PART 2 – SECURITY MEASURES
Last Updated: 19 November 2024
SECTION 1: ACCESS TO EXPEDIA PERSONAL DATA, EXPEDIA INFORMATION, NETWORKS, OR FACILITIES
SCOPE OF SECTION 1: If Company has access to Expedia Personal Data; Expedia Information; Expedia networks (including without limitation, if Expedia is providing a data feed or other information to Company via the internet or vice-versa); or Expedia facilities (e.g., Personnel of Company will be performing services at an Expedia facility), Company will, at a minimum, comply with the provisions in Section 1:
1.1 INFORMATION SECURITY PROGRAM
1.1.1 Information Security Risk Management Process
Company must have an established process that periodically assesses information security risk within the organization that has access to Expedia Information.
1.1.2 Information Security Policy
Company must have a documented information security policy, approved by appropriate management or governance committee and reviewed periodically, which defines responsibilities for protecting information assets. Policies shall be based upon industry best practices, addressing areas such as asset management, Personnel security, physical, environmental, equipment, and media security, communications and operations management, access controls, information systems development and maintenance, incident management, business continuity management, and compliance.
1.1.3 Organization of Information Security
Company must document, adopt, and enforce compliance with Company information security requirements, policies, standards, and procedures. Company must provide Expedia with a point of contact for escalation of all information security matters; if no such contact is provided, Expedia will communicate with the relationship or account manager designated by Company. For communications from Company to Expedia, unless Expedia designates otherwise in writing, the relationship or account manager is the point of contact for escalation of all information security matters, copied to the security email address set out in the Agreement. Any third-party access to Expedia Information on behalf of Company that is required to provide the Services under this Agreement is conditional on Company ensuring that downstream third-party and outsourced service providers comply with these Requirements, or with requirements substantively similar to these Requirements, when working with Expedia Information on behalf of Company.
1.2 ASSET MANAGEMENT, CLASSIFICATION, AND HANDLING
1.2.1 Asset Management and Classification
Company must establish and maintain a managed and up-to-date inventory of Company assets that have access to Expedia Information. Company must define and maintain an information classification process that specifies appropriate security and handling controls based upon defined classifications. Company must anonymize and/or pseudonymize Expedia Personal Data, using industry standard practices, where required by applicable laws and regulations or by Expedia. If Company requires access to Expedia networks and utilizes non-Expedia owned equipment to connect with Expedia networks, Expedia has the right to conduct industry standard security configuration checks before permitting connectivity. Assets that do not meet connectivity requirements will not be granted access and may require modifications by Company to meet Expedia’s security compliance requirements including, but not limited to, custom configurations and settings, O/S hardening, patching, security agents, and mobile security code (such as anti-virus and authentication certificates).
1.2.2 Handling Expedia Information
- All Expedia Information must be encrypted in transit.
- Expedia Highly Sensitive Information must be encrypted at rest.
- All other Expedia Information must be encrypted or secured in a Protected Environment with limited access when at rest.
1.3 PERSONNEL AND HUMAN RESOURCES SECURITY
1.3.1 Background and Screening Check
To the extent allowed by local law and prior to employment, Company must conduct employee and contingent staff background screening commensurate with the level of access provided, including criminal, financial, and/or employment background screening. Background checks must be completed, and the results deemed satisfactory by Company, prior to the employee or contractor being assigned to perform services for Expedia where those services will involve having access to Expedia Information. Individuals whose background checks reveal convictions for violations including but not limited to computer crimes, fraud, theft, identity theft, or excessive financial defaults must not be permitted access to Expedia Information. Upon request and to the extent allowed by local law, Company will provide written confirmation that screening has been conducted and the results deemed satisfactory.
1.3.2 Security Awareness and Education
Anyone who has access to Expedia Information must complete information security awareness and privacy awareness training, annually. The training must educate employees and contingent staff on all applicable policies, procedures, and standards and the responsibility to secure confidential information and personal data such as Expedia Information. Company shall be responsible for providing and verifying successful training of all Company employees and contingent staff. Successful completion of Expedia's online information security awareness training is mandatory for anyone with credentials to access the Expedia corporate network. Company must require employees to acknowledge, in writing or electronically, that they have completed all required training, and have read, understand, and agree to abide by all applicable security policies and procedures. Upon request, Company must provide written confirmation that training has been completed.
1.4 PHYSICAL, ENVIRONMENTAL, EQUIPMENT, AND MEDIA SECURITY
The following provisions apply to physical facilities owned or leased by Company. Where a third-party facility and/or equipment is used to access, process, or store Expedia Information (such as data center providers), Company assumes the responsibility for carrying out appropriate due diligence to ensure that such third-party has implemented and maintains the controls below.
1.4.1 Company must implement controls that restrict unauthorized physical access to areas containing equipment used to access Expedia Information. Company must monitor all areas containing equipment used to access Expedia Information for attempts at unauthorized access. All secure areas must be enclosed by a perimeter that will deter unauthorized Personnel from gaining access. Personnel working in secure areas must be easily identified as authorized to work in that area. Company must implement and maintain processes to verify that only authorized Personnel with an approved business need may be permitted to work in secure areas. Company must not allow visitors access to secure areas unescorted. Company must ensure proper disposal of all Expedia Information using industry standard practices such as, but not limited to, appropriately secured containers for shredding.
1.4.2 Company must only store Expedia Information in locations that will be protected from natural disasters, theft, unlawful and unauthorized physical access, problems with ventilation, heat or cooling, and power failures or outages. Company must implement controls to prevent or detect the removal of any equipment involved in accessing Expedia Information. For purposes of clarity, this provision relates only to permanent storage facilities. Portable media controls are listed below.
1.4.3 If Company is contractually permitted to take Expedia Information off-site in any format, soft or hard copy, Company must in all cases take steps to protect such Expedia Information from unauthorized disclosure. Expedia Information must not be transmitted to unauthorized external services/companies for transfer, storage, or backup. When not in use, Expedia Information must be secured or locked away.
1.4.4 When the use of Company-supplied removable or portable data storage media is authorized by Expedia to store or access Expedia Information, the media must be encrypted to industry-standard levels or similarly protected.
1.4.5 Company must configure a password-protected inactivity timeout of fifteen (15) minutes, maximum, on workstations or laptops used to store or access Expedia Information.
1.4.6 Company must have processes in place to return or completely destroy Expedia Information upon request, in any format in which it is stored, soft or hard copy, and must not allow Personnel to discard any media containing Expedia Information except by secure methods that completely destroy the data.
1.5 COMMUNICATIONS AND OPERATIONS MANAGEMENT
1.5.1 Operational System Security
On all Company IT systems used to access, process, or store Expedia Information:
- Company must follow documented change management procedures. Company must ensure thorough testing of changes to IT systems to prevent negative security impacts.
- Company must establish repeatable controls to ensure secure configuration and system hardening, including changing default passwords and settings, and disabling of all unnecessary services/daemons, ports, and network traffic on all systems that connect to Expedia networks or access Expedia Information.
- Company must establish and maintain a patch management process for software (including open-source software and firmware) covering network devices, servers, and desktop/laptop computers, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. Company must deploy patches in a period commensurate with the criticality of the patch and sensitivity of Expedia Information accessed. Critical security patches must be installed within one month of their release.
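The risk ranking and deadline tracking described in the patch management bullet above is the kind of thing that is easiest to get wrong in a spreadsheet. The following is an added example of an SLA check written for this page; it is not Expedia's or any vendor's code. It uses the CVSS v3.x qualitative severity bands published by FIRST to derive the ranking, takes "one month" for critical patches as 30 days, and assumes illustrative deadlines for the other severities (the clause only fixes the critical one). The findings, host names and advisory identifiers are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

def rank_from_cvss(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity band (FIRST specification)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"

# Days allowed between patch release and installation. Only the critical value
# (one month, taken as 30 days) comes from the clause above; the other values are
# assumed illustrative targets and would be set by the Company's own policy.
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}

@dataclass
class Finding:
    host: str            # constructed host name
    advisory: str        # hypothetical advisory identifier, not a real CVE/bulletin
    cvss: float
    released: date       # date the vendor released the fix
    installed: Optional[date] = None   # None means the patch is still outstanding

def evaluate(findings: List[Finding], today: date) -> List[dict]:
    """Return one status row per finding.

    status is one of:
      ok      - installed on or before the deadline
      late    - installed, but after the deadline (SLA breach, already remediated)
      open    - not installed, deadline not yet reached
      overdue - not installed and the deadline has passed
    """
    rows = []
    for f in findings:
        severity = rank_from_cvss(f.cvss)
        deadline = f.released + timedelta(days=SLA_DAYS.get(severity, 0))
        if f.installed is not None:
            status = "ok" if f.installed <= deadline else "late"
        else:
            status = "open" if today <= deadline else "overdue"
        rows.append({"host": f.host, "advisory": f.advisory, "severity": severity,
                     "deadline": deadline, "status": status})
    return rows

def breaches(findings: List[Finding], today: date) -> List[dict]:
    """Rows that need action or a recorded exception: overdue and late findings."""
    return [r for r in evaluate(findings, today) if r["status"] in ("overdue", "late")]

# Constructed sample inventory for the example.
SAMPLE_FINDINGS = [
    Finding("web-01", "EXAMPLE-2024-001", 9.8, date(2024, 10, 1), date(2024, 10, 20)),
    Finding("web-02", "EXAMPLE-2024-001", 9.1, date(2024, 10, 1), None),
    Finding("db-01",  "EXAMPLE-2024-002", 7.5, date(2024, 10, 15), None),
    Finding("jump-01", "EXAMPLE-2024-003", 5.0, date(2024, 7, 1), date(2024, 10, 15)),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_FINDINGS, date(2024, 11, 19)):
        print(row)
```

Running it with a review date of 19 November 2024 reports web-01 as ok, web-02 as overdue (a critical fix released 1 October that is still outstanding), db-01 as open (a high finding inside its assumed window), and jump-01 as late. The late status matters for audit purposes: the host is patched, but the record of the missed deadline should survive for the compliance review rather than disappear once the patch lands.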
1.5.2 Malware Protection
Company must deploy, enable, and keep up to date malware protection that detects, removes, and protects against all known types of malicious software on all IT systems that access, process, or store Expedia Information. Company must ensure malware protection technology is configured to enable upon boot-up, set both automatic updates and periodic scans, and have logging enabled. Infected systems must be removed from the network until verified as virus-free.
1.5.3 Network, Operating System, and Application Control
All systems or networks connecting to Expedia networks and/or accessing Expedia Information must employ safeguard controls capable of monitoring and blocking unauthorized network traffic. Company must enable logging on network activity for audit, incident response, and forensic purposes. Where such controls are not available, systems or networks used to access Expedia Information must be physically or logically separate from other Company networks.
1.5.4 Logging of System Use
- Company must configure all Company systems used to access, process, or store Expedia Information to enable basic forensic accountability. In the case of an information security incident involving Company-supplied laptops, desktops, or removable or portable data storage media used to access, process, or store Expedia Information, Company must conduct a forensic analysis and, if Expedia Information has been impacted or is reasonably believed to have been impacted, provide the results to Expedia or Expedia’s representatives upon request, except when the incident involves the actual loss or destruction of the equipment or media.
- Company servers used to access, process, or store Expedia Information must maintain sufficient audit logging to enable forensic analysis, including logging of security events, connectivity to services and sessions, and modification to user and configuration settings. Audit logs must be maintained for a minimum of three months. In the case of an information security incident involving Company servers used to access, process, or store Expedia Information, and if Expedia Information has been impacted or is reasonably believed to have been impacted, Company must conduct a forensic analysis and provide the results to Expedia or Expedia’s representatives upon request.
1.6 ACCESS CONTROL
1.6.1 Expedia-Managed Environments
If Company requires access to Expedia Information and the data resides physically or logically within Expedia-managed environments, Company access will be subject to Expedia’s access management policies and procedures. Expedia must authorize all decisions for access to Expedia Information residing within Expedia-managed environments and, where applicable, its landlords’ or service providers’ managed environments. Company may not extend access to Expedia Information residing within Expedia-managed environments to third parties without prior written consent. Expedia reserves the right to monitor all systems used to access Expedia-managed environments. If Expedia provides equipment such as laptops used to access Expedia Information, the equipment will be subject to Expedia’s configuration and access management policies and procedures. Company must immediately notify Expedia in writing if a Company employee or Company subcontractor with access to Expedia-managed systems is terminated, no longer requires access to the Expedia account, or requires changes to the user account. Notification must include the person’s name and User ID and the accounts or systems the person has access to.
1.6.2 Remote Access Control
If Company requires remote network connectivity to Expedia-managed environments, such connectivity must always use Expedia-approved methods such as, but not limited to, SSL VPN when connecting. Expedia’s security policy will not allow connection from equipment without the capability of meeting Expedia’s security requirements for remote management, encryption, and authentication, such as current system patch levels, anti-virus software signatures and scanning engines, and personal firewalls.
1.6.3 Outside of Expedia-Managed Environments
If Company is accessing, processing, or storing Expedia Information outside of Expedia-managed environments, Company must have an access management process that includes account authorization and management, password management and authentication, and remote access controls. Company must not provide access to Expedia Information to any third party (including, without limitation, Company’s subsidiaries and affiliates, subcontractors, and any person or entity acting on behalf of Company) unless the access is necessary to carry out Company’s obligations under this Agreement; such third party is bound by the obligations that are at least of the same level as those set out in this Agreement, and, for personal data, such obligations must comply with the requirements of the Applicable Data Protection Law and requirements substantially similar to those set out in Expedia's Processor DPA in Part 4 of these Requirements. Company shall remain responsible for any breach of the obligations set forth in this Agreement to the same extent as if Company had directly caused such breach.
1.6.4 Company User Access Management
Expedia authorizes access to Expedia Information on a need-to-know basis. All user accounts used to access Expedia Information must be unique and clearly associated with an individual user. Company must ensure unique assignment of user IDs, tokens, or physical access badges provided to employee or contingent staff granted access to Expedia Information outside of Expedia-managed environments. Company must ensure all user/system/service/administrator accounts and passwords are never shared. Company is responsible for reviewing authorization privileges assigned to its employees and contingent staff on a cadence that is at least industry standard, to ensure that access is appropriate for the user’s functioning role. Access authorization should follow “principles of least privilege.” Company must provide and ensure that IT administrators use separate and unique accounts for administration and non-administration responsibilities. Company must ensure that procedures exist for prompt modification or termination of access rights in response to organizational changes.
1.6.5 Password Management and Authentication Controls on Company Systems
Company must ensure that systems with access to Expedia Information require complex passwords with reasonable expiration, reuse, and lock-out controls. Company must prohibit its users from sharing passwords. Company must encrypt authentication credentials during storage and transmission. Company must change passwords immediately for accounts suspected of compromise.
1.7 UNAUTHORIZED ACCESS TO EXPEDIA INFORMATION
Company shall not attempt to access, or allow access to, any Expedia Information which it is not authorized to access under this Agreement or associated Schedules/Statements of Work. If such access is attained, Company shall immediately terminate such access, report the incident to Expedia, describe in detail the Expedia Information accessed, and return or destroy any copied or removed Expedia Information upon Expedia’s instruction.
1.8 SECURITY INCIDENT MANAGEMENT
1.8.1 Company must establish and maintain procedures that ensure appropriate response to security incidents. Management procedures should address monitoring, investigation, response, and notification. Company must securely save evidence such as security logs for forensic analysis. Incident response plans must include methods to protect evidence of activity from modification or tampering, and allow for the establishment of a proper chain of custody for evidence.
1.8.2 Company must notify Expedia without undue delay, and in no event later than seventy-two (72) hours after becoming aware of a verified personal data breach, or of any verified compromise of information security, system abuse, and/or violation of information security policy involving Expedia Information; and must, at Company’s cost and expense, assist and cooperate with Expedia concerning any disclosures to affected parties and/or data protection authorities, and other remedial measures as reasonably requested by Expedia or required under applicable law.
1.8.3 Security notifications should be reported to the relationship manager or account manager via email with a copy to the Expedia security inbox as set out in the Agreement or otherwise communicated to the Company by Expedia in writing.
1.9 COMPLIANCE
Company information security policies and practices must comply with all applicable laws and regulations and contractual obligations to Expedia. Where local laws appear to prevent compliance with Expedia Information Security requirements, Company is responsible for notifying Expedia Group Security to determine appropriate compensating controls.
1.10 RIGHT TO AUDIT
1.10.1 Expedia shall have the right to conduct inspections, assessments and/or audits (e.g. questionnaires, phone interviews, and onsite reviews) as determined by the personal data involved, upon ten (10) days advance notice to Company, at a maximum of one (1) time per year, to evaluate compliance with these Requirements and Applicable Data Protection Laws. Company agrees to cooperate with Expedia or its assigned agents regarding such inspections, assessments and/or audits. Company, at its own cost, will promptly correct deficiencies in the Technical and Organizational Measures identified by Company or by Expedia. Each party shall bear their own reasonable costs of such inspections, assessments, and/or audits.
1.10.2 In addition to Expedia’s annual compliance audit, in the event of a verified personal data breach involving Expedia Personal Data, whether between or among Company's subsidiaries and affiliates or any other person or entity acting on behalf of Company, Company agrees, at its sole expense, to provide a mutually agreed upon independent third-party auditor, and any governmental authority acting pursuant to statutory powers, access for inspections, assessments and/or audits (e.g. via questionnaires, phone interviews, and onsite reviews), and with no less than ten (10) days advance notice to Company, including relevant and reasonable access to Company’s facilities, systems, records, procedures and business practices to the extent related to the personal data breach and the contracted products and services. The third-party auditors shall execute a mutually agreed-upon nondisclosure agreement with Company prior to commencing an audit. Any such audit may take place during the term of the Agreement and for a period of two years thereafter, shall occur during normal business hours and shall not unreasonably interfere with Company’s normal business operations. Company shall cooperate with third-party auditor’s agents regarding such inspections, assessments and/or audits. Any such audit reports shall be shared with Expedia, subject to redaction of information reasonably considered highly sensitive and therefore confidential by Company.
1.11 DELETION OR RETURN
Unless Expedia requests return of Expedia Personal Data prior to termination or expiry of the Agreement (whereupon such personal data shall be promptly returned to Expedia in machine readable format), upon such expiry or termination, Company will immediately delete all copies of Expedia Personal Data, save that, in the event that Company is unable to destroy Expedia Personal Data (due to backup or legal reasons), Company shall (a) continue to extend the protections of these Requirements to such data until such time that such Expedia Personal Data can be destroyed; and (b) immediately terminate any further processing of that Expedia Personal Data without Expedia’s express prior written consent, except where and to the extent required by applicable law.
SECTION 2: CODE OR SYSTEMS DEVELOPMENT AND MAINTENANCE
SCOPE OF SECTION 2: If Company’s services to Expedia include providing any software (whether developed by Company or by another third party), or where Company is providing Expedia with development services, Company will comply with the provisions in Section 2:
1.1 APPLICATION SECURITY
Company must not allow Expedia production data in any development, test, quality assurance (“QA”), or other non-production environment. If production-quality data is required for development or testing purposes, it must first be pseudonymized and/or anonymized to ensure the removal of all personal data elements, including name, SSN or equivalent, credit card numbers, etc. Company must ensure protection of Personal Data and Expedia Information that is stored in cache or cookies.
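Both 1.2.1 in Section 1 and the paragraph above require production data to be pseudonymized or anonymized before it can be used outside production. The following is an added example written for this page of how a pre-release check for a test dataset can be built; it is not Expedia's or any vendor's code. It uses keyed HMAC tokens so that identifiers stay consistent across tables (joins in the test environment still work) while the key stays in production, and it refuses to release the dataset if any raw identifier, SSN-shaped value or Luhn-valid card number survives. The records, field names and the secret are constructed for the example; in practice the key would come from a production secrets store that the non-production environment cannot read.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Constructed sample production extract (fictitious values; the card numbers are the
# well-known Visa/Mastercard test numbers, not real accounts).
SAMPLE_RECORDS: List[Dict] = [
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "ssn": "123-45-6789", "card_number": "4111111111111111", "booking_total": 412.50},
    {"customer_id": 1002, "name": "Bob Example", "email": "bob@example.org",
     "ssn": "987-65-4321", "card_number": "5555555555554444", "booking_total": 88.00},
]

# Fields that must never reach a non-production environment in clear form (assumed schema).
DIRECT_IDENTIFIERS = ("name", "email", "ssn", "card_number")

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")          # candidate card number
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")  # US SSN layout

def token(secret: bytes, field: str, value: str) -> str:
    """Keyed, deterministic pseudonym.

    Same (field, value) under the same key always yields the same token, so referential
    integrity across tables is preserved. Without the key the token cannot be reversed or
    recomputed, which is what makes this pseudonymization rather than plain hashing.
    The field name is mixed in so the same value in two fields gets different tokens.
    Hyphens every four characters guarantee no 13+ digit run can ever look like a PAN.
    """
    mac = hmac.new(secret, f"{field}\x00{value}".encode(), hashlib.sha256).hexdigest()[:16]
    return field + "_" + "-".join(mac[i:i + 4] for i in range(0, 16, 4))

def pseudonymize_record(record: Dict, secret: bytes) -> Dict:
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field) is not None:
            out[field] = token(secret, field, str(out[field]))
    return out

def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out order numbers and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_leaks(records: List[Dict], originals: List[Dict]) -> List[Tuple[int, str, str]]:
    """Return (record index, field, reason) for every residual personal data element."""
    raw_values = {str(v) for rec in originals for k, v in rec.items() if k in DIRECT_IDENTIFIERS}
    leaks = []
    for i, rec in enumerate(records):
        for k, v in rec.items():
            s = str(v)
            if s in raw_values:
                leaks.append((i, k, "raw identifier value"))
            if SSN_RE.search(s):
                leaks.append((i, k, "SSN pattern"))
            for m in PAN_RE.finditer(s):
                if luhn_valid(m.group()):
                    leaks.append((i, k, "Luhn-valid PAN"))
    return leaks

def prepare_test_dataset(records: List[Dict], secret: bytes) -> List[Dict]:
    """Pseudonymize, then refuse to release the result if anything identifying remains."""
    out = [pseudonymize_record(r, secret) for r in records]
    leaks = find_leaks(out, records)
    if leaks:
        raise ValueError(f"refusing to release dataset, residual personal data: {leaks}")
    return out

if __name__ == "__main__":
    # The secret below is a constructed placeholder for the example only.
    for row in prepare_test_dataset(SAMPLE_RECORDS, b"example-only-production-secret"):
        print(row)
```

Two points worth noting for review: the release gate checks the output against patterns, not just against the list of fields it knows about, so a card number that leaked into a free-text "notes" column would still be caught; and the non-identifying columns (customer_id, booking_total) are left intact, which is what keeps the dataset useful for testing.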
1.1.1 Cryptographic Controls
Where applicable, Company must use commercially available, industry standard cryptographic algorithms and all deployed encryption solutions must follow best practices in key management. Company must ensure encryption keys are protected against disclosure and misuse and are rotated on a regular basis, calculated by reference to the level of sensitivity of information and industry standards. Retired keys must be destroyed.
1.1.2 System Security
Company must establish and maintain configuration standards for all network devices and hosts accessing, processing, or storing sensitive Expedia Information, addressing currently known security vulnerabilities and industry best security practices. Company must ensure that software (including open-source software and firmware) used in operational systems remains within a version for which its supplier still provides security patches.
1.1.3 Secure Development and Support
All software development done on behalf of Expedia must follow a documented software development process or life cycle (SDLC) with appropriate security checkpoints. Company must validate and test firmware, software, and application source code against vulnerabilities and weaknesses before deploying code to production. If Company develops software for Expedia, it may be required to demonstrate the effectiveness of security controls prior to software acceptance. All software deployed to a production status in Expedia’s environment must adhere to and utilize Expedia’s change control process.
1.2 SECURITY AWARENESS AND EDUCATION
Company shall be responsible for providing and verifying successful completion of secure development training based upon industry best-practice standards for all Company developers working with the applicable code or systems. Successful completion of annual privacy training and Expedia's secure development training is a mandatory requirement for Company developers with an account on the Expedia corporate network. Upon request, Company must provide evidence and reports of training completion to Expedia.
SECTION 3: CARDHOLDER AND FINANCIAL/PAYMENT ACCOUNT DATA
SCOPE OF SECTION 3: If Company has access to or otherwise receives Expedia employee or customer financial/payment account numbers, including without limitation Cardholder Data and/or other data in scope for PCI DSS, or provides cardholder processing software to Expedia, Company will comply with the provisions in Section 3:
1.1 Company represents that it is presently in compliance, and will remain in compliance, with the requirements of the PCI DSS as in force from time to time. Company shall provide Expedia with a copy of its PCI DSS Attestation of Compliance annually at the time of filing, and immediately notify Expedia of any change in its PCI DSS compliance status.
1.2 Company acknowledges that Cardholder Data is owned exclusively by Expedia, credit card issuers, the relevant Payment Card Brand, and entities licensed to process credit and debit card transactions on behalf of Expedia, and further acknowledges that such Cardholder Data may be used only on the instruction of Expedia and in accordance with the Agreement, these Requirements, applicable privacy and security laws, and the operating regulations of the Payment Card Brands.
1.3 Company agrees that, in the event of a Personal Data Breach involving Cardholder Data, Company shall afford full cooperation and access to Company’s premises, books, logs and records by a designee of the Payment Card Brands to the extent necessary to perform a thorough security review and to validate Company’s compliance with the PCI Standards.
1.4 If Company provides Expedia with software that processes any payments via a payment application, Company represents that software provided to Expedia has been assessed and complies with the PA-DSS, and agrees to provide Expedia with all documentation, including the PA-DSS Implementation Guide, necessary for Expedia to deploy the software in a manner consistent with PCI DSS. Company agrees to re-assess software following any changes determined to impact payment application security in accordance with the PA-DSS and provide updated documentation as necessary. (Note for practitioners: the PCI SSC retired the PA-DSS program in October 2022; its successor program for validating payment software is the PCI Software Security Framework (SSF), so newly developed or newly validated payment applications will carry an SSF listing rather than a PA-DSS one, and the implementation guidance referred to above will be the SSF equivalent.)