Data Protection & Data Security

Why data security is critical?

The importance of Data Security especially in context of your app building platform is paramount. The platform you choose would be the common link between your products and services, customers, and payments.

The app building platform you subscribe to, would store within and handle the flow of sensitive information about your business processes and revenue details. This is why the security of the app building subscription platform needs to be exceptionally strong.

Your app building platform occasionally collects payment information (when required), personal information like shipping address, phone numbers etc. You owe your customers the assurance that their data would be safe, handled ethically, and will never be shared with anyone without their knowledge or consent.

What does data security mean at Appy Pie?

Customers using our services in the European Economic Area (EEA), would be processing personal data/information of their customers. In providing our service, we do not own, control or direct the use of the information stored or processed on our platform at the direction of our customers, in fact we are unaware of most of the information that is being stored on our platform. The information is only accessed when it is reasonably necessary to be able to provide the service (including responding to support requests), when authorized by our customers or required by law. We act as data processors for our end customers, but as data controllers for those customers from whom we gather data via our platform for purposes of the European Union (EU) Directive 95/46/EC on Data Protection (“EU Directive”) and the Swiss Federal Act on Data Protection. Our customers from EEA or Switzerland, who control their customer data and send it to Appy Pie for processing, are the “controllers” of that data, hence it is they who are responsible for compliance with the Directive. To put it simply, it is our customers who are responsible for complying with the Directive and relevant data protection legislation in their respective EEA member state before they send any personal information to Appy Pie for processing.

In our role as processors of personal information on our customers’ behalf, we follow their instructions for the information they control, as long as it complies with our services & functionality. In doing so, we employ industry-standard security taking technical, physical, and administrative measures against unauthorized processing of such information and against loss, destruction of, or damage to personal information.

Listed below are the major reasons why Appy Pie has to process customer data outside the EU in connection with provision of our services, particularly:

  1. Customer data is processed within the Appy Pie group i.e. Appy Pie LLC, Appy Pie LLP & Appy Pie Ltd.
  2. We use multiple third-party cloud providers as part of our architecture for the purposes of logging, billing, and system monitoring. Third party providers for the following are currently based in regions outside the EEA:
  • As the phone feature is not EU specific, the phone data may be stored anywhere
  • Chat feature service providers are based in the US
  • Plugins
  • App integrations
  • Third-party payment processor

We work with you to help you send out notices to your customers about what you plan to do with the personal information being collected and sign Model Contract Clauses (for data processors) with them to legitimize transfers of personal data from EU to processors established in third countries as may be required under the EU Directive.

PCI DSS Compliance

The payment gateway used by Appy Pie is a PCI DSS compliant. We have entered 2019 with concern and trepidation about data vulnerability, breaches, and leaks. This is why security continues to be a hot-topic and a matter of public concern.

Appy Pie takes it upon themselves to make sure that their customer’s payment information is protected at all times. Stripe, Appy Pie’s PCI compliant payment processor for billing requests & retains the customers’ postal address, along with the date of expiry of credit card and CVV.

SOC 2 Attestation

Our clients trust our platform enough to let us handle their critical processes like billing, invoicing, and more, and in return we assure them that their interests and their customers’ privacy are valued and protected.

The SOC 2 attestation ensures that SaaS service providers like Appy Pie manage your data securely so that your interest and your clients’ privacy is always protected.

Appy Pie’s SOC compliance is particularly suited for businesses that need to control their financial reporting internally, and to showcase the vendors who have deployed internal controls during audits.

You can get Appy Pie’s SOC 2 report right to your email by clicking here.

ISO 22301:2012

Societal security – Business continuity management systems – Requirements, is a management system standard that specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.

We are ISO 22301:2012 certified and are prepared to handle and recover from any disruptive incident, if one should arise.

  • Appy-Pie-LLCAppy-Pie-LLC

ISO 27001:2013

ISO 27001 certification is a certification for an information security management system (ISMS) – which is essentially a framework of policies and procedures. It includes all the legal, physical, and technical controls related to an organization’s information risk management process aimed at keeping the information secure.

We are ISO 27001:2013 certified and are committed to risk identification, implications assessment, and to put in place systemized controls that inspire trust in all that we do.

  • Appy-Pie-LLCAppy-Pie-LLC
  • Appy-Pie-LtdAppy-Pie-Ltd
  • ISO27001-LLP-1ISO27001-LLP-1
  • eu-us-shield-certificate

EU-US Privacy Shield

Appy Pie is in compliance with the EU-US Privacy Shield as it adheres to the principle of protecting the rights of anyone in the EU whose personal data is transferred to the US while bringing legal clarity and transparency for companies that need to rely on transatlantic transfer of data.

GDPR

Enforceable since May 25, 2018, GDPR or General Data Protection Regulation is a European data privacy law which replaced the EU Data Protection Directive.

