Trust Center

Governance, Risk & Compliance

How IncentiveTrips is governed, how we manage risk, and how we stay compliant — written plainly, for the partners and platforms that need to know.

Last updated July 5, 2026

Governance

Corporate

IncentiveTrips is operated as a property of Woodring Ventures. Ownership and accountability for the business, its data, and its editorial standards rest with the company’s leadership.

Editorial governance

Editorial and commercial functions are kept distinct. Rankings are produced under published methodologies; commercial relationships never alter organic scores. Sponsored and promoted content is labeled and separated. Affiliations that could present a conflict — such as our founder’s industry ties — are disclosed on the relevant pages.

Data governance

We practice data minimization (collect only what a feature needs), purpose limitation (use it only for that feature), and defined retention. A current list of subprocessors is maintained in our Privacy Policy.

Risk management

  • Data & privacy risk — mitigated by minimization, access controls, encryption, and honoring deletion requests.
  • Security risk — reduced by using managed, audited infrastructure, isolating secrets, and least-privilege access to production.
  • Payment risk — fully outsourced to Stripe; card data never touches our systems.
  • Editorial & reputational risk — managed through published methodologies, clear labeling, disclosure, and a right for organizations to submit verified data.
  • Vendor risk — we rely on established providers (below) and limit the data each one processes to its function.

Compliance

Privacy laws

We align our practices with the EU/UK GDPR and the California CCPA/CPRA, including rights of access, deletion, correction, and portability, and a commitment not to sell personal information. Requests are handled per our Data Deletion process.

Payment security

Payments are processed by Stripe, a PCI-DSS Level 1 certified provider. IncentiveTrips does not store or transmit raw cardholder data.

Platform compliance

Where we integrate third-party platforms, we adhere to their terms — including the Meta Platform Terms and Developer Policies for any connected Facebook or Instagram account. Platform Data is used only to deliver requested features and is never sold.

Security controls

ControlPractice
EncryptionTLS in transit; encryption at rest via infrastructure providers
AuthenticationManaged auth with hashed credentials (Supabase)
Access controlLeast-privilege access to production; service-role keys server-side only
SecretsStored in encrypted environment configuration, never in source code
PaymentsPCI-DSS Level 1 processing by Stripe; no card data on our systems
Data isolationRow-level security enabled; public and privileged data separated

Subprocessors

Vercel (hosting), Supabase (database, auth, storage), Stripe (payments), Resend (email), Meta Platforms (Facebook/Instagram, when connected), Anthropic (AI features), and Google/SerpAPI (public ranking data). See the Privacy Policy for purposes.

Reporting a concern

To report a security issue, data concern, or compliance question, email security@incentivetrips.com. We acknowledge reports promptly and investigate in good faith.

© 2026 IncentiveTrips · A Woodring Ventures propertyIndependent trade media for corporate incentive travel · hello@incentivetrips.com1% of revenue to carbon removal, via Stripe Climate