As a distributor, safeguarding data and ensuring secure integration is not just a technical requirement - it’s a core part of your obligations under the Distribution Licence Agreement. Protecting both your business and the broader tourism network relies on robust security and privacy practices.
Why Security and Data Privacy Matter
Our content is a valuable asset, and the API is a critical channel for delivering that content to your customers. Security breaches, unauthorised access, or data leaks can compromise your reputation, disrupt your services, and put sensitive information at risk. By following best practices, you help maintain trust and ensure compliance with our standards.
Key Security Considerations
To ensure secure and reliable integration with our API, all distributors must follow these best practices:
Implement HTTPS
Always use HTTPS to encrypt data transmitted between your application and the API. This protects sensitive information from being intercepted or tampered with.
Manage API Keys Securely
Keep your API keys confidential. Do not hard-code them in your application code or expose them in client-side scripts. Store them securely in your server environment and restrict their usage to specific IP addresses or environments whenever possible.
Access Controls
Ensure only authorised users and systems can access the API. Implement role-based access and the principle of least privilege.
Logging and Monitoring
Monitor API usage and log all access attempts. This helps detect and respond to suspicious activity or potential breaches.
Encryption
Use encryption to protect sensitive data both in transit and at rest.
Rate Limiting and Throttling
Implement rate limiting to prevent abuse and ensure fair usage for all distributors. This helps protect against denial-of-service attacks and system overloads.
Regular Security Audits
Conduct regular security reviews and vulnerability assessments. Remove outdated or unused APIs (“zombie APIs”) to reduce risk.
Error Handling
Avoid exposing sensitive technical details in error messages. Use generic error responses and log details internally.
Compliance with Standards
Familiarise yourself with ATDW’s distributor guidelines and the Distribution Licence Agreement to ensure your integration remains compliant.
API Key Management
Confidentiality
Your API key is confidential and must not be shared, sublicensed, or used across multiple domains. It is issued for your exclusive use as a registered distributor and is considered Confidential Information under your agreement with ATDW.
Single Domain Use
API keys are authorised for use on a single domain only. Sharing or using your API key on multiple domains is a breach of your licence and may result in access being revoked.
Storage
Store API keys securely on your server, never in public repositories or client-side code.
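The key-handling, HTTPS, and error-handling points above can be combined in one server-side helper. This is an added example, not ATDW code; the environment variable name, the `key` query parameter, and the `api.example.invalid` host used to exercise it are assumptions made for illustration.

```python
import logging
import os
from urllib.parse import quote_plus, urlencode, urlsplit

log = logging.getLogger("distributor.api")

KEY_ENV_VAR = "DISTRIBUTOR_API_KEY"  # hypothetical variable name
KEY_PARAM = "key"                    # hypothetical query parameter name


def load_api_key(env=os.environ):
    """Read the key from the server environment; fail closed if it is absent."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    return key


def build_url(base_url, params, key):
    """Refuse anything but an absolute HTTPS URL before attaching the key."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("API base URL must be an absolute https:// URL")
    return f"{base_url}?{urlencode({**params, KEY_PARAM: key})}"


def redact(text, key):
    """Remove the key, raw or URL-encoded, from text that is about to be logged."""
    for secret in {key, quote_plus(key)}:
        text = text.replace(secret, "[REDACTED]")
    return text


def public_error(exc, url, key):
    """Log the detail internally; return only a generic message to the caller."""
    log.error("API call failed: %s (%s)", redact(url, key), redact(str(exc), key))
    return {"error": "The request could not be completed."}
```

Because the key never leaves these server-side functions, nothing rendered to the browser or written to the access log contains it.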
Data Privacy
ATDW expects all distributors to handle data responsibly and in accordance with privacy best practices. This includes:
Regularly reviewing and updating your security policies.
Implementing robust access controls.
Monitoring and logging all data access and API usage.
Encrypting sensitive data at all stages.
Complying with all relevant privacy legislation and ATDW’s policies.
Practical Integration Tips
Pagination and Size Limits
The API enforces a maximum of 5,000 profiles per page. If you need to access more, implement pagination in your integration. Learn more about size restrictions.
Delta Updates
Use delta updates to retrieve only new or changed data, reducing unnecessary load and improving efficiency.
Support and Documentation
For technical support, integration changes, and best practice updates, visit the ATDW Support Portal.
Non-Compliance
Failure to follow these security and privacy requirements can result in revoked access, reputational damage, and potential legal or financial penalties. The Distribution Licence Agreement outlines your obligations in detail.
Need Help?
If you have questions about security, data privacy, or integration best practices, please contact our support team. We’re here to help you build a secure, reliable, and compliant tourism platform.