Certification Policy

This “Certification Policy” sets forth the processes and procedures that the Parties will follow to permit and validate connections between any Subscription Service and any Customer Licensee or third-party system (e.g., API, SFTP) (such validated connection, a “Certified Connection”). This Certification Policy also sets forth the terms and conditions governing Customer’s and its third parties’ use of Connections (as defined below).  For clarity, all references herein to Customer may apply to or include each applicable Customer Licensee.

Capitalized terms used herein but not defined will have the meaning assigned to them in the governing agreement between Amadeus and Customer (“Agreement”). If there is any inconsistency between this Certification Policy and the Agreement, the Agreement will control.

1.       General.   All connections between any Subscription Service and any Customer, Customer Licensee or third-party system must be validated as a Certified Connection by Amadeus in its sole discretion, in accordance with the terms hereof.  No other connections are permitted to be made, directly or indirectly, to any Subscription Service, whether by Customer, a Customer Licensee, a User or any third party.

2.       Definitions. The following definitions shall apply to this Certification Policy:

    1. “Amadeus Data” means any Data owned or licensed by Amadeus under the Agreement.
    2. “APIs” means the application programming interface which enables Data to be called or transferred between Amadeus’ systems and non-Amadeus systems.
    3. “Connection” means any API and non-API connection (including but not limited to SFTP and data extract), which enables Data to be called or transferred between Amadeus’ systems and non-Amadeus systems.
    4. “Customer Subcontractor” means a third-party developer, consultant or other third party hired by Customer and approved by Amadeus to develop to or otherwise assist in the development or testing of the Connections.
    5. “Certification” means Amadeus’s standard process to validate connections between a Subscription Service and a Customer or third-party system, as described in more detail in Section 3 (Certification) below.
    6. “Data” means any data, including images, text or other information, passed to or from Connections.
    7. “Development” means the code and software which directly or indirectly interacts with the Amadeus systems, or the Connections developed by Customer or its third parties in accordance with the terms of Section 4 (General Terms and Conditions) and Section 5 (Third Party Systems).
    8. “Intellectual Property” or “IP” means any and all patents, utility models, registered and unregistered trade and service marks, registered designs, unregistered designs, trade and business names, domain names, copyrights and moral rights, object code or source code, database rights, inventions, know-how, trade secrets, and other Confidential Information, and all other intellectual property of a similar or corresponding character, whether or not registered or capable of registration and whether subsisting in any country, territory, or part of the world together with all or any goodwill relating thereto.
    9. “Law” means any statute, regulation, by-law, ordinance or subordinate legislation in force from time to time to which a party is subject, or any court order, judgment or decree that is binding on a party.
    10. “PCI DSS” means the Payment Card Industry Data Security Standard as published and mandated by the PCI Security Standards Council, including any change, consolidation, replacement, enactment or extension of such standard.
    11. “Third Party” means a provider of a Third-Party System.
    12. “Third Party System” means any third-party system, including any Third Party Offering, that connects to a Subscription Service.

3.       Certification.

a.       Certification Required.  For each Development, Customer must request Certification from Amadeus in writing. Customer agrees to pay for all fees and costs, if any, related to Certification by Amadeus, including Certification for a Third-Party System.

    1. Certification may also be required for Developments previously certified by Amadeus that are modified by Customer or its third parties. Customer and/or Customer Subcontractor will provide information regarding any modification, and Amadeus will advise whether an additional Certification is needed.   Modifications that only affect the functional layers of the Development may not require Certification if, in Amadeus’s determination, the modifications do not impact Amadeus systems.

b.       Certification Process.  Customer will adhere to the following high-level process to achieve Certification for any Connection:

    1. Request and Approval.  Customer will request and obtain Amadeus’ approval of the proposed Connection and each Customer Subcontractor or Third Party involved therewith;
    2. Contract Execution & Requirements. Each third party will execute all required contracts (including a non-disclosure agreement) and provide all required information as further set forth below;
    3. Access.  Each third party is granted access to the API Portal and/or other appropriate Documentation; and
    4. Development and Testing.   Customer and its third parties will develop and test the Development.  The Parties will test the Development to confirm it complies with Amadeus’ Certification standards. If Amadeus provides Customer with notice specifying the standard(s) (i.e., acceptance criteria) that the Development did not meet, Customer (or its third party, as applicable) shall correct the Development to meet such acceptance criteria and resubmit the Development for Certification to Amadeus. Any resubmission may be subject to additional fees.

