Why Data Security is critical and what it means at Appy Pie?
In the digital world the importance of data security is critical, not just for our clients, but their customers as well. The vulnerabilities of data at any stage may bring about serious consequences for the entire ecosystem.
As a business owner, when you choose a service or a platform to offer your products and services to your customers, you are essentially choosing the link between you and the customers. This is why it is important that the platform adheres to optimum security standards and has the right certification to provide protection to all that sensitive data you are collecting from your data. This data may include the email addresses, physical addresses, contact numbers, payment information, or any other such sensitive data.
You have a responsibility towards your customers that any such data they provide during the course of business is kept safe, handled ethically and is never shared with anyone without their knowledge or consent.
At Appy Pie, we take stringent security measures and are dedicated to make sure that there are no vulnerabilities in our processes at any stage. AppyPie.com helps you deliver enterprise-class security and compliance to your customers through every interaction.
Listed below are the certifications and compliance measures taken by AppyPie.com to ensure that our clients and your customers are protected from any unscrupulous activities.
PCI DSS Compliance
The payment gateway used by Appy Pie is a PCI DSS compliant. We have entered 2019 with concern and trepidation about data vulnerability, breaches, and leaks. This is why security continues to be a hot-topic and a matter of public concern.
Appy Pie takes it upon themselves to make sure that their customer’s payment information is protected at all times. Stripe, Appy Pie’s PCI compliant payment processor for billing requests & retains the customers’ postal address, along with the date of expiry of credit card and CVV.
You can place a ‘Do not sell my data’ request by filling in this form.
SOC 2 Attestation
Our clients trust our platform enough to let us handle their critical processes like billing, invoicing, and more, and in return we assure them that their interests and their customers’ privacy are valued and protected.
The SOC 2 attestation ensures that SaaS service providers like Appy Pie manage your data securely so that your interest and your clients’ privacy is always protected.
Appy Pie’s SOC compliance is particularly suited for businesses that need to control their financial reporting internally, and to showcase the vendors who have deployed internal controls during audits.
You can place a ‘Do not sell my data’ request by filling in this form.
ISO 22301:2019
Societal security – Business continuity management systems – Requirements, is a management system standard that specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.
We are ISO 22301:2019 certified and are prepared to handle and recover from any disruptive incident, if one should arise.
ISO 27001:2013
ISO 27001 certification is a certification for an information security management system (ISMS) – which is essentially a framework of policies and procedures. It includes all the legal, physical, and technical controls related to an organization’s information risk management process aimed at keeping the information secure.
We are ISO 27001:2013 certified and are committed to risk identification, implications assessment, and to put in place systemized controls that inspire trust in all that we do.
Voluntary Product Accessibility Template (VPAT)
Appy Pie has created a Voluntary Product Accessibility Template (VPAT) which is in accordance with the Section 508 Standards. It details each aspect of the Section 508 requirements and how we support each criterion.
Our VPAT contains documentation on Section 508 (2017 Refresh), Web Content Accessibility Guidelines (WCAG) 2.0 Success Criteria & Conformance Requirements (Levels A, AA, AAA) as well as the European Accessibility standards EN 301. You can view the entire report here.
HIPAA Privacy Disclosure
The HIPAA Privacy Rule establishes federal guidelines to protect the confidentiality of personal health data and grants patients various entitlements regarding this information, such as the right to review and acquire copies of their medical records and to ask for corrections if needed.
GDPR
Appy Pie is in compliance with GDPR and processes all personal data in accordance with the guidelines set forth by the regulation that are applicable to Appy Pie’s services and the platform.
GDPR refers to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
You can place a ‘Do not sell my data’ request by filling in this form.
EU data transfer mechanism
GDPR applies primarily to controllers and processors located in the European Economic Area or EEA and if the personal data is transferred out of the EEA, there is a risk of losing GDPR protection. It is for this reason that GDPR restricts the transfer of personal data outside the EEA, unless the rights of the individuals are protected in some way.
Appy Pie LLC, serving as AP’s third-party payment processor in the USA, is an active participant and adheres to the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), having self-certified its commitment to the Data Privacy Framework Principles with the U.S. Department of Commerce. This commitment covers personal information received from countries within the European Economic Area, Switzerland, and the United Kingdom. Additionally, under the terms of the Data Processing Agreement (DPA), AP provides the Standard Contractual Clauses in Schedule 3 to the DPA for online transfer of Personal Data from the EU, EEA, Switzerland, and the UK to countries without adequate data protection, as governed by Data Protection Laws and Regulations. In instances of conflict, the Data Privacy Framework Principles will take precedence.
U.S. Data Privacy Compliance Policy
Our privacy policy is designed to enhance privacy rights and consumer protection for all residents of the United States. Appy Pie is committed to transparency regarding the collection and use of personal data from our clients through our platform. For detailed information on our privacy practices, please click here.
Residents who wish to exercise their privacy rights, including opting out of data selling, can do so by completing this form.”
Penetration test, Vulnerability Scanning & Patching
As a practice, we, at Appy Pie, check and apply patches for third-party software/services. In case any vulnerabilities are ever discovered we apply the fixes on the highest priority. Also, vulnerability scanning is carried out every month using the services of Amazon Inspector.
