Solutions
- Airlines
  - Amadeus for Airlines
  - Products
- Airports
  - Amadeus for Airports
  - Products
- Border Authorities
  - Amadeus for Border Authorities
  - Products
- Corporate Travel & Expense
  - Products
  - Capabilities
  - Integrations
    - Travel & Expense Solution for Microsoft Teams
- Travel Sellers
  - Products
  - Content
- Hospitality
- Payments & e-invoicing
  - Outpayce
  - Voxel: B2B Payments and e-Invoicing
- Traveler behavior is changing at every touchpoint.
  
  Explore bold ideas, lead with cutting-edge tech, build powerful partnerships, and contribute to lasting impact.
  Discover more
Support & Training
- Support
- Training
- Already a customer?
  
  Log into Amadeus Service Hub for product news, learning materials, and customer support.
  Login
Partners
- Amadeus Partners
  
  At Amadeus, we value strong partnerships with different players across the travel ecosystem. Gain access to our solutions to develop your portfolio, reach new customers and add to your bottom line.
- Landmark partnership between Amadeus and Google Cloud
  
  Learn how this collaboration strengthens Amadeus' multi-cloud approach and AI innovation to improve efficiency, reliability and growth in travel.
  Read more
Resources
- Trending Topics
- Connected journeys: How will technology transform travel in the next decade?
  
  From AI-driven planning and biometric check-ins to smarter disruption management.
  Read the report
- Six travel trends that will redefine how we travel in 2026 and beyond
  
  Amadeus, in collaboration with Globetrender, unveils the tech, policy and innovation coming to transform the face of travel.
  Discover now
Company
- About Amadeus
  - About us
  - Leadership
  - Awards
  - Locations
- Careers
- Innovation
- Sustainability (ESG)
  
  Learn how we’re working to make travel a force for good.
- Amadeus Global Report 2024
  
  Get an overview of our company in 2024 from a business, financial and sustainability perspective.
  Access report
- Latest financial results
  
  Amadeus published its financial results for Q3 2025.
  View the results

Security policy

Last updated - March 2025

Introduction

Information is at the core of Amadeus business. It determines its success, as the leading provider of IT services to the travel industry, and it serves marketing, sales, distribution and operational needs.

This requires the protection of processes, services (and their underlying assets: applications, platforms, infrastructures, including networks, etc.) and information (e.g., company proprietary data, customer data, data provided by the customer) in the following 3 security dimensions:

Confidentiality: Ensuring information access and disclosure to only authorized individuals and parties.
Integrity: Maintaining the accuracy and completeness of information and its processing methods.
Availability: Access to information and systems treating it by its authorized users when required.

Within Amadeus, information security activities follow a risk-based approach, with a focus in priority on critical assets. Adequate protection of critical assets, in compliance with applicable laws, regulations and contractual obligations are essential for Amadeus to maintain the trust & confidence relationship with our customers.

In order to ensure a systematic and coherent approach, Amadeus has established an Information Security Management System (ISMS), that includes a set of Security Policies and Standards (SPS) to comply with.

Amadeus Policies and Standards

The Amadeus Security Policies and Standards (SPS) addresses the following areas:

Information Security Management System
Organization of information security
Human resources security
Information classification and asset management
Access control
Cryptography
Physical and environmental security
Operations security

9. Communications security

10. System acquisition, development and maintenance

11. Supplier relationship

12. Information security incident management

13. ICT Business Continuity security

14. Compliance

15. Acceptable Use Policy

The SPS is reviewed on a regular basis and in case of major events.

Amadeus information security objectives

The Amadeus Security Strategy is built around nine key security objectives:

Risk based approach

Security risks affecting Amadeus owned & managed assets are identified, assessed, evaluated and treated through a consistent methodology, in order to be able to compare them and to achieve a risk level in line with Amadeus risk appetite.

Visibility via monitoring and compliance

Monitoring and periodical audits are performed to ensure applicable security policies, standards, controls and processes are effectively implemented and maintained across Amadeus units and sites. Necessary actions for compliance improvement are defined, approved and implemented.

Security addressed by suppliers

Amadeus owned and managed assets that are administrated and/or accessed by third party suppliers are properly protected according to security requirements in contract and regular monitoring.

Security by design

Security is embedded from the start in a systematic manner. It applies to all layers (physical, infrastructure, platform, application) for all Amadeus assets. Amadeus Products follow the Staged Gates and Secure Development Lifecycle methodologies

Security resilience and incident response

Effective response to zero-day vulnerabilities, security alerts and incidents with adequate recovery capabilities.

People centric security

Amadeus employees and contractors are aware and accountable of their security roles and responsibilities (which might include delegation of authority) and have the necessary security competences for their job function (e.g., awareness & training on applicable security policies and standards).

