Data Protection & Data Security

Why Data Security is critical and what it means at Appy Pie?

In the digital world the importance of data security is critical, not just for our clients, but their customers as well. The vulnerabilities of data at any stage may bring about serious consequences for the entire ecosystem.

As a business owner, when you choose a service or a platform to offer your products and services to your customers, you are essentially choosing the link between you and the customers. This is why it is important that the platform adheres to optimum security standards and has the right certification to provide protection to all that sensitive data you are collecting from your data. This data may include the email addresses, physical addresses, contact numbers, payment information, or any other such sensitive data.

You have a responsibility towards your customers that any such data they provide during the course of business is kept safe, handled ethically and is never shared with anyone without their knowledge or consent.

At Appy Pie, we take stringent security measures and are dedicated to make sure that there are no vulnerabilities in our processes at any stage. AppyPie.com helps you deliver enterprise-class security and compliance to your customers through every interaction.

Listed below are the certifications and compliance measures taken by AppyPie.com to ensure that our clients and your customers are protected from any unscrupulous activities.

PCI DSS Compliance

The payment gateway used by Appy Pie is a PCI DSS compliant. We have entered 2019 with concern and trepidation about data vulnerability, breaches, and leaks. This is why security continues to be a hot-topic and a matter of public concern.

Appy Pie takes it upon themselves to make sure that their customer’s payment information is protected at all times. Stripe, Appy Pie’s PCI compliant payment processor for billing requests & retains the customers’ postal address, along with the date of expiry of credit card and CVV.

You can place a ‘Do not sell my data’ request by filling in this form.

SOC 2 Attestation

Our clients trust our platform enough to let us handle their critical processes like billing, invoicing, and more, and in return we assure them that their interests and their customers’ privacy are valued and protected.

The SOC 2 attestation ensures that SaaS service providers like Appy Pie manage your data securely so that your interest and your clients’ privacy is always protected.

Appy Pie’s SOC compliance is particularly suited for businesses that need to control their financial reporting internally, and to showcase the vendors who have deployed internal controls during audits.

You can place a ‘Do not sell my data’ request by filling in this form.

ISO 22301:2012

Societal security – Business continuity management systems – Requirements, is a management system standard that specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.

We are ISO 22301:2012 certified and are prepared to handle and recover from any disruptive incident, if one should arise.

  • Appy-Pie-LLCAppy-Pie-LLC

ISO 27001:2013

ISO 27001 certification is a certification for an information security management system (ISMS) – which is essentially a framework of policies and procedures. It includes all the legal, physical, and technical controls related to an organization’s information risk management process aimed at keeping the information secure.

We are ISO 27001:2013 certified and are committed to risk identification, implications assessment, and to put in place systemized controls that inspire trust in all that we do.

  • Appy-Pie-LLCAppy-Pie-LLC
  • Appy-Pie-LtdAppy-Pie-Ltd
  • ISO27001-LLP-1ISO27001-LLP-1
  • eu-us-shield-certificate

EU-US Privacy Shield

Appy Pie is in compliance with the EU-US Privacy Shield as it adheres to the principle of protecting the rights of anyone in the EU whose personal data is transferred to the US while bringing legal clarity and transparency for companies that need to rely on transatlantic transfer of data.

The policies of certification do not allow displaying the link, hence you can request for the link by sending us an email at security@appypie.com

GDPR

Appy Pie is in compliance with GDPR and processes all personal data in accordance with the guidelines set forth by the regulation that are applicable to Appy Pie’s services and the platform.

GDPR refers to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Appy Pie’s compliance with GDPR has been assessed by Trust Arc, who have awarded due certification in this regard.

You can place a ‘Do not sell my data’ request by filling in this form.

CCPA

California Consumer Privacy Act is a state statute that is aimed at enhancing the privacy rights and consumer protection for California residents.

Appy Pie is in compliance with CCPA and is transparent about all or any personal data collected from the clients through the platform. To read Appy Pie’s CCPA policy, please click here.

You can place a ‘Do not sell my data’ request by filling in this form.

Penetration test, Vulnerability Scanning & Patching

As a practice, we, at Appy Pie, check and apply patches for third-party software/services. In case any vulnerabilities are ever discovered we apply the fixes on the highest priority. Also, vulnerability scanning is carried out every month using the services of Amazon Inspector.

