Data Protection & Data Security
Why is data security critical?
Data security is paramount, especially in the context of your app building platform. The platform you choose would be the common link between your products and services, customers, and payments.
The app building platform you subscribe to stores and handles the flow of sensitive information about your business processes and revenue details. This is why the security of the app building subscription platform needs to be exceptionally strong.
Your app building platform occasionally collects payment information (when required) and personal information like shipping addresses, phone numbers, etc. You owe your customers the assurance that their data will be safe, handled ethically, and never shared with anyone without their knowledge or consent.
What does data security mean at Appy Pie?
Customers using our services in the European Economic Area (EEA) would be processing personal data/information of their customers. In providing our service, we do not own, control or direct the use of the information stored or processed on our platform at the direction of our customers; in fact, we are unaware of most of the information that is being stored on our platform. The information is only accessed when it is reasonably necessary to be able to provide the service (including responding to support requests), when authorized by our customers, or when required by law. We act as data processors for our end customers, but as data controllers for those customers from whom we gather data via our platform, for purposes of the European Union (EU) Directive 95/46/EC on Data Protection (“EU Directive”) and the Swiss Federal Act on Data Protection. Our customers from the EEA or Switzerland, who control their customer data and send it to Appy Pie for processing, are the “controllers” of that data; hence it is they who are responsible for compliance with the Directive. To put it simply, it is our customers who are responsible for complying with the Directive and relevant data protection legislation in their respective EEA member state before they send any personal information to Appy Pie for processing.
In our role as processors of personal information on our customers’ behalf, we follow their instructions for the information they control, as long as it complies with our services & functionality. In doing so, we employ industry-standard security, taking technical, physical, and administrative measures against unauthorized processing of such information and against loss, destruction of, or damage to personal information.
Listed below are the major reasons why Appy Pie has to process customer data outside the EU in connection with provision of our services, particularly:
- Customer data is processed within the Appy Pie group i.e. Appy Pie LLC, Appy Pie LLP & Appy Pie Ltd.
- We use multiple third-party cloud providers as part of our architecture for the purposes of logging, billing, and system monitoring. Third party providers for the following are currently based in regions outside the EEA:
  - As the phone feature is not EU specific, the phone data may be stored anywhere
  - Chat feature service providers are based in the US
  - App integrations
  - Third-party payment processor
We work with you to help you send out notices to your customers about what you plan to do with the personal information being collected, and to sign Model Contract Clauses (for data processors) with them to legitimize transfers of personal data from the EU to processors established in third countries, as may be required under the EU Directive.
TRUSTe Privacy Seal
PCI DSS Compliance
The payment gateway used by Appy Pie is PCI DSS compliant. We have entered 2019 with concern and trepidation about data vulnerability, breaches, and leaks. This is why security continues to be a hot topic and a matter of public concern.
Appy Pie takes it upon itself to make sure that its customers’ payment information is protected at all times. Stripe, Appy Pie’s PCI compliant payment processor for billing, requests & retains the customers’ postal address, along with the date of expiry of the credit card and the CVV.
SOC 2 Attestation
Our clients trust our platform enough to let us handle their critical processes like billing, invoicing, and more, and in return we assure them that their interests and their customers’ privacy are valued and protected.
The SOC 2 attestation ensures that SaaS service providers like Appy Pie manage your data securely so that your interests and your clients’ privacy are always protected.
Appy Pie’s SOC compliance is particularly suited for businesses that need to control their financial reporting internally, and to showcase the vendors who have deployed internal controls during audits.
You can get Appy Pie’s SOC 2 report right to your email by clicking here.
ISO 27001 certification is a certification for an information security management system (ISMS) – which is essentially a framework of policies and procedures. It includes all the legal, physical, and technical controls related to an organization’s information risk management process aimed at keeping the information secure.
We are ISO 27001:2013 certified and are committed to identifying risks, assessing their implications, and putting in place systemized controls that inspire trust in all that we do.
Business Continuity Planning with ISO 22301
Business continuity planning is the process of developing systems of prevention and recovery to deal with any perceivable threats to a company.
Appy Pie has ISO 22301 certification for the same and cares about their clients even in times of distress or attack.
EU-US Privacy Shield
Appy Pie is in compliance with the EU-US Privacy Shield as it adheres to the principle of protecting the rights of anyone in the EU whose personal data is transferred to the US while bringing legal clarity and transparency for companies that need to rely on transatlantic transfer of data.
Enforceable since May 25, 2018, GDPR or General Data Protection Regulation is a European data privacy law which replaced the EU Data Protection Directive.
