Platform Security Whitepaper
Version 3.2 — June 7, 2026
CONFIDENTIAL — FOR PROSPECTS & CUSTOMERS
Table of Contents
- Transport Layer Security (HTTPS / TLS)
- Authentication & Identity Management
- Role-Based Access Control (RBAC)
- Multi-Tenant Data Isolation
- Third-Party Payment Model
- Client Consent & Authorization Framework
- Comprehensive Audit Logging
- File Storage & Document Security
- Email Security & Delivery Tracking
- Session & Token Security
- Application Security Practices
- Infrastructure & Platform Security
- Compliance Summary Matrix
1. Transport Layer Security (HTTPS / TLS)
All communications between users, clients, and the Travel Office Suite Pro platform are encrypted using industry-standard transport protocols. No unencrypted HTTP traffic is accepted.
| Security Aspect | Status | Details |
|---|---|---|
| HTTPS Enforcement | ✅ Enforced | All traffic redirected to HTTPS; HTTP requests rejected |
| TLS Protocol | ✅ TLS 1.2 / 1.3 | Modern encryption with forward secrecy |
| SSL Certificate | ✅ Auto-Provisioned | Certificates auto-renewed; no manual intervention required |
| HSTS Headers | ✅ Enabled | Browser instructed to always use HTTPS |
| Certificate Monitoring | ✅ Automated | Renewal well before expiration |
What this means: Every interaction — login, file upload, payment, form submission — is encrypted in transit between the user's browser and the platform. Even on public WiFi, the traffic cannot be read or altered by anyone else on the network.
2. Authentication & Identity Management
Travel Office Suite Pro implements a multi-layered authentication system that protects every user account from unauthorized access.
Password Security
| Feature | Implementation |
|---|---|
| Password Hashing | bcrypt with per-password unique salts — computationally expensive to brute-force |
| Complexity Requirements | Minimum 8 characters with mandatory uppercase, lowercase, digit, and special character |
| Password Rotation | Mandatory 180-day rotation cycle with 14-day advance warning notifications |
| Forced Password Change | Temporary passwords require change on first login (mustChangePassword flag) |
| Password Reset | Cryptographic token with 1-hour expiry; emailed to verified address |
| Email Enumeration Prevention | Password reset returns the same success response whether or not the address is registered — attackers cannot use it to discover valid emails |
Two-Factor Authentication (2FA)
Travel Office Suite Pro supports optional TOTP-based two-factor authentication for enhanced account security:
- Protocol — Time-Based One-Time Password (TOTP) per RFC 6238
- Supported Apps — Google Authenticator, Authy, Microsoft Authenticator
- Enrollment — User-initiated from account security settings; QR code provisioning with backup codes
- Enforcement — Optional per-user; can be required by tenant administrators
Login Rate Limiting & Account Lockout
- Threshold — 5 consecutive failed login attempts trigger automatic account lockout
- Lockout Duration — 30-minute cooldown period before reattempt is permitted
- Audit Trail — All failed login attempts are logged with IP address and timestamp
- Notification — Account holder notified of lockout events via email
Session Management
| Feature | Implementation |
|---|---|
| Session Strategy | JWT (JSON Web Tokens) with cryptographic signing |
| Token Storage | Secure, HttpOnly cookies — inaccessible to JavaScript |
| CSRF Protection | Built-in cross-site request forgery protection via NextAuth |
| Session Refresh | Tokens refreshed on critical actions (role change, profile update) |
Onboarding Security Flow
Every new user must complete a mandatory security flow before accessing the platform:
- Email Verification — account linked to verified email
- Forced Password Change — temporary/invited passwords must be changed immediately
- Terms of Service Acceptance — legal agreement with version tracking, IP address, and timestamp recorded
- Profile Completion — required before accessing dashboard functionality
- Tester Approval — trial/tester users require explicit admin approval with time-limited access
Team Invitations
- Invitation-only onboarding via cryptographic tokens
- Tokens validated before team join; expired tokens rejected
- Role pre-assigned by admin during invitation
3. Role-Based Access Control (RBAC)
Access to every feature, page, and API endpoint is governed by a dual-layer role system — preventing unauthorized data access even for authenticated users.
System Roles (UserRole)
| Role | Description | Key Permissions |
|---|---|---|
| ADMIN | Platform / Agency Owner | Full access — user management, tenant settings, audit logs, all data |
| MANAGER | Senior Advisor / Team Lead | Create/edit trips & clients, view audit logs |
| VIEWER | Junior Team Member | Read-only access to assigned data; no sensitive operations |
Tenant Roles (TenantRole)
| Role | Typical Assignment |
|---|---|
| OWNER | Agency owner with full administrative control |
| MANAGER | Office manager with team oversight |
| ADVISOR | Travel advisor with client-facing access |
| VIEWER | Read-only team member |
| ADVISOR_TESTER | Time-limited trial advisor with expiry enforcement |
Permission Matrix
| Action | Admin | Manager | Viewer |
|---|---|---|---|
| View Clients & Trips | ✅ | ✅ | ✅ |
| Create/Edit Records | ✅ | ✅ | ❌ |
| View Audit Logs | ✅ | ✅ | ❌ |
| Manage Team Members | ✅ | ❌ | ❌ |
| Modify Tenant Settings | ✅ | ❌ | ❌ |
| Generate Impersonation Tokens | ✅ (Platform Owner) | ❌ | ❌ |
329 API routes are individually protected with session validation, role checks, and tenant scoping. Every route calls getServerSession() and returns 401 if unauthenticated.
4. Multi-Tenant Data Isolation
Travel Office Suite Pro is architected as a multi-tenant platform where each travel agency operates in a completely isolated data environment.
Isolation Guarantees
| Layer | Protection |
|---|---|
| Database Queries | Every query is automatically scoped by tenantId — no cross-tenant data leakage possible |
| API Routes | Session user's tenant ID is derived server-side, never from client requests |
| File Storage | Uploaded files are namespaced per tenant in cloud storage |
| Email Templates | Each tenant has independent email template customizations |
| Branding & Settings | Colors, logos, consent text, payment links — all per-tenant |
| Audit Logs | Logs are tenant-scoped; agencies only see their own activity |
🔒 Zero Cross-Tenant Visibility: Agency A can never see Agency B's clients, trips, invoices, documents, or any other data — regardless of any API manipulation attempt. Tenant isolation is enforced at the database query level.
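The route-guard rules from Sections 3 and 4 (401 when unauthenticated, role check against the Permission Matrix, tenant ID taken from the session and never from the request body, tester expiry) as one function. This is an added example, not the platform's own code; the Session shape, the `accessExpiresAt` field and the function and action names are assumptions.

```typescript
type UserRole = "ADMIN" | "MANAGER" | "VIEWER";
type TenantRole = "OWNER" | "MANAGER" | "ADVISOR" | "VIEWER" | "ADVISOR_TESTER";
type Action =
  | "VIEW_RECORDS"
  | "CREATE_EDIT_RECORDS"
  | "VIEW_AUDIT_LOGS"
  | "MANAGE_TEAM"
  | "MODIFY_TENANT_SETTINGS";

// Assumed shape of what getServerSession() returns; `accessExpiresAt` is an
// assumed field name for the ADVISOR_TESTER time limit.
interface Session {
  user: {
    id: string;
    role: UserRole;
    tenantRole: TenantRole;
    tenantId: string;
    accessExpiresAt?: Date;
  };
}

// Permission Matrix (Section 3): the system roles allowed to perform each action.
const ALLOWED: Record<Action, readonly UserRole[]> = {
  VIEW_RECORDS: ["ADMIN", "MANAGER", "VIEWER"],
  CREATE_EDIT_RECORDS: ["ADMIN", "MANAGER"],
  VIEW_AUDIT_LOGS: ["ADMIN", "MANAGER"],
  MANAGE_TEAM: ["ADMIN"],
  MODIFY_TENANT_SETTINGS: ["ADMIN"],
};

type GuardResult =
  | { status: 401 | 403; error: string }
  | { status: 200; where: { tenantId: string; id?: string } };

// `session` is the (possibly null) result of getServerSession(); `body` is the
// untrusted request payload. `now` is injectable so the expiry rule is testable.
function guardRequest(
  session: Session | null,
  action: Action,
  body: Record<string, unknown>,
  now: Date = new Date(),
): GuardResult {
  // 1. Unauthenticated -> 401, before anything in the body is looked at.
  if (!session) return { status: 401, error: "Unauthenticated" };
  const { user } = session;

  // 2. Expired (or never-dated, fail closed) trial advisor -> 403 (Tester Expiry).
  if (
    user.tenantRole === "ADVISOR_TESTER" &&
    (!user.accessExpiresAt || user.accessExpiresAt.getTime() <= now.getTime())
  ) {
    return { status: 403, error: "Tester access expired" };
  }

  // 3. System role must permit the action, otherwise 403.
  if (!ALLOWED[action].includes(user.role)) {
    return { status: 403, error: "Forbidden" };
  }

  // 4. Build the query filter. tenantId comes from the session only; a tenantId
  //    or userId in the body is ignored. Only an explicit record id is copied
  //    from the body, so no other client-controlled key reaches the query.
  const where: { tenantId: string; id?: string } = { tenantId: user.tenantId };
  if (typeof body.id === "string") where.id = body.id;
  return { status: 200, where };
}
// In a route handler: const r = guardRequest(await getServerSession(), "VIEW_RECORDS", body);
// if (r.status !== 200) respond with r.status; otherwise prisma.client.findMany({ where: r.where }).
```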
5. Third-Party Payment Model
🔒 Zero Raw Card Data — External Redirect & Tokenized Payment Architecture: Travel Office Suite Pro does not collect, process, store, or transmit raw (unencrypted) client payment card data. All payment transactions are handled entirely by external third-party processors using a redirect model. The platform also offers an optional PCI Vault feature for tokenized card-on-file storage, powered by a PCI-DSS Level 1 certified third-party provider — only secure tokens and masked card references (e.g., last 4 digits, card brand) are stored on the platform. Raw card numbers, CVVs, and expiration dates never enter or pass through the platform.
How Payments Work
The platform supports four distinct payment collection methods — three of which route clients to external, third-party payment processors, and one (PCI Vault) that uses a PCI-DSS Level 1 certified third-party provider for tokenized card-on-file storage:
| Payment Method | Provider | How It Works |
|---|---|---|
| Stripe Payment Links | Stripe (PCI DSS Level 1) | Platform generates a Stripe-hosted payment link. Client clicks and is redirected to Stripe's checkout page to enter card details. Payment is processed entirely on Stripe's infrastructure. |
| External Payment URLs | Host Agency / Consortia / Custom | Advisor configures an external payment URL (e.g., host agency consortia payment portal). Client is redirected to the external provider's website to complete payment. |
| Planning Fees | Stripe | Advisor creates a planning-fee Stripe Payment Link. Client pays via Stripe's hosted checkout. Funds settle directly to the advisor's Stripe account. |
| PCI Vault (Card-on-File) | PCI-DSS Level 1 Third-Party Provider | Client submits card data through a tokenized collection form hosted by the third-party provider. Card data is encrypted and tokenized before any reference reaches the platform. Only secure tokens and masked card references are stored — the platform never sees, stores, or has access to raw card numbers, CVVs, or expiration dates. Advisors retrieve masked references to manually enter card details into the travel vendor's own booking system. Available on Pro, Team, and Enterprise plans; metered during the free trial. Basic plan subscribers do not have access to PCI Vault. |
Why This Matters for Security
| Security Benefit | Details |
|---|---|
| Zero Raw Card Data Exposure | The platform never collects, processes, stores, or transmits raw (unencrypted) payment card numbers, CVVs, or expiration dates. PCI Vault stores only secure tokens and masked references provided by a PCI-DSS Level 1 certified third-party provider. |
| PCI DSS Scope Minimized | For payment transactions, no cardholder data enters the platform (external redirect model). PCI Vault card tokenization is handled entirely by the PCI-DSS Level 1 certified third-party provider — the platform stores only tokens and masked references, keeping the platform's PCI-DSS exposure minimal. |
| Tokenized Card-on-File via PCI Vault | Unlike systems that store raw or encrypted card data directly, PCI Vault uses a PCI-DSS Level 1 certified third-party provider for tokenization. The platform only stores secure tokens and masked card references — never raw card numbers or sensitive authentication data. |
| Third-Party Compliance | Stripe is a PCI DSS Level 1 Certified Service Provider for payment processing. The PCI Vault tokenization provider is also PCI-DSS Level 1 certified. Both providers bear full compliance responsibility for their respective services. |
| Minimal Attack Surface | By delegating payment processing to external providers and card tokenization to a PCI-DSS certified provider, the platform minimizes its exposure to payment-related vulnerabilities. No raw card data is ever stored, processed, or transmitted through the platform. |
| Cardholder Data Prohibition | Users are strictly prohibited from storing raw cardholder data (full card numbers, CVVs, expiration dates) anywhere within the platform outside of the designated PCI Vault feature. Violations may result in immediate account termination. See Terms of Service Section 9.7. |
Advisor Responsibilities
As outlined in the platform's Terms of Service (Section 9.5):
- Travel advisors are solely responsible for their own Stripe account setup, compliance, and payment accuracy
- Advisors who use external payment URLs are responsible for the security and compliance of those third-party providers
- The platform provides the tools to generate and deliver payment links — it does not process, hold, or guarantee any funds
- All payment disputes, chargebacks, and refunds are handled directly between the advisor, their payment processor, and the client
- PCI Vault card-on-file data must be used solely for booking travel on behalf of the authorizing client, and advisors must obtain proper cardholder authorization before storing card data
- Users are strictly prohibited from storing raw cardholder data (full card numbers, CVVs, expiration dates) anywhere on the platform outside of the designated PCI Vault feature (see Terms of Service Section 9.7)
Reference: This payment model is documented in the platform's Terms of Service (Sections 9.5 — Client Payment Collection, and 9.7 — PCI Vault Service and Cardholder Data Prohibition) and Privacy Policy (Section 4.3 — Client Payment Processing). Both documents confirm that no raw payment card data is ever stored, processed, or transmitted through the Travel Office Suite Pro platform. PCI Vault stores only secure tokens and masked references provided by a PCI-DSS Level 1 certified third-party provider.
6. Client Consent & Authorization Framework
Travel Office Suite Pro implements a comprehensive, legally defensible consent and authorization system for client data access and communications.
Authorization Lifecycle
| Phase | Duration | Description |
|---|---|---|
| Client Portal Authorization | 7 days | Client grants data access via secure portal with full consent text |
| Extension (Optional) | +7 days | One-time extension via portal re-consent or email confirmation |
| Maximum Window | 14 days | Hard limit — no further extensions possible |
| Post-Expiry | Blocked | All access requests denied; data remains encrypted |
| Revocation | Immediate | Advisor or client can revoke authorization at any time |
Consent Record Tracking
Every consent interaction is immutably recorded with:
- Full Consent Text — exact language shown to the client at time of consent
- Timestamp — precise date/time of consent
- IP Address — client's IP at time of consent
- User Agent — browser/device information
- Signature Data — digital signature capture when applicable
- Links to Legal Documents — Terms of Service, Privacy Policy, Client Agreement URLs recorded at consent time
SMS & Communication Consent
- Explicit opt-in required for text message communications
- Phone number confirmed by double-entry verification
- Consent status stored per-client with audit trail
Terms of Service Acceptance
- Version-tracked acceptance — records which version was accepted
- IP address and user agent captured at acceptance time
- Middleware enforces acceptance before dashboard access
- New versions require re-acceptance
7. Comprehensive Audit Logging
Every sensitive action on the platform is recorded in an immutable audit log with full context — who, what, when, and where.
Tracked Actions
| Category | Logged Events |
|---|---|
| Authentication | Login, Logout, Failed Login, Signup |
| Client Records | Create, Update, Delete, View |
| Trip Management | Create, Update, Delete, Archive |
| Documents | Upload, Download, Delete, PDF Processing |
| Payment Links | Generate Payment Link, Track Payment Status |
| Authorizations | Extend, Revoke Authorization |
| Settings | Tenant Settings Changes, User Settings Changes |
| Impersonation | Token Generation, Login as Another User |
Audit Record Fields
| Field | Description |
|---|---|
| Actor User ID | Who performed the action |
| Actor Role | Role at time of action (ADMIN, MANAGER, VIEWER) |
| Action | Standardized action type (e.g., CREATE_CLIENT, GENERATE_PAYMENT_LINK) |
| Entity Type & ID | What was affected (Client, Trip, Document, etc.) |
| Metadata | Additional context (e.g., payment method, reason) |
| IP Address | Request origin IP |
| User Agent | Browser and device information |
| Timestamp | Precise datetime of action |
Audit logs are tenant-isolated — each agency's audit trail is visible only to their own admins and managers, never to other tenants.
8. File Storage & Document Security
All uploaded documents — trip confirmations, passports, contracts, invoices — are stored securely in cloud storage with multiple layers of protection.
| Feature | Implementation |
|---|---|
| Storage Provider | AWS S3 with server-side encryption |
| Upload Method | Presigned URLs — files go directly to S3, never through application servers |
| Access Control | Public/Private flags per file; private files require time-limited signed URLs |
| URL Expiration | Signed download URLs expire automatically — no permanent access links |
| Filename Sanitization | Uploaded filenames are sanitized and timestamp-prefixed, so user-supplied names cannot be used for path traversal |
| Content Type Validation | File type verified before upload authorization |
| Tenant Namespacing | Files organized by tenant — cross-tenant file access impossible |
9. Email Security & Delivery Tracking
Outgoing email communications are secured, tracked, and logged for compliance and deliverability.
| Feature | Implementation |
|---|---|
| Email Logging | Every outbound email recorded with full content, recipient, status, and timestamp |
| Delivery Tracking | Delivered, Opened, Clicked, and Bounced status tracking |
| Provider Response | Full provider response stored for troubleshooting |
| Error Handling | Error codes and messages captured for failed deliveries |
| Template Customization | Per-tenant email templates — agencies control their branding and messaging |
| Notification Controls | Each notification type can be individually enabled/disabled by tenant |
Client-Facing Email Security
- Password reset links expire after 1 hour
- Payment links use cryptographic tokens with expiry enforcement
- Client portal access via secure, non-guessable tokens
- Short links with click tracking and optional expiration dates
10. Session & Token Security
Token Types & Lifecycle
| Token Type | Purpose | Expiry |
|---|---|---|
| JWT Session Token | User authentication | Configurable; refreshed on actions |
| Password Reset Token | Secure password recovery | 1 hour |
| Impersonation Token | Platform owner support access | Short-lived; JWT-signed |
| Client Portal Token | Client access to shared content | Non-guessable CUID |
| Team Invitation Token | New team member onboarding | Validated before use |
| Authorization Token | Time-limited data access | 7 days (extendable to 14) |
| Intake Form Token | Client form submission | Session-based |
| Short Link Code | Branded URL shortening | Optional expiration |
Middleware Security Enforcement
A centralized middleware layer intercepts every request and enforces:
- Authentication Check — unauthenticated users redirected to login
- Password Change Enforcement — temporary passwords blocked until changed
- Terms Acceptance — users must accept current terms before proceeding
- Profile Completion — incomplete profiles blocked from dashboard
- Tester Expiry — expired tester accounts redirected to access-expired page
- Maintenance Mode — platform-wide lockout when maintenance is active
11. Application Security Practices
Input Validation & Data Protection
- Server-Side Validation — all inputs validated at the API level, not just client-side
- SQL Injection Prevention — Prisma ORM parameterizes all database queries
- XSS Protection — React's built-in output escaping prevents cross-site scripting
- Safe Email Handling — safeEmail and safePhone guards prevent accidental blanking of contact data
- Path Sanitization — file upload paths sanitized to prevent directory traversal
API Security
- Authentication on Every Route — 329 API routes individually call getServerSession()
- User ID from Session — user identity derived server-side, never from request parameters
- Tenant Scoping — tenant ID derived from authenticated user, not from request body
- Rate Limiting — infrastructure-level request rate limiting
- Error Handling — generic error responses that don't leak internal details
API Key Security (BYOK Model)
Advisors who integrate third-party services (e.g., AI providers, mapping APIs) use a Bring Your Own Key (BYOK) model:
- API keys are stored encrypted at rest in the database
- Keys are only decrypted server-side at the moment of use
- Each advisor manages their own keys — the platform never shares keys between users
- Key storage is tenant-isolated and role-restricted
Impersonation Safety
- Only platform owners can generate impersonation tokens
- Tokens are JWT-signed and short-lived
- Every impersonation event is audit-logged with both user identities
- Console logging tracks impersonation sessions
12. Infrastructure & Platform Security
⚡ Powered by the Abacus AI Platform: Travel Office Suite Pro's infrastructure is built on and hosted by the Abacus AI Platform — providing enterprise-grade managed hosting, automated scaling, DDoS protection, and managed database services. Abacus AI is listed as the platform's cloud hosting provider in our Privacy Policy (Section 5 — Service Providers).
| Layer | Provider | Security Features |
|---|---|---|
| Application Hosting | Abacus AI Platform | Managed infrastructure, automatic scaling, DDoS protection, edge caching |
| Database | Managed Database (via Abacus AI) | Encrypted at rest, automated backups, connection pooling, statement timeouts |
| File Storage | AWS S3 | Server-side encryption, bucket policies, presigned URLs |
| SSL/TLS | Auto-provisioned (via Abacus AI) | Automatic renewal, TLS 1.2/1.3, HSTS |
| DNS & CDN | Managed (via Abacus AI) | DDoS mitigation, edge caching, automatic failover |
| Payment Processing | Stripe / External Providers / PCI Vault Provider | External redirect model for transactions; PCI Vault for tokenized card-on-file storage via PCI-DSS L1 provider — zero raw card data on platform (see Section 5) |
Abacus AI Infrastructure Benefits
- Managed Hosting — no self-managed servers; Abacus AI handles provisioning, patching, and uptime
- DDoS Protection — infrastructure-level protection against distributed denial-of-service attacks
- Automated Scaling — resources scale automatically based on demand
- Managed Database — encrypted at rest, automated backups, connection pooling, and statement timeouts managed by the platform
- SSL/TLS Management — certificates auto-provisioned and auto-renewed
- Continuous Monitoring — platform-level health monitoring and alerting
Maintenance Mode
The platform includes a maintenance mode system that:
- Locks out all users (except platform owners) during maintenance
- Displays estimated completion time to users
- Applies to both advisor dashboard and client-facing portals
- Controlled via admin API with immediate effect
Database Security
- Connection Pooling — max 25 concurrent connections with idle timeout
- Statement Timeout — 5-second query timeout prevents long-running queries
- Idle Transaction Timeout — 30-second limit prevents connection leaks
- Encrypted at Rest — database storage encrypted
- Automated Backups — regular snapshots for disaster recovery
13. Compliance Summary Matrix
| Standard / Practice | Status | Details |
|---|---|---|
| Third-Party Payment Model | ✅ Zero Raw Card Data | External redirect for transactions; PCI Vault tokenization via PCI-DSS L1 provider — no raw card data on platform |
| HTTPS / TLS Enforcement | ✅ Enforced | TLS 1.2/1.3 with auto-renewed certificates |
| Data Encryption at Rest | ✅ AES-256 | Database and file storage encrypted |
| Data Encryption in Transit | ✅ TLS | All traffic encrypted end-to-end |
| Role-Based Access Control | ✅ Enforced | Dual-layer RBAC on all 329 API routes |
| Multi-Tenant Isolation | ✅ Database-Level | Tenant ID on every query; zero cross-tenant visibility |
| Audit Logging | ✅ Comprehensive | All sensitive actions with actor, IP, timestamp |
| Consent Management | ✅ Full Lifecycle | Immutable consent records with legal metadata |
| Session Security | ✅ JWT / HttpOnly | Cryptographically signed, secure cookie storage |
| Password Security | ✅ bcrypt + Rotation | Salted hashing, complexity rules, 180-day mandatory rotation |
| Two-Factor Auth | ✅ TOTP | Optional 2FA via Google Authenticator, Authy, Microsoft Authenticator |
| Login Protection | ✅ Rate Limited | 5-attempt lockout with 30-minute cooldown |
| Input Validation | ✅ Server-Side | Parameterized queries, XSS protection, path sanitization |
| Email Security | ✅ Tracked | Full delivery logging with status tracking |
| File Security | ✅ S3 + Presigned | Direct upload, time-limited access, tenant namespacing |
| Token Security | ✅ Time-Limited | All tokens have defined expiry and validation |
| Infrastructure | ✅ Abacus AI | Managed hosting, DDoS protection, automated backups |
Travel Office Suite Pro • travelofficesuitepro.ai • The Business Operating System for Travel Advisors
Powered by the Abacus AI Platform • This document was generated from a live platform audit and updated Saturday, June 7, 2026. All security features listed are built and operational.
© 2026 Tech For Travel Agents LLC. All Rights Reserved. | Classification: Prospect & Customer