This portal makes available our independent audit reports and certificates, which provide information about Amadeus’ IT Compliance requirements, such as International Organization for Standardization (ISO), Payment Card Industry Standards (PCI) and System and Organization Controls (SOC). Customers may request copies of these reports and certificates through this portal. Please note that some reports require internal Amadeus approval and signature of a non-disclosure agreement.
The System and Organization Controls (SOC) framework was developed by the American Institute of Certified Public Accountants (AICPA). SOC reports are internal control reports that are generated by Certified Public Accountants (CPAs) after they audit the services provided by a service organization. SOC reports can help companies assess and address the risks that are associated with vendors who provide an outsourced service.
At Amadeus we provide:
Customers can request Amadeus’ SOC1 and SOC2 reports using the button at the top or bottom of this page.
| Document | Description |
|---|---|
| SOC1 Type II Central Systems - JAN-SEP | Document that details the assessment performed by a third-party independent auditor on Amadeus Central Systems platform controls (design and operating effectiveness) under SSAE No. 18, Attestation Standards, covering the current January to September period |
| SOC1 Type II Central Systems - JAN-DEC | Document that details the assessment performed by a third-party independent auditor on Amadeus Central Systems platform controls (design and operating effectiveness) under SSAE No. 18, Attestation Standards, covering the current January to December period |
| SOC2 Type II Airline IT and AirOps - JAN-DEC | Document that details the assessment performed by a third-party independent auditor on Amadeus Airline IT and AirOps Systems platform controls (design and operating effectiveness) under SOC 2, AT 101, AICPA Trust Service objectives and principles, covering the current January to December period. NOTE: this document applies only to Airline IT customers |
| SOC1 Type II Hospitality ACRS Subscription Service - JAN-SEP | Document that details the assessment performed by a third-party independent auditor on Amadeus Central Reservation System (ACRS) Subscription Services (ACRS, ACMD, PCG) controls (design and operating effectiveness) under SSAE No. 18, Attestation Standards, covering the current January to September period |
| SOC2 Type II Hospitality ACRS Subscription Service JAN-DEC | Document that details the assessment performed by a third-party independent auditor on Amadeus Central Reservation System (ACRS) Subscription Services (ACRS, ACMD, PCG) controls (design and operating effectiveness) under SSAE No. 18, Attestation Standards, covering the current January to December period |
| SOC1 Type II Cytric Solutions | Document that details the assessment performed by a third-party independent auditor on Amadeus Cytric Travel, Expense and Easy platform controls (design and operating effectiveness) under SSAE No. 18, Attestation Standards |
| SOC2 Type II Cytric Solutions | Document that details the assessment performed by a third-party independent auditor on Amadeus Cytric Travel, Expense and Easy platform controls (design and operating effectiveness) under SOC 2, AT 101, AICPA Trust Service objectives and principles |
| JAN-MAR Bridge Letter - SOC 1 Central Systems and SOC 2 Airline IT | Amadeus SOC1 and SOC 2 Bridge Letter for the period January to March |
| OCT-DEC Bridge Letter – SOC 1 Central Systems | Amadeus SOC1 and SOC 2 Bridge Letter for the period October to December |
| OCT-DEC Bridge Letter – SOC 1 ACRS Subscription Service | Amadeus SOC1 Bridge Letter for the period October to December |
The ISO/IEC 27000 family of standards establishes a comprehensive framework for information risk management, with ISO/IEC 27001 specifying the requirements for implementing, monitoring, and continually improving an Information Security Management System (ISMS) to protect organizational information assets and support compliance with regulatory and legal requirements.
The ISO/IEC 27001 security standard specifies an ISMS consisting of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its information assets. As a formal specification, it mandates requirements that define how to implement, monitor, maintain, and continually improve the ISMS. Certification to ISO/IEC 27001 helps organizations comply with numerous regulatory and legal requirements that relate to information security.
Customers can also request Amadeus’ ISO 27001 Certificate using the button at the top or bottom of this page.
| Document | Description |
|---|---|
| ISO 27001 Certificate Amadeus IT Group | Amadeus IT Group ISO/IEC 27001:2022 certificate for processes of operation and promotion of systems in the Production environment performed by Technology, Security, Innovation and Agility (TSI) |
| ISO 27001 Certificate Amadeus IT Group - Hospitality | ISO/IEC 27001:2022 certificate - Amadeus Information Security Management System (ISMS) covering the processes of operation and promotion of the Amadeus Hospitality Products: ACRS, Central Sales, Delphi, Delphi APIs and MeetingBroker |
| ISO 27001 Certificate Amadeus IT Group - Cytric | ISO/IEC 27001:2022 certificate - Amadeus Information Security Management System (ISMS) covering the processes to develop, operate and promote Amadeus Cytric Travel, Cytric Expense, Cytric Mobile and Cytric Easy solutions in the Production and Test environments |
| ISO 27001 Certificate - Vision-Box | ISO/IEC 27001:2022 certificate for Commercialisation, Development, Production, Deployment and Technical Support of Products for Biometric Identity Management, Automated Border Control and Intelligent Video Surveillance |
| ISO 27001 Certificate - Voxel | ISO/IEC 27001:2022 certificate for the design and implementation of electronic transaction solutions to digitize back-office processes for Voxel |
Launched in 2006, the Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment.
Amadeus has been a PCI DSS Certified Service Provider since 2009 and is certified with the current version of PCI DSS. Compliance validation is performed by an external Qualified Security Assessor (QSA) and certification needs to be revalidated on a yearly basis.
