Cyber Security

Cyber Security

theklicker has put in place technical and organizational measures to ensure that we maintain IT security across operations at theklicker. An overview of some of the technical and organizational measures theklicker has implemented are listed below.


As of July 10th, 2022, theklicker is compliant with the EU’s General Data Protection Regulations (GDPR). theklicker has undergone the appropriate measures to be compliant. You can find more details in our privacy policy.

IT Security policies

theklicker has established written IT Security Policies to give guidance on various areas of IT Security. Further technical and organizational measures are contained in these policies, and they are based on best practice and international standards, e.g., ISO27k1 and NIST. These policies are regularly reviewed and take into account, among other things, the state of the art and risks faced by trivago so as to provide adequate IT Security which protects against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed at theklicker.

Vendor assessments

theklicker ensures a high level of IT Security across its operations by choosing vendors which are ISO27K1 certified or SOC certified for critical vendors or vendors which can provide an otherwise equally high level of IT Security.


theklicker’s Cloud Computing storage is encrypted by default. The key management sovereignty is held within trivago and cannot be accessed by third parties.
theklicker’s workstations and laptops are encrypted to protect from data theft. Encryption and decryption are centrally managed by the IT Support Team.

Penetration testing

theklicker conducts penetration testing by third-party experts once a quarter throughout all customer-facing systems. Results and issues are logged, assessed, and are managed centrally by the Incident and Response Team.

Vulnerability disclosure program

theklicker offers a bug bounty program to attract hackers to find IT Security bugs in theklicker’s products with the goal to continually improve the level of IT Security of theklicker products. If you would like to participate in this program, please send an email to


theklicker makes use of network segmentation supported by state-of-the-art firewall technologies for on-premise systems as well as cloud systems.

DDoS attack prevention

theklicker makes use of extensive services that prevent and mitigate DDoS attacks.

Pseudonymization or anonymization

Where possible, theklicker has automated pseudonymization or alternatively anonymization processes in systems handling personal data.

Access control

theklicker has processes and procedures for access control, including on- and offboarding of employees as well as granting, revoking, and reviewing user access rights. User access rights are centrally managed in the Active Directory. Every user retrieves a unique user account; shared user accounts are prohibited.
Physical access controls are realized via ID-badges. The details of visitors to theklicker offices are recorded and visitors are provided with least-access ID-badges. Offices are supervised 24/7 by trained security personnel.

Need-to-know restrictions

theklicker’s rights management system corresponds the Least-Privilege Access principle where users receive the least possible set of privileges on a computer system necessary to execute their responsibilities.

Segregation of duties

theklicker’s software operation pipelines include the segregation of duties to effectively prevent software engineers from publishing and committing code changes without the review of colleagues.
To further improve code quality, theklicker implemented two testing stages prior to production environment. theklicker user personal data is only available on production level systems and restricted to non-human access.

Awareness and training

theklicker continually trains its staff. Courses are updated regularly to cover individual learning objectives and trivago has compulsory baseline knowledge areas such as IT Security and Data Protection.


All contracts with theklicker employees and freelancers working for theklicker include confidentiality provisions. theklicker makes extensive use of non-disclosure agreements to ensure that confidentiality is maintained when working with third parties.

Incident response

theklicker has an incident response team which consists of members from the following three organizational teams:

  • Legal Team and Data Protection Officer
  • IT Security Team
  • Incident Team


All incident reports, penetration test results, and bug bounty submissions are centrally assessed, documented, tracked, and monitored.

How to contact us

We take IT Security seriously. If you have any additional questions that aren’t answered above or by the theklicker help center, please email and we’ll reply as quickly as we can.

For complete information, you may also want to review the following: