Security at Appcues

Appcues does not handle PCI data. Appcues relies on third parties for payment card processing, therefore compliance is not required for Appcues.

Appcues has several integrations, as well as a fully-featured API, which means that you or a third party can build integrations with many other systems. Appcues will pass the data in a secure fashion, but cannot control what happens to the data once it leaves Appcues's system. If you are working with ePHI, and you have a BAA in place with Appcues, you are still responsible for ensuring HIPAA compliance for data once it leaves Appcues, whether it be through our official integrations or our API. HIPAA compliance with your own app or any unofficial third party app will be up to your privacy and security team to investigate.

Yes, our assessment includes classifying different types of data, and risk assessing each type individually. More information about the types of data we collect can be found on our Privacy Policy

Appcues performs background checks via checkr on criminal activity for all new employees.

Appcues conducts a SOC-2 Type 2 audit annually. Appcues also complies with regulatory privacy frameworks, including GDPR and CCPA.

Appcues maintains an incident response plan, and a business continuity and disaster recovery plan, which are reviewed and tested at least annually.

Appcues does not conduct TIAs. Any impact will depend on what data customers choose to send us. Please refer to our subprocessors page which describes how Appcues will transfer data onward.

Appcues conducts a SOC 2 audit annually rather than an ISO 27001 certification. The SOC 2 report is available upon request.

ePHI is handled with the same access controls as customer data, except that it is stored in a dedicated, hardened, and HIPAA-approved analytics database.

GLBA does not apply to Appcues as Appcues is not a financial instiution, nor deals with financial products.

Since Appcues is a data processor, we are exempt from registering with the ICO. Data controllers must register with the UK's ICO.

Since Appcues uses data for core functionality of the product, data is retained for the life of the contract with the customer. Data is deleted upon request from the customer, or in accordance with the EU’s GDPR law. Deletion requests should be sent to support@appcues.com

Our self-certification application has been submitted and is under review by the DPF, so we will be registered soon. We remain GDPR compliant in the meantime, as the SCCs in our DPA are still a valid mechanism for data transfer.

Given the architecture of Appcues, your users will connect to our servers in the United States, and so in some way, we would have access to IP address data. Specifically, your users will connect to servers operated by AWS and the Fastly CDN. We do not log or store IP addresses. You can find the full details regarding how we handle personal data in our Privacy Policy and our Data Processing Addendum.

Appcues requires, at minimum, a unique user ID to identify each user. By default, Appcues will also collect non-identifying data about the user's device, such as user agent and operating system. Any additional data received by Appcues is sent at the discretion of the customer and is used for audience targeting and personalization. PII or other sensitive data types are not required for Appcues to run. Please see our Privacy Policy for more information.

As of version 5.0.0, the Appcues SDK does not use cookies for any purpose. To check what version of the SDK you're using, refer to the Appcues Debugger.

Appcues does not conduct TIAs. Any impact will depend on what data customers choose to send us. Please refer to our subprocessors page which describes how Appcues will transfer data onward.

All customer data is stored in the United States.

Since Appcues is a data processor, we are exempt from registering with the ICO. Data controllers must register with the UK's ICO.

Since Appcues uses data for core functionality of the product, data is retained for the life of the contract with the customer. Data is deleted upon request from the customer, or in accordance with the EU’s GDPR law. Deletion requests should be sent to support@appcues.com

Appcues does not have a data retention window. By default, data sent to Appcues will be retained indefinitely.

This is necessary because of the nature of the Appcues product. If a user sees a flow that is configured to only display to the user once, Appcues needs to remember that the user has already seen the flow, so that we don't show the flow to that user again. If we allowed data to expire out of our platform, then we would show that content to that user each time the record expired.

Appcues can delete any data upon request. To request a data deletion, please refer to our GDPR Deletion API or write to us at support@appcues.com

Due to confidentiality obligations with our customers, we can not share the specific details of any findings reported by a third party.

If you would like to discuss specific findings, Appcues can provide written guidelines for conducting your own pen test assessment of the Appcues platform. Appcues will track and communicate the status of any reported vulnerabilities according to our vulnerability disclosure policy.

Appcues encourages responsible disclosure. Vulnerabilities may be reported to security@appcues.com.

Appcues does not have a bug bounty program, and does not pay bounties for reported vulnerabilities.

Appcues supports Google SSO, and SAML for enterprise accounts.

To report a security vulnerability, please email the details to security@appcues.com

All systems are backed up at least every 24 hours. When possible data stores are backed up continuously, and may be restored to any point in time.

Appcues maintains a comprehensive information security policy. An information security training session is held at least annually, and all new personnel attend an information security training session.

Appcues is a fully remote company and does not manage any physical locations.

All software is peer reviewed before release. Appcues maintains multiple fully functional environments for the purposes of testing and validation outside of the production environment. Software changes are accepted to production only after peer review of source code and passage of the software’s automated test suite.

Appcues does not publish a general SLA on when remediations will be resolved. Instead, we publish a timeline on when we will begin work on remediation.

Appcues commits to beginning work on security vulnerabilities according to the following timeline:

• Critical severity: Begin remediation immediately.
• High severity: Begin remediation within 30 days.
• Medium severity: Begin remediation within 90 days.

RTO 3 hours, RPO 5 minutes or less

Yes, Appcues has completed a BIA as a part of our risk managment program.

Service health is monitored continuously, using metrics collected from actual requests. Additionally, external systems make periodic requests to the systems, to provide external visibility into system health.

Appcues does not have regularly scheduled maintenance windows. In the event of service unavailability due to service maintenance, the window would be communicated to all customers well in advance of the event. Appcues strives to provide 24/7/365 service to all customers.

Appcues does not provide a contractually guaranteed service-level agreement as a standard part of the service offering. Appcues strives to provide 24/7/365 service to all customers. Status.appcues.com will provide updates on the status of the system and product.