Security and Privacy

Protecting your data is the very fabric of our business which is why we have comprehensive security and compliance processes in place.

Our dedicated security & privacy team delivers a security framework that incorporates and aligns to industry best practices such as ISO 27001, NIST and OWASP Top 10 and is constantly evolving with updated guidance and new industry best practices. 

Our approach to security is underpinned by Secure by Default & Defense in Depth principles ensuring that security controls are embedded, frictionless and proportionate in their application.

We’re committed to being transparent about our security practices and helping you understand our approach. 

We seek regular external validation on the
effectiveness of our security controls and is ISO 27001 and
Cyber Essentials certified. 
The scope of our certification encompasses all employees, listed office locations, our owned technology and data assets, and business processes that deliver our associated products and services.

Frequently asked questions

Useful documents

You can be assured HolidayActivities will keep your data safe and meet your compliance requirements.

Security & Vulnerability Disclosure

Maintaining the security of our network and the data we hold is important to us. We actively endorse and support working with the research and security practitioner community to improve our online security.
We welcome investigative work into security vulnerabilities, carried out by well-intentioned and ethical security researchers.

If you believe you have found a security issue, please send your report to us using Initial reports should include a brief description of the type of vulnerability and the system or service this has been found in (e.g. the website address or application name).

Researchers may submit reports anonymously. We may contact you to request clarification on reported security issues, or other technical details to aid in the accurate identification and/or remediation.

We are committed to prompt correction of vulnerabilities. We ask that you refrain from sharing or publishing information about any discovered vulnerabilities for 90 calendar days from receipt of acknowledgment of your report. We reserve the right to request further time before you make any published disclosure.

Regrettably, we can’t offer a paid bug bounty programme. We will, however, make efforts to show our appreciation on our website to security researchers who take the time and effort to improve the security posture of our services.


Our privacy programme was created because we recognise the importance of keeping you informed and in control of any information relating to you as an individual. 

Our privacy team are committed to being as transparent as possible  to help you understand our approach to managing your data.

You can find our Privacy FAQs and DPIA Support sheets below or for further support please contact our DPO on:

Contact us

If you have a DPO / general data query, please get in touch.

Furlong House, 2 King’s Court
Newmarket CB7 8SG

Send us a message