Data Protection & Data Security

Physical security

Appy Pie has its development center in NSEZ, Noida (India), and sales / support offices in Warrenton, Virginia (USA) & London (UK) & Noida (India). Being a responsible & respected organization, we are extremely vigilant about protecting our data & keeping our clients’ data secure. The employees of the organization are granted access to the office only after authorization using smart cards and the sensitive areas of the office can be accessed only by authorized personnel.

The office is equipped with surveillance cameras and their footage is monitored periodically by authorized personnel. Fire alarms and water sprinklers are in place to detect and mitigate damage in the unlikely event of a fire. Additionally, regular fire drills are conducted by the premises management team to educate the employees about emergency evacuation procedures. The office is equipped with 24×7 power supply, supported by an alternative uninterrupted power supply system to ensure smooth functioning in the event of power failure.

Application security

All the apps at Appy Pie are created and hosted on Amazon Web Services & the infrastructure for databases and application servers is managed and maintained by Amazon.

The first layer of protection for the application is provided by AWS’s firewall which is equipped to counter regular DDoS attacks and other network related intrusions. The second layer of protection is offered by Appy Pie’s own application firewall which monitors offending IPs, users, and spam. It is worth noting that all account passwords that are stored in the application are one-way hashed and salted.

Appy Pie uses a multi-tenant data model to host all its applications. Appy Pie services each application through an individual virtual private cloud, wherein a unique tenant ID is assigned to each customer. The application is engineered and verified to ensure that only the data for the tenant who is logged in may be fetched. It is this strategic design that ensures that no customer can access another customer’s data. Access to the application by the Application development team is also controlled, managed, and audited. Each time the application and the infrastructure are accessed, a detailed log is created, which is subsequently audited.

Data Security

Appy Pie treats the protection and security of customers’ data as a serious matter and manages the security of its application and customers’ data with sincerity & responsibility. However, provisioning and access management of individual apps created using the platform is at the discretion of individual app owners.

The Development team at Appy Pie does not have access to data on production servers. However, any changes to the application, infrastructure, web content and deployment processes are documented extensively as part of an internal change control process.

Our platform collects limited information about our customers that includes their name, email address and phone, and these details are retained only for account creation. Stripe, Appy Pie’s PCI compliant payment processor for billing, requests & retains the customers’ postal address, along with the date of expiry of credit card and CVV.

Appy Pie takes the integrity and protection of customers’ data very seriously & maintains two kinds of data history: application logs from the system, and application & customers’ data. All this data is stored in Amazon’s state of the art cloud computing platform, AWS & backups are taken every five minutes at multiple locations.

Application logs are maintained for a duration of 90 days & the customers’ data is backed up in two ways:

  1. A continuous backup is maintained in different datacenters in the event of a system failover in the primary datacenter. Owing to this robust backup, in the unlikely case of a catastrophe in any one of the datacenters, our customers would lose only five minutes of data.
  2. Data is backed up to persistent storage every day and retained for seven days.

In Europe & the United States, the AES 256-bit standard (key strength – 1024) is used to encrypt the data at rest, with AWS Key Management Service managing the keys. FIPS-140-2 standard encryption over a secure socket connection is used to encrypt all the data in transit for all accounts hosted on appypie.com. Furthermore, an option that enables a secure socket connection is available for accounts hosted on independent domains.

Diverse environments are used for the purpose of development and testing. A strict management system for access to systems is in place on a need to do/know basis according to the information classification, where the Segregation of Duties is built in & reviewed on a quarterly basis.

Data Deletion

Upon deletion of an account, all data associated with it is destroyed within 14 business days. If, however, an account holder wants the backup of their data, Appy Pie products offer data export options.

Reporting issues and threats

In the event that you encounter any issues, security incidents (like breaches and potential vulnerabilities) or flaws that might affect the data security or privacy of Appy Pie users, please reach out to us by writing to security@appypie.com, citing your concerns & details, so that we can get working on it at the earliest.