c.       Certification Requirements.  To obtain Certification, Customer, Customer Subcontractor and/or Third Party, as applicable, must timely provide, conform to, and/or otherwise agree to the following requirements, which may be specified in more detail by Amadeus:

      1. limit the integration to versions of the integrated Connection specified by Amadeus;
      2. provide appropriate sample payloads of the Connection messages;
      3. provide documentation reasonably requested by Amadeus, including a field level mapping document of the sample payloads;
      4. identify fields containing personally identifiable information within the sample payloads;
      5. document in reasonable detail the use cases the integration will support;
      6. provide appropriate resources to partner with Amadeus on development of test cases and a test plan;
      7. provide appropriate resources to document the activation and deactivation flows to onboard and disable a user of the integration;
      8. accept Amadeus’s definition of L1, L2, L3 support for the Amadeus side of the integration and define and demonstrate its own L1, L2, L3 support model that is reasonably acceptable to Amadeus;
      9.  provide a response time SLA reasonably acceptable to Amadeus to address issues that arise across the integration;
      10. provide appropriate resources to document the troubleshooting steps between Amadeus and Customer (or Customer’s third party) when issues arise across the integration;
      11. provide appropriate resources to mutually define and document with Amadeus an escalation & notification path, including a RACI matrix of ownership for support, product and development;
      12. confirm the Connection conforms to Amadeus’s security and data privacy requirements and promptly participate in a security assessment when requested by Amadeus;
      13. provide appropriate resources to mutually develop with Amadeus a lifecycle management plan for the integration, including management of any deprecation of such integration;
      14. mutually define with Amadeus and comply with a mutual break/fix change control process and communication protocol;
      15. provide a good faith estimation of anticipated volume and velocity of Connection calls;
      16. mutually agree on performance levels;
      17. agree to and comply with expectations for re-certification, including upon Connection version changes;
      18. partner with Amadeus to functionally test the integration end to end; and
      19. support up to three Pilot implementations of the integration as part of the Certification process as requested by Amadeus.

4.       General Terms and Conditions

a.       Generally. This Section 4 applies to access and development to one or more Connections by Customer or its third parties, including but not limited to Customer Subcontractors and Third Parties (as defined below), to enable Customer to transfer Data to and/or from the applicable Subscription Service.

b.       Licenses and Restrictions.

    1. Subject to the terms and conditions set forth in this Certification Policy, including Section 4, Amadeus hereby grants to Customer a limited, nonexclusive, non-transferrable, revocable license (with the right to sublicense only to Amadeus-approved Customer Subcontractors in accordance with the terms of this Section 4) to access and develop to the Connections during the term of the Agreement.
    2. Customer understands that this license is subject to the following restrictions with which Customer agrees to comply:

1.       Customer may only use, and may only allow Customer Subcontractors to use, the Connections for internal development of a connection between Customer systems and Amadeus systems for Data sharing;

2.       Customer will not connect, and will not allow any Customer Subcontractor to connect, any third-party system to APIs or Amadeus’s systems without Amadeus’s prior written consent, which will be provided in Amadeus’s sole discretion;

3.       The Connections and the Amadeus API portal will only be accessed and used by authorized Customer employees or employees of Amadeus-approved Customer Subcontractors. Customer may not provide access to any third party, including a Customer Subcontractor, without the prior written consent of Amadeus;

4.       Neither Customer nor a Customer Subcontractor may use the Connections or the Amadeus API portal for a purpose not intended for that environment (e.g., Customer or Customer Subcontractor may not use the sandbox or testing environments for production purposes or penetration or similar testing purposes);

5.       Customer or a Customer Subcontractor may only obtain and push Customer’s own Data via Connections and only in accordance with Amadeus’s authorization to Customer and Customer’s authorization to such Customer Subcontractor; and

6.       Before permission or access to the Connections is granted to any Customer Subcontractor, Customer must comply with the terms of Section 4(c).

c.       Customer Subcontractors.