Appy Pie processes all personal data in accordance with the GDPR requirements that are directly applicable to Appy Pie’s services and platform.
Physical and Network Security
Appy Pie has its development center in NSEZ, Noida (India), and sales / support offices in Warrenton, Virginia (USA) & London (UK) & Noida (India). The office is equipped with surveillance cameras and their footage is monitored periodically by authorized personnel. Fire alarms and water sprinklers are in place to detect and mitigate damage in the unlikely event of a fire. Additionally, regular fire drills are conducted by the premises management team to educate the employees about emergency evacuation procedures. The office is equipped with 24×7 power supply, supported by an alternative uninterrupted power supply system to ensure smooth functioning in the event of power failure.
All the apps at Appy Pie are created and hosted on Amazon Web Services & the infrastructure for databases and application servers is managed and maintained by Amazon.
The first layer of protection for the application is provided by AWS’s firewall which is equipped to counter regular DDoS attacks and other network related intrusions. The second layer of protection is offered by Appy Pie’s own application firewall which monitors offending IPs, users, and spam. It is worth noting that all account passwords that are stored in the application are one-way hashed and salted.
Appy Pie uses a multi-tenant data model to host all its applications. Appy Pie services each application through an individual virtual private cloud, and a unique tenant ID is assigned to each customer. The application is engineered and verified to ensure that only the data for the tenant who is logged in may be fetched. It is this strategic design that ensures that no customer can access another customer’s data. Access to the application by the Application development team is also controlled, managed, and audited. Each time the application and the infrastructure are accessed, a detailed log is created, which is subsequently audited.
Being a responsible & respected organization, we are extremely vigilant about protecting our data & keeping our clients’ data secure. The employees of the organization are granted access to the office only after authorization using smart cards and the sensitive areas of the office can be accessed only by authorized personnel.
Vulnerability Scanning & Patching
As a practice, we at Appy Pie check for and apply patches for third-party software/services. In case any vulnerabilities are ever discovered, we apply the fixes with the highest priority. Also, periodic vulnerability scanning is carried out using the services of Alert Logic.
The protection and security of the customers’ data is a serious matter for Appy Pie; hence, it manages the security of its application and customers’ data with sincerity & responsibility. However, provisioning and access management of individual apps created using the platform is at the discretion of individual app owners.
The Development team at Appy Pie does not have access to data on production servers; however, any changes to the application, infrastructure, web content and deployment processes are documented extensively as part of an internal change control process.
Our platform collects limited information about our customers that includes their name, email address and phone, and these details are retained only for account creation. Stripe, Appy Pie’s PCI compliant payment processor for billing, requests & retains the customers’ postal address, along with the date of expiry of the credit card and the CVV.
Appy Pie takes the integrity and protection of customers’ data very seriously & maintains two kinds of data history: application logs from the system, and application & customers’ data. All this data is stored in Amazon’s state-of-the-art cloud computing platform, AWS, & backups are taken every five minutes at multiple locations.
Application logs are maintained for a duration of 90 days & the customers’ data is backed up in two ways:
- A continuous backup is maintained in different datacenters in the event of a system failover in the primary datacenter. Owing to this robust backup, in case of an unlikely catastrophe in any one of the datacenters, our customers would lose only five minutes of data.
- Data is backed up to persistent storage every day and retained for seven days.
In Europe & the United States, the AES 256-bit standard (key strength – 1024) is used to encrypt the data at rest, with AWS Key Management Service managing the keys. FIPS-140-2 standard encryption over a secure socket connection is used to encrypt all the data in transit, for all accounts hosted on appypie.com. Furthermore, there is an option available for the accounts that are hosted on independent domains that enables a secure socket connection.
Different environments are used for the purpose of development and testing. A strict management system for access to systems is in place on a need-to-do/need-to-know basis according to the information classification, with Segregation of Duties built in & reviewed on a quarterly basis.
Data Deletion or Redundancy
Upon deletion of an account, all data associated with it is destroyed within 14 business days. If, however, an account holder wants the backup of their data, Appy Pie products offer data export options.
Reporting issues and threats
In the event that you encounter any issues, security incidents (like breaches and potential vulnerabilities) or flaws that might affect the data security or privacy of Appy Pie users, please do reach out to us and write to firstname.lastname@example.org citing your concerns & details, so that we can get working on it at the earliest.
Your request will be looked into immediately, where we might reach out to you & ask for your guidance in identifying or replicating the issue and determining means or devising strategies to resolve the threat right away.