Amadeus is listed on the VISA Global Registry of Service Providers and in the Mastercard SDP Compliant Registered Service Provider list, which can be found at the link below:
Customers can also request the latest Amadeus PCI DSS Certificates and Attestations of Compliance using the button at the top or bottom of this page.
| Document | Description |
|---|---|
| Amadeus PCI DSS Certificate | Report that certifies that Amadeus has successfully validated the PCI DSS compliance |
| PCI DSS AOC Amadeus Central Products | PCI DSS Attestation of Compliance (AOC) report for Amadeus Central Products |
| PCI DSS AOC Amadeus Leisure It GmbH | PCI DSS Attestation of Compliance (AOC) report for Amadeus Leisure It GmbH |
| Sell Connect (SECO) Customization and Amadeus Robotics hosted on Amazon Web Services | PCI DSS Attestation of Compliance (AOC) report for Sell Connect (SECO) Customization and Amadeus Robotics hosted on Amazon Web Services |
| PCI DSS AOC Hospitality ACRS, Booking Tool, and AHP | PCI DSS Attestation of Compliance (AOC) report for Amadeus Hospitality Central Reservations System (ACRS), IHG Booking Tool and Amadeus Hotel Platform (AHP) |
| PCI DSS AOC Amadeus Channel Management - RezExchange, Amadeus Property Management Advanced | PCI DSS Attestation of Compliance (AOC) report for Amadeus Channel Management - RezExchange, Amadeus Property Management Advanced |
| PCI DSS AOC iHotelier and Channel Management | PCI DSS Attestation of Compliance (AOC) report for iHotelier and Channel Management |
| PCI DSS Quarterly Attestation of Scan Compliance (AOSC) | Quarterly Attestation of Scan Compliance (AOSC) for all components which should be in scope for PCI DSS |
| PCI DSS AOC Cytric Travel, Expense and Mobile | PCI DSS Attestation of Compliance (AOC) report for Amadeus Cytric Travel, Expense and Mobile applications |
| PCI DSS Certificate Cytric Travel Expense and Mobile | Certificate of successfully verified compliance with the Payment Card Industry Data Security Standard (PCI DSS) |
| PCI DSS AOC Outpayce | PCI DSS Attestation of Compliance (AOC) report for Outpayce |
| PCI DSS Certificate Outpayce | Certificate of successfully verified compliance with the Payment Card Industry Data Security Standard (PCI DSS) |
| PCI DSS - Matrix of Responsibilities Amadeus Central Products | Matrix of Responsibilities for Amadeus Central Products |
| Amadeus PCI PIN AOC | Declaration of the results of the assessment of the subject entity compliance with the Payment Card Industry PIN Security Requirements and Test Procedures (PCI PIN) |
| PCI DSS AOC SAQ-D | This document must be completed as a declaration of the results of the entity’s self-assessment against the Payment Card Industry Data Security Standard (PCI DSS) Requirements and Testing Procedures reflecting the results documented in an associated Self-Assessment Questionnaire (SAQ) |
The ISO 9001 and ISO 14001 standards provide internationally recognized frameworks for establishing, implementing, and continually improving an organization’s Quality Management System (QMS) and Environmental Management System (EMS).
ISO 9001 defines the policies, processes, and controls needed to consistently deliver products and services that meet customer and regulatory requirements, while ISO 14001 specifies the structured approach and operational practices required to manage environmental responsibilities, reduce impacts, and ensure compliance with applicable environmental laws. As formal specifications, both standards outline requirements for how these management systems must be planned, operated, monitored, and improved over time. Certification to ISO 9001 and ISO 14001 demonstrates an organization’s commitment to quality, customer satisfaction, sustainability, environmental stewardship, and adherence to relevant legal and regulatory obligations.
Customers can request Amadeus’ SOC1 and SOC2 reports using the button at the top or bottom of this page.
| Document | Description |
|---|---|
| ISO 14001 Certificate - Vision-Box | ISO 14001 certificate - Design, development, commercialization, production, implementation and support of computer vision systems, biometric and electronic security systems |
| ISO 9001 Certificate - Vision-Box | ISO 9001 certificate - Production and deployment of products for biometric identity management and security by intelligent video surveillance |
SOC 1 Type II interim (JAN-SEP) and full-year (JAN-DEC) reports / SOC 2 Type II / SOC Bridge Letters / PCI DSS Attestations of Compliance (AOC) / PCI DSS Quarterly Attestation of Scan Compliance (AOSC) / PCI DSS Certificate / ISO 27001 Certificate
Please keep in mind that not all the reports are applicable to all types of customers. In the Form, the requestor will see the types of reports distributed by the type of customers that can request them. If you have any questions, do not hesitate to contact your Amadeus Point of Contact.
If multiple documents are requested and Amadeus determines that you, as a customer, are not entitled to receive one of them, the whole request will be rejected.
ISO 27001 and PCI DSS certificates do not require approval, but if they are requested in conjunction with other reports that require approval (e.g., SOC 1), the distribution of the ISO 27001 or PCI DSS certificate will be done once the whole request is approved.
If multiple documents are requested and at least one of them requires an NDA, the other documents will not be distributed until the NDA has been signed.
Amadeus takes security aspects and the protection of confidential information very seriously, which is why all requests are reviewed to ensure they are legitimate. Amadeus could determine that a customer is not entitled to receive a particular document due to various reasons (e.g., the scope of an audit report does not apply to products that a customer has contracted with Amadeus). In those cases, the customer will receive an email notifying them that the request has not been approved, so please get in touch with your usual Amadeus point of contact and/or submit another request.
The documents' delivery time will vary depending on the number of legal checks that need to be performed internally to ensure the legitimacy of the request and the applicability of the reports requested. It usually takes a couple of working days depending on the reviewer's availability. However, if more details need to be checked, the expected time may increase.