manage changes and updates related to access controls. This includes the periodic review and update of access and control policies, as well as the implementation of changes in systems and applications that improve the security of payment card data.
ii. Changes in access privileges are duly documented and approved by authorized managers before implementation.
e. Training and awareness:
i. All of our workforce must receive regular training on access policies and access control, as well as security best practices related to payment card data.
ii. We promote awareness activities to foster a security culture in the handling of payment card information, highlighting the importance of protecting the confidentiality and integrity of the data.
f. Audit and monitoring:
i. Our vendors have auditing and monitoring mechanisms in place to detect and record suspicious or unauthorized activity on payment card systems and data.
ii. Audit and monitoring logs are regularly reviewed to identify potential security breaches and take timely corrective action.
This Access Control and Access Policy is periodically reviewed and updated to keep up with security best practices and applicable regulatory requirements.
PHYSICAL SECURITY POLICY:
a. Systems and data protection:
i. The physical systems of tripci do not store payment card data. Similarly, we implement physical security measures to protect customer systems and data from unauthorized access, theft or damage. This includes the protection of physical storage devices, servers, and any other components involved in data storage or processing.
ii. We have established safeguards to prevent unauthorized physical manipulation of the systems and devices used to handle payment card data.
b. Restriction of areas:
i. Areas where payment card data is processed or stored are restricted and accessible only to authorized personnel. These areas are clearly marked as restricted areas and should only be accessible through appropriate access control mechanisms.
ii. We implement electronic locks, alarm systems and security cameras to protect sensitive areas where payment card systems and data are located.
c. Access control:
i. We have established appropriate access control mechanisms to limit and monitor entry into areas where payment card data is processed or stored. This may include the use of identification cards, access credentials, PIN codes or biometric authentication systems.
ii. We implement policies and procedures for the registration and control of visitors to sensitive areas. Visitors must be supervised and escorted at all times while in such areas.
d. Monitoring and surveillance:
i. We install security camera systems to monitor and record activities in areas where payment card data and systems are located. These systems must be operational and have the ability to securely store recordings for an appropriate period of time.
ii. Surveillance recordings are reviewed periodically to detect possible security incidents and take appropriate action in case of detection of suspicious activities.
e. Maintenance of equipment and devices:
i. Equipment and devices used for payment card data processing or storage are properly maintained and regularly inspected. Any damage or malfunction is reported and repaired in a timely manner to ensure its integrity and availability.
ii. We have policies and procedures for the safe removal and disposal of obsolete or obsolete equipment and devices that contain payment card data. These devices are to be disposed of following established security practices and complying with applicable regulations.
This physical security policy is communicated and trained to all employees and authorized personnel, and regular reviews are conducted to ensure compliance and stay current in response to changing technologies and security threats.
SECURE APPLICATION DEVELOPMENT POLICY:
In our organization, the security of payment card data is a top priority. This secure application development policy aims to ensure that all applications that process or store payment card data meet the highest security standards during development and production. Through this policy, we are committed to safeguarding the confidentiality, integrity and availability of our clients' confidential information and guaranteeing protection against possible vulnerabilities and threats.
1. Compliance with security best practices:
1.1. All applications developed in our organization that handle payment card data must follow security best practices at every stage of their development.
1.2. Our development team will ensure proper security controls are in place, such as user authentication, data encryption at rest and in transit, and proper access management.
1.3. Protection measures will be established against common threats, such as SQL injection attacks, cross-site scripting (XSS) and cross-site request forgery (CSRF), among others.
2. Security testing and code reviews:
2.1. Before an application is deployed to production, extensive security testing will be conducted to identify and fix potential vulnerabilities and weaknesses.
2.2. Our development team will perform regular code reviews to ensure that security best practices are followed and that there are no potential security gaps.
23. Security testing will be conducted using industry-recognized tools and methodologies.
3. Responsibility of the development team:
3.1. The development team will be responsible for ensuring the effective implementation of security measures in all applications that deal with payment card data.
3.2. Each member of the development team will receive regular education and training on application security issues to enhance her knowledge and skills in this field.
3.3. A security culture will be fostered in the development team, promoting security awareness and responsibility.
4. Update and continuous improvement:
4.1. This policy will be regularly reviewed and updated to ensure that it is aligned with the latest security standards and industry best practices.
