
    Security Policy.

    ISO 27001:2022 certified. Multi-cloud global infrastructure. E2EE messaging. Hawkeye monitoring — always watching at the platform level, never at the person level.

    Effective: 1 April 2026
    ISO 27001:2022
    CERT-In 2022
    DPDP Act 2023
    PCI-DSS Level 1

    Summary: All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Messages are end-to-end encrypted. Infrastructure is hosted across Google Cloud, AWS, Akamai, and NTT globally. ISO 27001:2022 certified. Hawkeye monitors for threats — but only activates user-level visibility on SOS or emergency triggers. 72-hour breach notification as required by law.

    1. Our Commitment

    Viaje Holidays Private Limited treats security as a core product requirement. Our security programme is governed by an ISO 27001:2022 certified Information Security Management System (ISMS) operated by our Security Operations Centre (SOC). We comply with CERT-In Cyber Security Guidelines 2022, the IT (Reasonable Security Practices and Procedures) Rules 2011, PCI-DSS through our certified payment gateway partners, and the DPDP Act 2023 breach notification requirements. Security is not an afterthought — it is built into every component of the Platform.

    2. Infrastructure & Global Resilience

    Viaje's infrastructure is distributed across multiple geographies for resilience, performance, and regulatory compliance. Primary hosting and data storage are on Google Cloud (India region); global content delivery and edge security through Akamai; backup and redundancy on Amazon Web Services; and Asia-Pacific infrastructure on NTT Communications (Japan). This multi-cloud, multi-region architecture ensures that no single point of failure can compromise data availability. All infrastructure providers operate under Data Processing Agreements and are independently audited to international security standards.

    Additional security controls include: enterprise Web Application Firewall (WAF) filtering malicious traffic at the edge; DDoS mitigation via Cloudflare Enterprise; network segmentation separating production, staging, and development environments; intrusion detection and prevention systems (IDS/IPS) monitoring all traffic in real time; and automated patching with critical security patches applied within 72 hours of public vulnerability disclosure.

    3. Encryption Standards

    All data in transit is encrypted using TLS 1.3 with HTTP Strict Transport Security (HSTS) enforced and certificate transparency monitoring active. All data at rest is encrypted using AES-256 with hardware security modules (HSMs) managing encryption keys, which are rotated on a quarterly schedule. Message content between users is end-to-end encrypted (E2EE) — Viaje cannot read message content and cannot decrypt it even in response to a legal order. Government ID numbers, if referenced, are stored only as one-way SHA-3 cryptographic hashes. Payment card data is tokenised by our PCI-DSS certified gateway partners — raw card data never enters Viaje's systems.

    4. Access Control

    Access to production systems and user data is governed by the principle of least privilege — staff may only access systems and data required for their specific role. Multi-factor authentication (MFA) is mandatory for all staff accessing production environments. We operate a zero-trust architecture where no implicit trust is granted based on network location. Privileged access is managed through a Privileged Access Management (PAM) system with session recording and time-limited elevation. All staff with data access undergo comprehensive background verification. Access rights are reviewed quarterly and revoked within one hour of employment termination.

    5. Hawkeye — Safety & Threat Monitoring

    Hawkeye is Viaje's proprietary security and safety monitoring platform. It operates at the platform level, analysing signals across logins, transactions, and content patterns for anomalies indicative of fraud, abuse, or account compromise. Hawkeye does not track individual user location, browsing behaviour, or content in real time as a matter of standard operation. Individual-level monitoring is activated only when: an algorithmic anomaly threshold is crossed (e.g. unusual login velocity, payment fraud pattern, compromised account signal); or a user activates the SOS or emergency feature on the Platform. In SOS scenarios, Hawkeye generates an alert that is reviewed by the safety team. All Hawkeye alert-driven access to user data is logged, audited, and time-limited.

    6. Incident Response

    Our Incident Response Plan follows the NIST Cybersecurity Framework (Identify → Protect → Detect → Respond → Recover). On detection of a suspected breach: affected systems are immediately isolated by automated controls; the security team assesses scope, impact, and root cause; affected users and relevant authorities are notified within 72 hours as required by the DPDP Act 2023 and CERT-In mandatory reporting obligations; remediation and hardening are applied; and a full post-incident review is conducted with findings shared with users where appropriate.

    7. Protecting Your Account

    You can significantly strengthen your account security by: enabling two-factor authentication (2FA) in app settings; using a unique, strong password (minimum 12 characters with mixed case, numbers, and symbols); logging out on shared or public devices; and reviewing your login history periodically in account settings. If you notice unrecognised activity, report it immediately to report@viaje.in.

    Viaje will never contact you via email, SMS, WhatsApp, or phone to ask for your password, OTP, full card number, or CVV. Any such request is a social engineering attack. Report it immediately to report@viaje.in.

    8. ID Verification Security

    Viaje's digital ID verification is performed via DigiLocker and HyperVerge — government-authorised, encrypted APIs. All verification API calls occur over TLS 1.3 with certificate pinning. No document images or raw ID numbers are transmitted to or stored by Viaje. The OTP-based consent flow ensures the verification is initiated only by the legitimate ID holder. Verification session tokens are single-use and expire within 15 minutes.

    9. Security Testing

    Viaje conducts: continuous automated vulnerability scanning of all public-facing and internal systems; annual independent penetration testing by CERT-In empanelled security firms; mandatory security code review for all changes deployed to production; and regular red team exercises simulating adversarial attacks. Findings are tracked to remediation and reviewed at the board level quarterly.

    10. Certifications & Compliance

    ISO 27001:2022 (Information Security Management System); PCI-DSS Level 1 compliance through certified payment gateway partners; DPDP Act 2023 and IT (Reasonable Security Practices) Rules 2011; CERT-In Cyber Security Guidelines 2022 (mandatory 6-hour incident reporting); GDPR-aligned for EEA user data; CCPA/CPRA compliant for California user data.

    11. Responsible Disclosure

    If you discover a security vulnerability in the Viaje Platform, please disclose it responsibly to report@viaje.in with: a description of the vulnerability, detailed reproduction steps, your assessment of potential impact, and your contact details. We commit to acknowledging reports within 48 hours, resolving critical vulnerabilities within 7 days, and not pursuing legal action against researchers who act in good faith under this programme. We do not currently operate a paid bug bounty but recognise responsible researchers in our security acknowledgements.

    Security concerns, vulnerability reports, and incident notification
    Security & Trust: report@viaje.in
    Phone (9 AM–9 PM IST): 7703007703
    Registered Office: Viaje Holidays Private Limited, 261, Kartora, Akbarpur, Ambedkar Nagar, Uttar Pradesh 224146, India · CIN: U79110UP2026PTC243597