Secure cloud solutions

Cloud-hosted assets owned or managed by Amadeus are protected in line with Amadeus' risk appetite while maintaining compliance with applicable legal, statutory, regulatory and contractual requirements.

Data security governance

Security processes, access and protection mechanisms to confidential data are developed and implemented according to applicable legal, statutory, regulatory and contractual requirements.

Security services for customers

Raise the security of the industry ecosystem by offering and delivering our security expertise (platform & consultancy based) to our customers.

Amadeus Corporate Information Security Charter

Overview

Amadeus Corporate Information Security Charter, signed by the company’s CEO, General Counsel, CTO, and Group CISO, defines the philosophy of information security within Amadeus.

It represents the endorsement of Amadeus' executive management team, and identifies the motivation for information security, describes information security principles and terms. It more specifically supports “security policy governance” and provides the empowerment related to definition and maintenance of Amadeus security policies and standards.

The charter gives authority to the Group CISO to ensure that appropriate security controls are in place and enforced throughout the enterprise, and to request the appointment of security representatives in Regions, Business Units and Domains.

Content

Objective — Amadeus recognizes that information and IT assets are critical business assets. It is the responsibility of all users to ensure the safeguarding of business assets. Amadeus implements, maintains and monitors a comprehensive corporate information security policy and compliance program appropriate to:

The risks of the business
Generally accepted information security practices
Applicable legal and regulatory requirements

Motivation — Amadeus values the ability to openly communicate and share information. Amadeus information (whether belonging to Amadeus or held in trust on behalf of its customers and business partners) is an important asset that shall be protected according to its value and the degree of damage that could result from its misuse, unavailability, destruction, unauthorized disclosure or modification. Improper disclosure or destruction of these assets may result in harm to the business. Information assets are identified, valued, assessed for risk and protected as appropriate to the needs and risks of the business. Users are required to abide by this Corporate Information Security Charter and subsequent policies and procedures.

Principle Goals — Information security is a risk management discipline addressing the preservation of information confidentiality, integrity and availability. The information security effort is established via a hierarchical set of policies, standards, and procedures that help users and administrators to define and mitigate risks, maintaining a trade-off between information value and cost of risk mitigation. Policies are high-level requirements documents used to put information security principles into practice. Standards define the actual controls (specific behavior and actions) to be followed and enforced to satisfy the policies. Procedures are specific and prescriptive documents containing a series of related activities aimed at achieving a set of objectives in a measurable and repeatable manner.

Principle 1 — Information security policies, standards, and procedures are developed to communicate security requirements and guide the selection and implementation of security control measures.
Principle 2 — Personal accountability and responsibility for information security are incorporated in roles and responsibilities that ensure that every individual applies the applicable information security policies and principles, standards, procedures and practices in their daily work-related activities.
Principle 3 — Information security education, training and awareness programs ensure that users are aware of security threats and concerns and are equipped to apply organizational security policies and principles.
Principle 4 — Information assets are classified according to their criticality to the organization enabling an appropriate level of protection.
Principle 5 — Information assets are to be used for the intended business purpose only.
Principle 6 — Legal, regulatory and contractual requirements are identified, documented and followed.

Scope — It is intended that information is protected in whatever form, including, but not limited to, paper documents, electronic data and the spoken word. Information should be protected while at rest and when it is handled, transmitted or conveyed. IT assets include all devices and hardware/software components of the IT infrastructure, applications and data stores, encompassing on-premises, virtual, and cloud IT environments.

Action — All employees and contractors have a responsibility to report suspected security failures or policy violations.

Roles and Responsibilities

Executive Management - Amadeus Corporate Information Security Charter, signed by the company’s CEO, General Counsel, CTO, and Group CISO, defines the philosophy of information security within Amadeus.
Information Security Leadership - The Group CISO (Chief Information Security Officer) is responsible for ensuring that appropriate security controls are in existence and in force throughout the enterprise. The Group CISO is responsible for determining methods of implementing and enforcing security policies and for advising the enterprise on security-related issues. The leader ensures, in particular, that information security awareness is increased, and audits are performed and reported regularly. The Group CISO appoints and manages suitably skilled people to staff information security teams as deemed appropriate, and the Group CISO has the authority to request the appointment of security representatives in business units.
Security Policy Governance - Security policy governance is provided by a multidisciplinary group that reviews and endorses information security policy objectives and strategies. They agree to the roles and responsibilities for information security across the enterprise as defined in specific policies. They visibly promote and provide business support for information security initiatives throughout the enterprise. The governance group is led by the information security leader and includes representatives from all major business units.
Enforcement - Any violation of this policy will be subject to disciplinary action, up to and including termination of employment.

For U.S. residents:

Please refer to ourUnited States Supplemental Privacy Noticefor additional information applicable to individuals residing in the United States.