Appy Pie has gotten the penetration testing done by third party experts – Bishop Fox and the relevant report can be obtained by sending an email to [email protected]
Physical and Network Security
Appy Pie has its development center in NSEZ, Noida (India), and sales / support offices in Warrenton, Virginia (USA) & London (UK) & Noida (India). The office is equipped with surveillance cameras and their footage is monitored periodically by authorized personnel. Fire alarms and water sprinklers are in place to detect and mitigate damage in the unlikely event of a fire. Additionally, regular fire drills are conducted by the premises management team to educate the employees about emergency evacuation procedures. The office is equipped with 24×7 power supply, supported by an alternative uninterrupted power supply system to ensure smooth functioning in the event of power failure.
All the apps at Appy Pie are created and hosted on Amazon Web Services & the infrastructure for databases and application servers is managed and maintained by Amazon.
The first layer of protection for the application is provided by AWS’s firewall which is equipped to counter regular DDoS attacks and other network related intrusions. The second layer of protection is offered by Appy Pie’s own application firewall which monitors offending IPs, users, and spam. It is worth noting that all account passwords that are stored in the application are one-way hashed and salted.
Appy Pie uses a multi-tenant data model to host all its applications. It is through an individual virtual private cloud that Appy Pie services each application wherein a unique tenant ID is assigned to each customer. The application is engineered and verified to ensure that only the data for the tenant who is logged-in may be fetched. It is this strategic design that ensures that no customer can access another customer’s data. Access to the application by the Application development team is also controlled, managed, and audited. Each time the application and the infrastructure are accessed, a detailed log is created which are then subsequently audited.
You are welcome to come to our physical location and examine the security measures taken at the site by setting up an appointment with us through email at [email protected].
Administrative Operations
Being a responsible & respected organization, we are extremely vigilant about protecting our data & keeping our clients’ data secure. The employees of the organization are granted access to the office only after authorization using smart cards and the sensitive areas of the office can be accessed only by authorized personnel.
Data Loss Protection
As a measure to provide optimum Data Loss Protection, we at Appy Pie use the world leader in data loss protection – Endpoint Protector by CoSoSys which prevents any inappropriate transmission of data through physical or digital means. It means that the data from the company cannot be copied to any other mass storage device, nor can it be sent out through email as attachment or any other form using their powerful Security.
Data Storage
The protection and security of the customers’ data is a serious matter for Appy Pie, hence, they manage the security of its application and customers’ data with sincerity & responsibility. However, provisioning and access management of individual apps created using the platform is at the discretion of individual app owners.
The Development team at Appy Pie does not have access to data on production servers, however any changes to the application, infrastructure, web content and deployment processes are documented extensively as part of an internal change control process.
Our platform collects limited information about our customers that includes their name, email address and phone and these details are retained only for account creation. Stripe, Appy Pie’s PCI compliant payment processor for billing requests & retains the customers’ postal address, along with the date of expiry of credit card and CVV.
Appy Pie takes the integrity and protection of customers’ data very seriously & maintains two kinds of data history: application logs from the system, and application & customers’ data. All this data is stored in Amazon’s state of the art cloud computing platform, AWS & backups are taken every six hours at multiple locations.
Database backups are backed up daily and maintained for a duration of 35 days. The customers’ data is backed up in two ways:
A continuous backup is maintained in different datacenters in the event of a system failover in the primary datacenter. It is due to the robust backup, that in case of an unlikely catastrophe in any one of the datacenters, our customers would lose only five minutes of data.
Data is backed up to persistent storage every day and retained for 15 days.
In Europe & United States, AES 256bit standards (key strength – 1024) is used to encrypt the data at rest, with AWS Key Management Service managing the keys. FIPS-140-2 standard encryption over a secure socket connection, is used to encrypt all the data in transit, for all accounts hosted on appypie.com. Furthermore, there is an option available for the accounts that are hosted on independent domains, that enables a secure socket connection.
Diverse environments are used for the purpose of development and testing, a strict management system for access to systems is in place on a need to do/know basis according to the information classification, where the Segregation of Duties are built-in, & reviewed on a quarterly basis.
Mobile Security
As a practice, we, at Appy Pie, use Quokka’s Mobile Application Security Testing (MAST) solution to make all Appy Pie apps secure and ensure data privacy for all our platform users.
We use Quokka to continuously assess the security and privacy of any mobile device against the highest internationally recognized software assurance standards published by
– The National Institute of Standards and Technologies (NIST)
– National Information Assurance Partnership (NIAP)
– Open Web Application Security Project (OWASP)
Data Deletion or Redundancy
Upon deletion of an account, all data associated with it is destroyed within 14 business days. If, however, an account holder wants the backup of their data, Appy Pie products offer data export options.
Data Classification
In the context of information or data security, data classification involves categorizing data according to its sensitivity level and the potential impact on Appy Pie if unauthorized disclosure, modification, or destruction were to occur. This classification process plays a crucial role in determining the requisite baseline security measures for safeguarding data.
Reporting issues and threats
In the event, that you encounter any issues, security incidents (like breaches and potential vulnerabilities) or flaws that might affect the data security or privacy of Appy Pie users, please do reach out to us and write to [email protected] citing your concerns & details, so that we can get working on it at the earliest.
Your request will be looked into immediately, where we might reach out to you & ask for your guidance in identifying or replicating the issue and determining means or devising strategies to resolve the threat right away.
The company has a privacy policy, approved by an internal legal counsel, available publicly at https://www.appypie.com/privacy-policy & the payment gateway (Stripe) used by Appy Pie is PCI compliant.