Security
Last updated: May 22, 2026
Samba handles bookings and payments for tour operators. We take security seriously because we have to — your business and your travelers depend on us getting this right.
This page describes what we do today. We don't have formal certifications like SOC 2 or ISO 27001 yet, and we'd rather tell you that honestly than pretend otherwise. What follows is what's actually in place.
Hosting and infrastructure
Samba runs on Laravel Cloud for the application and Vercel for our marketing site, both with EU-region hosting. Our database and application servers are managed services with infrastructure-level security maintained by our hosting providers.
All traffic to and from Samba is encrypted with TLS 1.2 or higher. Data at rest is encrypted using industry-standard encryption (AES-256 or equivalent) by our hosting providers.
Payments
Samba never sees or stores raw card numbers. All payments are processed by Stripe, which is PCI DSS Level 1 certified. Samba's PCI DSS scope is limited to SAQ A: cardholder data entry is redirected to Stripe's infrastructure, so card data never passes through Samba's servers.
Authentication
Operators authenticate using:
- Email + password (passwords are stored only as salted hashes produced by a slow, modern password-hashing algorithm; we never store plaintext passwords)
- Two-factor authentication (optional but recommended)
- Sign in with Google (single sign-on)
We don't have plaintext access to your password. Password reset is handled via secure, time-limited links sent to your verified email address.
Travelers access their booking portal via time-limited magic links sent to the email address used at booking. No password to manage, nothing to leak. Because the link itself is the credential, keeping it short-lived limits the exposure if an email is forwarded or a mailbox is compromised.
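The time-limited links described above (password reset and traveler magic links) rely on the same three properties: the token is unguessable, the server stores only a hash of it, and it stops working after a deadline or after first use. The following is an added illustration written for this page, not Samba's own code; the 15-minute lifetime, the single-use rule, the SHA-256 storage scheme and the portal hostname are assumptions, since the page only says the links are "time-limited".

```python
"""Time-limited, single-use magic links (illustrative; not Samba's implementation)."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Assumed lifetime; the page only says the links are "time-limited".
TOKEN_TTL_SECONDS = 15 * 60


def _digest(token: str) -> str:
    """Hash the raw token so the database never holds a usable link."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class MagicLinkStore:
    """In-memory stand-in for a database table of issued links (assumed schema).

    Keys are token digests, so a leaked backup or DB dump does not yield
    working links.
    """
    records: dict = field(default_factory=dict)  # digest -> {email, expires_at, used}

    def issue(self, email: str, now: Optional[float] = None) -> str:
        """Create a token for `email`; the raw token goes only into the e-mail body."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.records[_digest(token)] = {
            "email": email.strip().lower(),
            "expires_at": now + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the e-mail a token was issued for, or None if the token is
        unknown, expired, or already used. A token is consumed on first success."""
        now = time.time() if now is None else now
        key = _digest(token)
        # Lookup is by the SHA-256 of a 256-bit random value, so equality
        # timing on the key gives an attacker nothing useful.
        rec = self.records.get(key)
        if rec is None:
            return None
        if now >= rec["expires_at"]:
            self.records.pop(key, None)  # drop expired rows; nothing to keep
            return None
        if rec["used"]:
            # Keep the row: a replay of a consumed link is worth logging,
            # since it usually means the e-mail was forwarded or intercepted.
            return None
        rec["used"] = True
        return rec["email"]


def portal_url(token: str) -> str:
    """Build the link placed in the e-mail (hostname is an assumption)."""
    return f"https://portal.example.invalid/booking?token={token}"
```

The same structure serves password reset: the only difference is what a successful redemption authorises (a password change rather than a portal session).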
Access controls
Production data access today is limited to Samba's founding team. As we grow, access will be role-based, granted on a least-privilege principle, and logged.
We don't share production credentials with vendors, contractors, or anyone outside Samba. Access to subprocessor systems (Stripe, hosting providers, etc.) follows the same principles.
Backups and resilience
Database backups are managed by Laravel Cloud with automated daily snapshots. We test our ability to restore from backup periodically.
In the event of a serious outage, our priority is restoring service quickly and communicating clearly with affected operators.
Vulnerability management
- Dependency monitoring: we use automated tooling to track vulnerabilities in our software dependencies and apply patches promptly.
- Application security: we follow standard secure development practices, including input validation, parameterized queries, output encoding, and protections against common web vulnerabilities (OWASP Top 10).
- Responsible disclosure: if you believe you've found a security issue in Samba, please email security@sambahq.com. We'll respond promptly, investigate, and credit researchers who report issues responsibly.
We do not currently run a paid bug bounty program, but we welcome security reports and take them seriously.
Incident response
If a security incident occurs that affects personal data, we will:
- Investigate and contain it as quickly as possible.
- Notify the relevant supervisory authority within 72 hours of becoming aware of it, as required by GDPR Article 33.
- Notify affected operators (and, where required, traveler data subjects) without undue delay.
- Provide a clear explanation of what happened, what data was affected, and what we're doing to prevent recurrence.
Data location and retention
Operator and traveler data is stored in the European Union. Some subprocessors (notably Stripe and Google Analytics) operate from the US under appropriate safeguards. See our Privacy Policy for the full list of subprocessors and how international transfers are handled.
Data retention is documented in our Privacy Policy. In short: we keep data only as long as needed to deliver the Service and comply with legal obligations.
Subprocessor security
We use a small number of vendors to operate Samba. Each is selected with security in mind. The current list is published in our Privacy Policy.
Reporting a security concern
If you spot something that looks wrong (a security vulnerability, suspicious account activity, anything that worries you), please email security@sambahq.com.
We read every report and respond as quickly as we can.
Honest disclosure
We're a small, independent company. Our security program is appropriate for our current scale, and it will grow with the business. We'd rather earn your trust by being straight with you about where we are than by overstating things.
If you have specific security or compliance questions — your own risk assessment, vendor due diligence, anything else — email us at security@sambahq.com and we'll answer directly.