Appcues does not handle PCI data. Appcues relies on third parties for payment card processing, so PCI DSS compliance is not required for Appcues.
Appcues has several integrations, as well as a fully-featured API, which means that you or a third party can build integrations with many other systems. Appcues will pass the data in a secure fashion, but cannot control what happens to the data once it leaves Appcues's system. If you are working with ePHI and you have a BAA in place with Appcues, you are still responsible for ensuring HIPAA compliance for data once it leaves Appcues, whether through our official integrations or our API. HIPAA compliance of your own app or of any unofficial third-party app is up to your privacy and security team to investigate.
Yes, our assessment includes classifying the different types of data and risk-assessing each type individually. More information about the types of data we collect can be found in our Privacy Policy.
Appcues performs criminal background checks via Checkr for all new employees.
Appcues conducts a SOC 2 Type 2 audit annually. Appcues also complies with regulatory privacy frameworks, including GDPR and CCPA.
Appcues maintains an incident response plan, and a business continuity and disaster recovery plan, which are reviewed and tested at least annually.
Appcues does not conduct TIAs. Any impact will depend on what data customers choose to send us. Please refer to our subprocessors page which describes how Appcues will transfer data onward.
Appcues conducts a SOC 2 audit annually rather than an ISO 27001 certification. The SOC 2 report is available upon request.
ePHI is handled with the same access controls as customer data, except that it is stored in a dedicated, hardened, and HIPAA-approved analytics database.
GLBA does not apply to Appcues, as Appcues is not a financial institution and does not deal in financial products.
Since Appcues is a data processor, we are exempt from registering with the ICO. Data controllers must register with the UK's ICO.
Since Appcues uses data for core functionality of the product, data is retained for the life of the contract with the customer. Data is deleted upon request from the customer, or in accordance with the EU's GDPR. Deletion requests should be sent to support@appcues.com.
In order to implement Appcues, you will need to provide some data about your users. At minimum, we require a unique user ID.
By default, Appcues will also collect certain non-identifying data points about the user's device, such as the screen size, operating system version, or device type. We call these data points Auto-Properties.
You may also provide custom profile attributes and track events associated with the activities of your users. This data can be used to target and tailor Appcues content to your audience. Any data collected this way is sent to us explicitly by you, at your discretion.
Given the architecture of Appcues, your users will connect to our servers in the United States, so we do have transient access to IP address data. Specifically, your users will connect to servers operated by AWS and the Fastly CDN. We do not log or store IP addresses. You can find the full details regarding how we handle personal data in our Privacy Policy and our Data Processing Addendum.
Appcues requires, at minimum, a unique user ID to identify each user. By default, Appcues will also collect non-identifying data about the user's device, such as user agent and operating system. Any additional data received by Appcues is sent at the discretion of the customer and is used for audience targeting and personalization. PII or other sensitive data types are not required for Appcues to run. Please see our Privacy Policy for more information.
As of version 5.0.0, the Appcues SDK does not use cookies for any purpose. To check what version of the SDK you're using, refer to the Appcues Debugger.
All customer data is stored in the United States.
Appcues does not have a data retention window. By default, data sent to Appcues will be retained indefinitely.
This is necessary because of the nature of the Appcues product. If a user sees a flow that is configured to only display to the user once, Appcues needs to remember that the user has already seen the flow, so that we don't show the flow to that user again. If we allowed data to expire out of our platform, then we would show that content to that user each time the record expired.
Appcues can delete any data upon request. To request a data deletion, please refer to our GDPR Deletion API or write to us at support@appcues.com.
Due to confidentiality obligations with our customers, we cannot share the specific details of any findings reported by a third party.
If you would like to discuss specific findings, Appcues can provide written guidelines for conducting your own pen test assessment of the Appcues platform. Appcues will track and communicate the status of any reported vulnerabilities according to our vulnerability disclosure policy.
Appcues encourages responsible disclosure. Vulnerabilities may be reported to security@appcues.com.
Appcues does not have a bug bounty program, and does not pay bounties for reported vulnerabilities.
Appcues supports Google SSO, and SAML for enterprise accounts.
To report a security vulnerability, please email the details to security@appcues.com.
All systems are backed up at least every 24 hours. Where possible, data stores are backed up continuously and can be restored to any point in time.
Appcues maintains a comprehensive information security policy. An information security training session is held at least annually, and all new personnel attend an information security training session.
Appcues is a fully remote company and does not manage any physical locations.
All software is peer reviewed before release. Appcues maintains multiple fully functional environments for testing and validation outside of the production environment. Software changes are accepted into production only after peer review of the source code and passage of the software's automated test suite.
Appcues does not publish a general SLA on when remediations will be resolved. Instead, we publish a timeline on when we will begin work on remediation.
Appcues commits to beginning work on security vulnerabilities according to the following timeline:
The Appcues Chrome extension is designed to build content for all of our customers across any of their web properties. In order for the extension to inspect the page and place content, Google Chrome requires permission to access this browser data, and in order to accommodate all of our customers' use cases, that permission has to be granted across all websites.
RTO: 3 hours; RPO: 5 minutes or less.
Yes, Appcues has completed a BIA as part of our risk management program.
Service health is monitored continuously, using metrics collected from actual requests. Additionally, external systems make periodic requests to our systems to provide external visibility into service health.
Appcues does not have regularly scheduled maintenance windows. In the event of service unavailability due to service maintenance, the window would be communicated to all customers well in advance of the event. Appcues strives to provide 24/7/365 service to all customers.
Appcues does not provide a contractually guaranteed service-level agreement as a standard part of the service offering. Appcues strives to provide 24/7/365 service to all customers. status.appcues.com provides updates on the status of the system and product.
Appcues uses role-based access controls to grant access to customer data according to business needs. Access is granted to Appcues personnel for the purposes of support, operations, and maintenance.