    1. Customer may sub-license its right to access and develop to the Connections to a Customer Subcontractor for the sole purpose of development of an interface between Customer’s systems to Amadeus systems for internal Data sharing, subject to the following terms and conditions:

1.       For each Customer Subcontractor, Customer must send a written request (email acceptable) to Amadeus whereby it notifies Amadeus of (i) the proposed Customer Subcontractor, (ii) the Connections to which Customer wishes the Customer Subcontractor to be permitted access, and (iii) the nature, purpose and scope of such Customer Subcontractor’s intended development and activities using the Connections and the Amadeus API portal. Such written notice shall serve as Customer’s explicit authorization to provide the referenced Customer Subcontractor with access to the Connections and the Amadeus API portal once such Customer Subcontractor has executed all documentation required by Amadeus. For clarity, Customer may not sub-license or disclose the Development or Connections or give access to the Amadeus API portal until Amadeus countersigns the Amadeus NDA and the Vendor API Access Agreement (defined below).

2.       Amadeus will notify Customer in the event it withholds its consent to Customer’s request.

3.       If Amadeus consents to the request, Customer will be responsible for ensuring that each Customer Subcontractor signs:

a.       an Amadeus non-disclosure agreement (“Amadeus NDA”), which will be provided by Amadeus upon request prior to and as a condition precedent to such Customer Subcontractor being granted access to the Amadeus API portal, and

b.       an agreement in a form to be provided by Amadeus (“Vendor API Access Agreement”) upon Customer’s request, which must also bear the countersignature of Customer, such signature to serve as authorization to Amadeus to commence Certification and to share Data through the Connection with the Customer Subcontractor.

4.       Customer will ensure that Customer Subcontractor does not, without the prior written approval of Amadeus, (i) resell or sublicense the Connections or the Amadeus API portal, or (ii) license or use the Development for its own benefit or the benefit of any party other than Customer or other customers of the Amadeus Subscription Service(s).

5.       Use of the Connections or the Amadeus API portal by a Customer Subcontractor shall be deemed in all respects as use of the same by Customer, and Customer shall remain responsible and liable toward Amadeus for any breach of the terms of this Certification Policy or the Vendor API Access Agreement caused by or attributable to Customer Subcontractor. Amadeus reserves the right to suspend or terminate Customer’s right to sub-license to a Customer Subcontractor and the Vendor API Access Agreement, with immediate effect, in the event Customer or a Customer Subcontractor defaults on the terms of the sub-license, this Certification Policy, the Vendor API Access Agreement or any other agreement between Customer and Amadeus or the Customer Subcontractor and Amadeus.

6.       Customer understands and agrees it is solely responsible for all costs and expenses of Customer Subcontractors and is responsible for Customer Subcontractors’ failure to pay any fees owed to Amadeus pursuant to the Vendor API Access Agreement.

d.       Additional Terms of Use

    1. Customer will notify Amadeus reasonably in advance of any plans, projects, events or activities that are reasonably likely to result in excessive or irregular resource usage of Connections.
    2. Amadeus reserves the right to withhold access to the Connections if such access would present a material adverse effect on Amadeus.
    3. Amadeus may turn off or limit certain features and functionalities of Connections to any party (including Customer) at any time and for any reason. Customer understands and agrees that Amadeus: (i) controls in its sole discretion access to each aspect of the Amadeus API portal and environment (e.g., sandbox, testing, production); (ii) has the right to control, in its sole discretion, access to the Connections, Amadeus systems and Subscription Services; and (iii) may, in its sole discretion, slow the processing of the call or push of Data that may in its opinion cause excessive resource usage, and Amadeus may impose volume restrictions from time to time in Amadeus’ sole discretion and/or charge Customer fees for excessive usage of Connections.   Amadeus will use commercially reasonable efforts to notify Customer in the case of temporary message blocking or processing speed limitations being applied.
    4. Customer acknowledges and agrees that Amadeus will not be responsible for the implementation, maintenance and/or support of any Development. Customer, Customer Subcontractors or Third Parties, as applicable, are responsible for the implementation, maintenance and support of any Developments.
    5. Customer acknowledges and agrees that (i) Amadeus shall have no liability with respect to the provision or use of the Connections to Customer, any Customer Subcontractor, any Third Party or any Development or application, software or services that uses the Development; and (ii) Developments may not be used by Customer, a Customer Subcontractor or a Third Party for the purpose of providing access to the Amadeus systems to any third party without Amadeus’s prior written consent.
    6. Notwithstanding anything to the contrary in the Agreement, Amadeus’ Service Levels exclude any unavailability or additional response time related to (i) processing non-Native messaging (e.g., message transformation, protocol adaptation and code mapping), (ii) tokenization of credit card, PII or other data, or (iii) any dependency on a Customer or Customer third parties (including but not limited to Third Parties and Customer Subcontractors).

e.       Additional Customer Obligations.