4.2. We are committed to continually improving our secure application development processes to meet emerging security challenges and effectively protect our customers' payment card data.
Our secure application development policy ensures that all applications that handle payment card data follow rigorous security measures and are extensively tested to identify and fix vulnerabilities before deployment. Our goal is to protect our customers' confidential information and maintain their trust.
RETURN POLICY AND PENALTIES FOR CANCELLATION
We understand that unforeseen situations may arise that require the cancellation of a reservation made through our platform. Our return policy and cancellation penalties are detailed below to provide clarity and transparency to our users:
1. Responsibility of the user:
a. It is the responsibility of the user to read and understand the cancellation policies of each reservation before making the corresponding electronic payment.
b. By making the electronic payment, the user accepts the cancellation policies established for that particular reservation.
2. Amounts to be reimbursed:
a. The amounts to be reimbursed for cancellations will be specified in the cancellation policy corresponding to each reservation.
b. Refundable amounts may vary depending on the number of days remaining before the scheduled entry date.
c. Our policy seeks to be fair and equitable, taking into account the commitments and costs associated with managing reserves.
3. Fees for Electronic Transactions:
a. The charges for electronic transactions, equivalent to 5% of the reservation payment, will not be refunded under any circumstances.
b. These charges are directly related to the payment method used and not to the reservation itself.
4. Free cancellation and refund:
a. In cases where the cancellation policy allows a free cancellation and refund, the user must directly cancel their reservation through our platform.
b. Subsequently, you must request the refund by sending an email to info@tripci.com, providing all the necessary information of the reservation you wish to cancel.
c. The refund request will be carefully reviewed to ensure compliance with the cancellation policies established in the corresponding reservation.
5. Communication and transparency:
a. We are committed to providing clear and accurate information about our cancellation policies before users make the payment.
b. Our customer service team is available to answer any questions or clarifications related to the cancellation and refund policies.
Remember that these refund policies and cancellation penalties are designed to ensure proper management of reservations and maintain the quality of our services. We recommend that you carefully read the cancellation policies of each reservation before making the payment to avoid misunderstandings or inconveniences in the future.
If you have any additional questions or need more information, feel free to contact our customer support team. We will be happy to assist you and provide you with the necessary information so that you enjoy a satisfactory experience with us.
INCIDENT MANAGEMENT POLICY:
q. Incident Management Process:
i. We have established a formal incident management process that defines the steps to be taken to detect, respond to, and mitigate any security incident involving payment card data.
ii. The process includes the designation of a Security Incident Response Team (CSIRT) tasked with coordinating and executing the actions necessary to address incidents.
b. Incident documentation:
i. All security incidents involving payment card data are fully and accurately documented. This includes the collection of information about the nature of the incident, the potential impact, the actions taken and the results obtained.
ii. Incident records must be maintained in a secure manner and accessible only to authorized personnel. These records will serve as the basis for further analysis and decision making to prevent similar incidents in the future.
c. Prevention of recurrences:
i. After the resolution of an incident, steps must be taken to prevent its recurrence in the future. This involves identifying the root causes of the incident and taking corrective actions to address the deficiencies or vulnerabilities that allowed it.
ii. Existing security policies, procedures, and controls should be reviewed and updated based on findings and lessons learned from past incidents.
d. Security breach notification:
i. In the event of a security breach involving payment card data, affected cardholders and appropriate authorities must be promptly notified, following applicable legal and regulatory requirements.
ii. The notification must include a description of the incident, the potential impact on cardholders, actions taken to mitigate the effects, and recommendations to guard against possible negative consequences.
e. Coordination with interested parties:
i. During incident management, it is important to maintain effective communication with relevant stakeholders such as cardholders, payment processing service providers, regulatory authorities, and legal teams.
ii. Clear and defined communication protocols must be established to ensure a coordinated and efficient response to security incidents.
f. continuous improvement:
i. Incident management should be part of a continuous improvement approach to security. Periodic assessments of the incident management process should be conducted, policies and procedures reviewed and updated as necessary, and simulation exercises and tests conducted to improve incident response capability.
It is important to note that all our policies are constantly being reviewed and that they can be updated at any time. As soon as any update is made, you will be notified.