Security
How we’ll handle your data — and what we won’t hold.
Plain-English version: we’re pre-launch, so the safest data is the data we don’t collect. The platform underneath is already SOC 2 audited, SSO & MFA enabled, and built for the largest agencies and hotel groups to onboard without a procurement detour. Here’s what’s in place today, what arrives with paying customers, and how to tell us if something looks wrong.
The principle
The entertainment-travel business runs on data that matters — guest names, room blocks, payment terms, contracts that landlords don’t want screenshotted. We’re building a product that touches all of it. So security isn’t a launch checklist for us; it’s the foundation we want to stand on the first day a paying customer logs in.
What’s in place today
SOC 2
TVLDays is SOC 2 audited. The report is available under NDA — email security@tvldays.com and we’ll send it. Type II observation period is in motion; we’ll publish the Type II report on the same path as soon as the window closes.
SSO, MFA, RBAC
SAML and OIDC SSO are available now — Okta, Google Workspace, Microsoft Entra, and any provider that speaks the standards. MFA is available to every user and required for admins. Role-based access controls separate workspace owners, agents, hotel partners, and tour staff, with a clear boundary between TVLDays operators and customer data.
Audit logs
Every change to a rooming list, manifest, or contract is recorded with the actor, time, and previous state. Workspace admins can pull the full audit log via the dashboard or stream it to their SIEM.
Encryption
TLS 1.3 in transit (the marketing site, the product, and every form submission). AES-256 at rest across all customer data. Source control on GitHub with branch protection and required reviews; deploy access limited to the founders, all with hardware-key second factors.
Enterprise readiness
We’ve built TVLDays to clear the procurement bar of the largest agencies and hotel groups. Standard MSAs, DPAs, and security questionnaires are answered turn-key. If you’re evaluating us against an internal review, email security@tvldays.com and we’ll move quickly.
What the marketing site holds
This page lives on a static Netlify deploy. The most sensitive thing on this server is your email address, sitting in Netlify Forms, encrypted at rest. We don’t accept or store payment information, government IDs, or production rooming data here, and we don’t run third-party tracking pixels.
What arrives with paying customers
The platform is enterprise-ready today. A handful of items are tied to going live with paying customers in October 2026:
- Customer-managed keys. CMK support for sensitive fields, available to enterprise workspaces at GA.
- Backups and recovery. Daily encrypted backups with documented RTO/RPO targets, published in the trust report.
- Penetration testing. Pre-GA pen test by an independent third party; ongoing tests on a yearly cadence after launch.
- Public subprocessor list. A dated list of every service that touches customer data, updated when it changes — not when someone notices.
- Trust portal. A self-serve trust portal with the SOC 2 report, subprocessor list, security overview, and policies.
Reporting an issue
If you find a security issue — on the site, in our infrastructure, in a Netlify-hosted form, anywhere — please tell us before telling anyone else.
- Email: security@tvldays.com.
- Subject line: [security] followed by a one-line summary.
- Detail: what you found, how to reproduce, what version/page, and any screenshots or proof.
We’ll acknowledge within 48 hours and aim to fix or mitigate within 14 days for anything we can confirm. We won’t pursue legal action against good-faith researchers who follow this disclosure path and avoid accessing data that isn’t theirs.
A note on AI
We don’t train AI models on your waitlist data. We won’t train models on customer data after launch without explicit, opt-in consent at the workspace level. If we ever change that policy, we’ll announce it here and email everyone with an account first — not after.
Acknowledgments
When the product launches we’ll publish a security acknowledgments page crediting researchers who help us find and fix issues. If you’d rather stay anonymous when reporting, that’s fine — just say so.
Contact
Vulnerability reports: security@tvldays.com.
General security questions: same address.
Procurement / vendor-review questionnaires: security@tvldays.com.