    1. Customer will, at its sole cost and expense, develop to the Connections in accordance with Amadeus requirements and is responsible for any costs of provisioning the network connection up to the relevant point of connection (i.e., Amadeus data center(s)), including upgrades to bandwidth, network switches and routers. Customer also agrees that it will, at its sole cost and expense, develop and implement the system capabilities to support any changes or enhancements to the Connections within one hundred and twenty (120) days of written notification by Amadeus.
    2. If any development needs to be performed by Amadeus to enable Certification, and Amadeus agrees in its sole discretion to perform such development, Customer will pay the applicable costs to Amadeus.
    3. Customer will comply, and will ensure Customer Subcontractors and Third Parties comply, with: (i) user instructions communicated by Amadeus in relation to Certification, interfaces, or use of environments; (ii) any Connection limits of use (including functional limits of transactional volume limits) set by Amadeus; and (iii) any Connection versioning requirements, including upgrading to the supported Connection version, when required by Amadeus.
    4. Customer represents and warrants that (i) Customer, Customer Subcontractors and Third Parties will comply with all applicable Laws (including antitrust laws) and PCI DSS requirements and (ii) if Customer processes cardholder data, Customer will maintain PCI level 1 certification and will only use PCI Level 1 certified vendors and upon request will provide Amadeus with copies of all relevant certifications.
    5. If Customer has experienced or suspects or has any reason to believe that it (or its third parties, including Customer Subcontractors and Third Parties) has experienced a data or security breach of any kind, Customer will immediately provide written notice to Amadeus at infosec@Amadeus.com with a copy to Hospitality.Legal@amadeus.com.
    6. Neither Customer nor Customer Subcontractor nor Third Parties will transmit any virus, malicious code, time-bomb or other harmful code to Amadeus.
    7. Customer represents and warrants that it has all rights to provide or request the Data transmitted or accessed via the Connections.
    8. Customer represents and warrants that all development to the Connections and all other actions pursuant to this Certification Policy will not violate any intellectual property rights of Amadeus or any third party.
    9. Customer will, and will ensure that its third parties, including Customer Subcontractors and Third Parties, use the Amadeus systems through the Connections solely in accordance with the terms of this Certification Policy and the Acceptable Use Policy and shall avoid any acts or omissions that may damage the interests of Amadeus. Customer will and will ensure its third parties, including Customer Subcontractors and Third Parties, take all precautions necessary to prevent unauthorized access to the Amadeus systems and to prevent the introduction of any viruses into the Amadeus systems through its use of the Connections.
    10. Breach of Customer’s obligations under this Section will be deemed a breach of the Agreement. Customer agrees that Amadeus may immediately suspend access to any integration between Customer or a Third-Party System and the Subscription Services in the event of such breach and terminate such integration if the breach is not cured within thirty (30) days of notice (“Integration Termination Right”). Customer understands and agrees that Amadeus’ exercise of the Integration Termination Right will not affect any other obligations in the Agreement. For clarity, the exercise of the Integration Termination Right will not change Customer’s payment obligations or the term of the Agreement.
    11. Customer agrees to be solely responsible and liable for all acts and omissions of its employees, contractors and vendors accessing or using the Connections or the Amadeus API portal or otherwise accessing or using the Data therefrom. Customer agrees to have the same liability for such parties as it does with respect to its own acts and omissions.

f.        Intellectual Property.

    1. Amadeus and its third-party licensors own and will own all right, title and interest to Amadeus’s Intellectual Property, including but not limited to the Connections, Amadeus API portal, all Amadeus services and systems, Amadeus data, all specifications, documentation, requirements, and other information related to Connections.
    2. Customer, Customer Subcontractors and Third Parties shall not: (a) remove or alter any copyright notices or other proprietary legends contained in any Amadeus IP or related documentation; (b) disassemble, decompile, or reverse engineer any Amadeus IP; (c) use any Amadeus IP in order to develop or operate any product or service competitive with any Amadeus product; (d) use any Amadeus IP to support interfaces between computing devices of functions other than as part of the certified Development; (e) modify, translate, or create any derivative work of any Amadeus IP except as expressly licensed; (f) disclose any portion of the Amadeus IP to any person except to employees and contractors of Customer, Customer Subcontractor or a Third Party who are required to use such Amadeus IP in order for Customer to develop and distribute the Development as expressly licensed; or (g) use any Amadeus IP in violation of any law or regulation. Customer shall promptly notify Amadeus of any known or suspected use of any Amadeus IP in breach of this Certification Policy.

g.       Data Processing.

