Travories operates a marketplace that handles bookings, payments, identity documents, and the trust between travelers and Nepali travel agencies. Security is not a feature we add at the end — it is built into our infrastructure, our development workflow, and the daily practices of every engineer on our team. This page describes the safeguards we currently have in place to keep your account, payments, and personal data safe.
All traffic between your browser or mobile app and our servers is encrypted using TLS 1.2 or higher, with HTTP Strict Transport Security (HSTS) preloaded to prevent downgrade attacks. Personal data at rest in our databases and object storage is encrypted using AES-256 with keys managed through our cloud provider's hardware-backed key management service. Backups are encrypted with the same standard.
Access to production systems is limited to a small number of authorised engineers and operations staff. Every engineer authenticates through single sign-on with mandatory multi-factor authentication. Access to user records is logged, least-privileged by role, and reviewed on a regular cadence. We use just-in-time elevation for sensitive operations rather than standing administrative access.
Card payments are processed by PCI-DSS-compliant payment partners. Card numbers are never transmitted to or stored on Travories servers — we hold only an opaque token returned by the processor, which we use solely to initiate refunds or follow-up charges authorised by you. 3D Secure is enforced where supported by the issuing bank, and high-risk transactions are reviewed before settlement.
Production systems emit structured logs to a centralised observability platform. Anomalous sign-in patterns, brute-force attempts, suspicious payment behaviour, and unusual data-access patterns trigger automated alerts that our team investigates around the clock. We rate-limit authentication endpoints and automatically lock accounts after repeated failed attempts.
We maintain an incident-response plan that defines how we triage, contain, investigate, and communicate about security events. If a confirmed breach affects your personal data, we will notify you and the relevant supervisory authority within the timeframes required by applicable law, with a clear description of what happened, what data was involved, and the steps we are taking in response.
The strongest platform-level controls cannot protect an account with a guessable password. We recommend a unique, long passphrase for your Travories account, enabling multi-factor authentication, never sharing your sign-in credentials, and signing out of shared devices. If you suspect your account has been accessed without authorisation, contact us immediately so we can investigate and lock the session.
While no system can ever be completely risk-free, the combination of platform engineering, operational discipline, and informed user practices keeps Travories a secure place to plan, book, and travel.
If you have questions about our security measures or how we protect your data, our support team will be happy to assist you.
Contact Us