Your request will be looked into immediately, where we might reach out to you & ask for your guidance in identifying or replicating the issue and determining means or devising strategies to resolve the threat right away.

The company has a privacy policy, approved by an internal legal counsel, available publicly at https://www.appypie.com/terms-of-use-privacy-policy & the payment gateway (Stripe) used by Appy Pie is PCI compliant.

Regulatory Compliance

All of Appy Pie’s formal processes and security standards are formulated to meet regulations at various levels including the industry, state, federal and international levels. Appy Pie has been awarded the coveted TRUSTe Privacy Seal which means that our privacy policy and practices have been reviewed by TRUSTe for compliance with TRUSTe’s program requirements and the TRUSTed Cloud Program Requirements including transparency, accountability and choice regarding the collection and use of customers’ personal information. The TRUSTe program covers only the information that is collected through our websites and platforms. Following the principles defined in the safe harbor framework, Appy Pie adheres to strict data security, access, integrity policies & more. The third-party payment processor used by Appy Pie is PCI compliant, which ensures that the credit card data is stored and processed in a secure manner.

Customers using our services in the European Economic Area (EEA) would be processing personal data/information of their customers. In providing our service, we do not own, control or direct the use of the information stored or processed on our platform at the direction of our customers; in fact, we are unaware of most of the information that is being stored on our platform. The information is only accessed when it is reasonably necessary to be able to provide the service (including responding to support requests), when authorized by our customers or required by law. We act as data processors for our end customers, but as data controllers for those customers from whom we gather data via our platform for purposes of the European Union (EU) Directive 95/46/EC on Data Protection (“EU Directive”) and the Swiss Federal Act on Data Protection. Our customers from the EEA or Switzerland, who control their customer data and send it to Appy Pie for processing, are the “controllers” of that data; hence it is they who are responsible for compliance with the Directive. To put it simply, it is our customers who are responsible for complying with the Directive and relevant data protection legislation in their respective EEA member state before they send any personal information to Appy Pie for processing.

In our role as processors of personal information on our customers’ behalf, we follow their instructions for the information they control, as long as it complies with our services & functionality. In doing so, we employ industry-standard security taking technical, physical, and administrative measures against unauthorized processing of such information and against loss, destruction of, or damage to personal information.

Listed below are the major reasons why Appy Pie has to process customer data outside the EU in connection with provision of our services, particularly:

  1. Customer data is processed within the Appy Pie group i.e. Appy Pie LLC, Appy Pie LLP & Appy Pie Ltd.
  2. We use multiple third-party cloud providers as part of our architecture for the purposes of logging, billing, and system monitoring. Third party providers for the following are currently based in regions outside the EEA:
     • As the phone feature is not EU specific, the phone data may be stored anywhere
     • Chat feature service providers are based in the US
     • Plugins
     • App integrations
     • Third-party payment processor

We work with you to help you send out notices to your customers about what you plan to do with the personal information being collected and sign Model Contract Clauses (for data processors) with them to legitimize transfers of personal data from EU to processors established in third countries as may be required under the EU Directive.

Appy Pie privacy practices are TRUSTe certified and we are ISO 27001:2013 compliant. We are working towards SSAE-16 attestation and a SOC II report will be available shortly. Our data centers are hosted in AWS, which is ISO 27001, SSAE-16 and HIPAA compliant.

Appy Pie has now also self-certified its compliance with the EU-US Privacy Shield to the U.S. Department of Commerce and has been added to the Department of Commerce’s list of self-certified Privacy Shield participants.

Our products include functionalities provided by third parties, that do not offer regional hosting, making it impossible to restrict the transfer of data from the European Union, but the EU-US Privacy Shield acts as a way to legitimize such data transfer to the U.S. Our certification states that we comply with the Privacy Shield principles for the transfer of personal data from the European Union to the United States.

Having complied with the requirements of TRUSTe, Privacy Shield Framework, and ISO 27001, the platform has been comfortably set for Appy Pie to further work on GDPR compliance and achieve it by the time its regulations take effect.