Appy Pie has gotten the penetration testing done by third party experts – Bishop Fox and the relevant report can be obtained by sending an email to security@appypie.com

Physical and Network Security

Appy Pie has its development center in NSEZ, Noida (India), and sales / support offices in Warrenton, Virginia (USA) & London (UK) & Noida (India). The office is equipped with surveillance cameras and their footage is monitored periodically by authorized personnel. Fire alarms and water sprinklers are in place to detect and mitigate damage in the unlikely event of a fire. Additionally, regular fire drills are conducted by the premises management team to educate the employees about emergency evacuation procedures. The office is equipped with 24×7 power supply, supported by an alternative uninterrupted power supply system to ensure smooth functioning in the event of power failure.

All the apps at Appy Pie are created and hosted on Amazon Web Services & the infrastructure for databases and application servers is managed and maintained by Amazon.

The first layer of protection for the application is provided by AWS’s firewall which is equipped to counter regular DDoS attacks and other network related intrusions. The second layer of protection is offered by Appy Pie’s own application firewall which monitors offending IPs, users, and spam. It is worth noting that all account passwords that are stored in the application are one-way hashed and salted.

Appy Pie uses a multi-tenant data model to host all its applications. It is through an individual virtual private cloud that Appy Pie services each application wherein a unique tenant ID is assigned to each customer. The application is engineered and verified to ensure that only the data for the tenant who is logged-in may be fetched. It is this strategic design that ensures that no customer can access another customer’s data. Access to the application by the Application development team is also controlled, managed, and audited. Each time the application and the infrastructure are accessed, a detailed log is created which are then subsequently audited.

You are welcome to come to our physical location and examine the security measures taken at the site by setting up an appointment with us through email at security@appypie.com.

Administrative Operations

Being a responsible & respected organization, we are extremely vigilant about protecting our data & keeping our clients’ data secure. The employees of the organization are granted access to the office only after authorization using smart cards and the sensitive areas of the office can be accessed only by authorized personnel.

Data Loss Protection

As a measure to provide optimum Data Loss Protection, we at Appy Pie use the world leader in data loss protection – Indefend which prevents any inappropriate transmission of data through physical or digital means. It means that the data from the company cannot be copied to any other mass storage device, nor can it be sent out through email as attachment or any other form using their powerful Secure Email Gateway or SEG feature.

Data Storage

The protection and security of the customers’ data is a serious matter for Appy Pie, hence, they manage the security of its application and customers’ data with sincerity & responsibility. However, provisioning and access management of individual apps created using the platform is at the discretion of individual app owners.

The Development team at Appy Pie does not have access to data on production servers, however any changes to the application, infrastructure, web content and deployment processes are documented extensively as part of an internal change control process.

Our platform collects limited information about our customers that includes their name, email address and phone and these details are retained only for account creation. Stripe, Appy Pie’s PCI compliant payment processor for billing requests & retains the customers’ postal address, along with the date of expiry of credit card and CVV.

Appy Pie takes the integrity and protection of customers’ data very seriously & maintains two kinds of data history: application logs from the system, and application & customers’ data. All this data is stored in Amazon’s state of the art cloud computing platform, AWS & backups are taken every six hours at multiple locations.

Database backups are backed up daily and maintained for a duration of 35 days. The customers’ data is backed up in two ways:

  1. A continuous backup is maintained in different datacenters in the event of a system failover in the primary datacenter. It is due to the robust backup, that in case of an unlikely catastrophe in any one of the datacenters, our customers would lose only five minutes of data.

  2. Data is backed up to persistent storage every day and retained for 2 months.

In Europe & United States, AES 256bit standards (key strength – 1024) is used to encrypt the data at rest, with AWS Key Management Service managing the keys. FIPS-140-2 standard encryption over a secure socket connection, is used to encrypt all the data in transit, for all accounts hosted on appypie.com. Furthermore, there is an option available for the accounts that are hosted on independent domains, that enables a secure socket connection.

Diverse environments are used for the purpose of development and testing, a strict management system for access to systems is in place on a need to do/know basis according to the information classification, where the Segregation of Duties are built-in, & reviewed on a quarterly basis.

Data Deletion or Redundancy

Upon deletion of an account, all data associated with it is destroyed within 14 business days. If, however, an account holder wants the backup of their data, Appy Pie products offer data export options.

Reporting issues and threats

In the event, that you encounter any issues, security incidents (like breaches and potential vulnerabilities) or flaws that might affect the data security or privacy of Appy Pie users, please do reach out to us and write to security@appypie.com citing your concerns & details, so that we can get working on it at the earliest.

Your request will be looked into immediately, where we might reach out to you & ask for your guidance in identifying or replicating the issue and determining means or devising strategies to resolve the threat right away.

The company has a privacy policy, approved by an internal legal counsel, available publicly at https://www.appypie.com/terms-of-use & the payment gateway (Stripe) used by Appy Pie is PCI compliant.