    1. As between Customer and Amadeus, the Parties’ respective data protection obligations related to Connections shall be as set forth in the Agreement. The data protection obligations of any Customer Subcontractor or Third Party shall be set forth in the respective agreements referenced herein.

5.       Third Party Systems.

a.       General. Section 5 applies to access and development to one or more Connections by a Third Party to enable Customer to transfer Data to and/or from the applicable Subscription Service.

b.       Certification. Each Third-Party System must complete Certification in accordance with Section 3 prior to enabling a connection to a Subscription Service.

c.       Customer Obligations.  With respect to a Third-Party System, Customer shall, in addition to satisfying its other obligations applicable to third parties as set forth in this Certification Policy (including but not limited to Section 4):

    1. request in writing (email acceptable) that Amadeus provide access to the Connections to the Third Party and inform Amadeus of the nature, purpose and scope of the proposed Third-Party System;
    2. enter into a binding connectivity agreement (“Connectivity Agreement”) with the Third Party with all necessary terms, including (i) a data processing agreement to process and transfer among Amadeus, Customer and Third Party applicable personal information of Customer’s consumers, (ii) security obligations obligating such Third Party to secure its computing environments and implement appropriate technical and organizational measures to securely transmit, process, manage and store personal data, and (iii) compliance obligations including requiring such Third Party comply with all applicable data security and privacy laws and regulations;
    3. provide Amadeus with the appropriate credentials issued by the Third Party for implementation;
    4. define the necessary business rules relating to the Third-Party System within the applicable Subscription Service;
    5. where applicable, provide appropriate notice to consumers that the applicable Subscription Service and Third-Party System stores their personal information (e.g., credit card information) on the Customer’s behalf to enable the Customer to process consumers’ reservations, charges and other applicable transactions; and
    6. be responsible for all costs and expenses of its Third Parties and any failure of its Third Parties to pay any fees owed to Amadeus.

d.       Customer Representations.  Customer further acknowledges and agrees that, with respect to a Third-Party System:

    1. Amadeus makes neither a warranty nor a commitment that a Third Party System will be able to perform or support any or all of the purposes for which Data shall be made available and, as between Customer and Amadeus, all the Third Party System and Third Party’s services are provided “AS-IS” and as available through integrations established between Amadeus and the Third Party;
    2. Amadeus is not obligated to Certify or provide access to the Connections to any Third Party determined by Amadeus, in its reasonable judgment, to be a competitor.
    3. Amadeus is not liable in any way to Customer for claims, losses or delays arising from or related to (directly or indirectly) the Third Party’s services or any act or omission by the Third Party, its violation of applicable law or regulation, data or security incidents, or any violation of PCI DSS or other applicable industry standard; and
    4. If there are any liabilities, obligations, damages, penalties, claims, actions, liens, costs, charges, losses or expenses (including, without limitation, reasonable fees and expenses of attorneys, expert witnesses and consultants) arising from or related to (directly or indirectly) the Third Party or the Third Party System, then Customer will pursue the Third Party under its Connectivity Agreement with the Third Party. However, if the Third Party violates law or regulation or PCI requirements or causes or experiences a data breach, then Customer agrees that it will include all costs, expenses and losses of Amadeus in seeking compensation, including but not limited to indemnification, from the Third Party under the Connectivity Agreement.

e.        Additional Terms and Conditions Applicable to Specific Third-Party Systems.

    1. In addition to the terms set forth in this Section 5 (Third Party Systems) above, the following terms and conditions will apply to certain Third-Party Systems, as applicable: https://www.amadeus-hospitality.com/legal/mssa/3P.
    2. In the event of a conflict between this Certification Policy and the service-specific terms and conditions referenced in Section 5(e)(i), the service-specific terms and conditions will control.

Amadeus reserves the right to amend, alter, or modify the Certification Policy at any time. Amadeus may deliver notice of such updated Certification Policy to Customer via e-mail, through the Subscription Services or as otherwise set forth in the Agreement. Customer’s continued access to and use of the Subscription Services following issuance of such updated Certification Policy shall constitute Customer’s acceptance thereof.

Last Updated: January 2026