Appy Pie processes all personal data in accordance with the GDPR requirements that are directly applicable to Appy Pie’s services and platform.
Read More…

Physical and Network Security

Appy Pie has its development center in NSEZ, Noida (India), and sales / support offices in Warrenton, Virginia (USA) & London (UK) & Noida (India). The office is equipped with surveillance cameras and their footage is monitored periodically by authorized personnel. Fire alarms and water sprinklers are in place to detect and mitigate damage in the unlikely event of a fire. Additionally, regular fire drills are conducted by the premises management team to educate the employees about emergency evacuation procedures. The office is equipped with 24×7 power supply, supported by an alternative uninterrupted power supply system to ensure smooth functioning in the event of power failure.

All the apps at Appy Pie are created and hosted on Amazon Web Services & the infrastructure for databases and application servers is managed and maintained by Amazon.

The first layer of protection for the application is provided by AWS’s firewall which is equipped to counter regular DDoS attacks and other network related intrusions. The second layer of protection is offered by Appy Pie’s own application firewall which monitors offending IPs, users, and spam. It is worth noting that all account passwords that are stored in the application are one-way hashed and salted.

Appy Pie uses a multi-tenant data model to host all its applications. It is through an individual virtual private cloud that Appy Pie services each application wherein a unique tenant ID is assigned to each customer. The application is engineered and verified to ensure that only the data for the tenant who is logged-in may be fetched. It is this strategic design that ensures that no customer can access another customer’s data. Access to the application by the Application development team is also controlled, managed, and audited. Each time the application and the infrastructure are accessed, a detailed log is created which are then subsequently audited.

Administrative Operations

Being a responsible & respected organization, we are extremely vigilant about protecting our data & keeping our clients’ data secure. The employees of the organization are granted access to the office only after authorization using smart cards and the sensitive areas of the office can be accessed only by authorized personnel.

Vulnerability Scanning & Patching

As a practice, we, at Appy Pie, check and apply patches for third-party software/services. In case any vulnerabilities are ever discovered we apply the fixes on the highest priority. Also, periodic vulnerability scanning is carried out using the services of Alert Logic.

Data Loss Protection

As a measure to provide optimum Data Loss Protection, we at Appy Pie use the world leader in data loss protection – Indefend which prevents any inappropriate transmission of data through physical or digital means. It means that the data from the company cannot be copied to any other mass storage device, nor can it be sent out through email as attachment or any other form using their powerful Secure Email Gateway or SEG feature.

Data Storage

The protection and security of the customers’ data is a serious matter for Appy Pie, hence, they manage the security of its application and customers’ data with sincerity & responsibility. However, provisioning and access management of individual apps created using the platform is at the discretion of individual app owners.

The Development team at Appy Pie does not have access to data on production servers, however any changes to the application, infrastructure, web content and deployment processes are documented extensively as part of an internal change control process.

Our platform collects limited information about our customers that includes their name, email address and phone and these details are retained only for account creation. Stripe, Appy Pie’s PCI compliant payment processor for billing requests & retains the customers’ postal address, along with the date of expiry of credit card and CVV.

Appy Pie takes the integrity and protection of customers’ data very seriously & maintains two kinds of data history: application logs from the system, and application & customers’ data. All this data is stored in Amazon’s state of the art cloud computing platform, AWS & backups are taken every six hours at multiple locations.

Application data are maintained for a duration of 35 days & the customers’ data is backed up in two ways:

A continuous backup is maintained in different datacenters in the event of a system failover in the primary datacenter. It is due to the robust backup, that in case of an unlikely catastrophe in any one of the datacenters, our customers would lose only five minutes of data.

Data is backed up to persistent storage every day and retained for 6 months.

In Europe & United States, AES 256bit standards (key strength – 1024) is used to encrypt the data at rest, with AWS Key Management Service managing the keys. FIPS-140-2 standard encryption over a secure socket connection, is used to encrypt all the data in transit, for all accounts hosted on appypie.com. Furthermore, there is an option available for the accounts that are hosted on independent domains, that enables a secure socket connection.

Diverse environments are used for the purpose of development and testing, a strict management system for access to systems is in place on a need to do/know basis according to the information classification, where the Segregation of Duties are built-in, & reviewed on a quarterly basis.

Data Deletion or Redundancy

Upon deletion of an account, all data associated with it is destroyed within 14 business days. If, however, an account holder wants the backup of their data, Appy Pie products offer data export options.

Reporting issues and threats

In the event, that you encounter any issues, security incidents (like breaches and potential vulnerabilities) or flaws that might affect the data security or privacy of Appy Pie users, please do reach out to us and write to security@appypie.com citing your concerns & details, so that we can get working on it at the earliest.

Your request will be looked into immediately, where we might reach out to you & ask for your guidance in identifying or replicating the issue and determining means or devising strategies to resolve the threat right away.

The company has a privacy policy, approved by an internal legal counsel, available publicly at https://www.appypie.com/terms-of-use-privacy-policy & the payment gateway (Stripe) used by Appy Pie is PCI compliant.