Security Practices

Effective: 1-Jan-2016

This document is an electronic record in terms of the Information Technology Act, 2000 and rules made thereunder. Further, this electronic record is generated by a computer system and does not require any physical or digital signatures. This electronic record is published in accordance with the relevant provisions of the Information Technology Act, 2000 and rules made thereunder.

We take the security of your data very seriously at Appify. As transparency is one of our core principles, we aim to be as clear and open as we can about the way we handle security.

If you have additional questions regarding security, we are happy to answer them. Please write to legal@sarvasv.in and we will respond as quickly as we can.

Confidentiality

We place strict controls over our employees’ access to the data you and your users make available via the Appify services, as more specifically defined in your agreement with Appify covering the use of the Appify services ("Customer Data"), and are committed to ensuring that Customer Data is not seen by anyone who should not have access to it. The operation of the Appify services requires that some employees have access to the systems which store and process Customer Data. For example, in order to diagnose a problem you are having with the Appify services, we may need to access your Customer Data. These employees are prohibited from using these permissions to view Customer Data unless it is necessary to do so. We have technical controls and audit policies in place to ensure that any access to Customer Data is logged.

All of our employees and contract personnel are bound to our policies regarding Customer Data and we treat these issues as matters of the highest importance at Appify.

Personnel Practices

Appify conducts background checks on all employees before employment, and employees receive security training during onboarding as well as on an ongoing basis. All employees are required to read and sign our comprehensive information security policy covering the security, availability, and confidentiality of the Appify services.

Compliance

The following security-related audits and certifications are applicable to the Appify services:

The environment that hosts the Appify services maintains PCI DSS and HIPAA certifications for its data centers. For more information about their certification and compliance, please visit the Linode compliance and the Linode security.

Security Features for Team Members & Administrators

In addition to the work we do at the infrastructure level, in future, we may provide Team Administrators of paid versions of the Appify services with additional tools to enable their own users to protect their Customer Data.

Access Logging

Web framework level detailed access logs are available both to users and administrators of paid teams. We log every time an account signs in, noting the type of device used and the IP address of the connection.

Team Administrators and owners of paid teams can review consolidated access logs for their whole team. We also make it easy for administrators to remotely terminate all connections and sign out all devices authenticated to the Appify services at any time, on-demand.

Team-Wide Two-Factor Authentication

User can setup two-factor authentication (2FA) using the third-party authetication mechanisms available at Appify. For example: A user can login to Appify Services using its Google account where 2FA is activated. In future, we plan to activate the features for Team Administrators to require all users to set up two-factor authentication on their accounts using Appify platform directly, in addition to third-party 2FA solutions.

Single Sign On

All teams whether paid of free can integrate their Appify services instance with a variety of single-sign-on providers. Teams can use Facebook, Twitter, Linkedin, Google Apps for Domains as their authentication provider.

Data Retention

Owners of paid Appify teams can configure custom data retention policies on a team-wide and per-service basis. Setting a custom duration for retention means that data or files older than the duration you set will be deleted periodically. If such feature is not available due to any reason, we retain all available data in the Appify platform.

Deletion of Customer Data

Appify provides the option for Team Owners to delete Customer Data at any time during a subscription term. Within 24 hours of Team Owner initiated deletion, Appify hard deletes all information from currently-running production systems (excluding team and service names, and search terms embedded in URLs in web server access logs). Appify services backups are destroyed within 30 days.

Return of Customer Data

The Appify services include the following export capabilities:

Data Encryption In Transit and At Rest

Appify services implemented the best available Transport Layer Security (TLS) with the latest recommended secure cipher suites and protocols to encrypt all traffic in transit. We proudly sport A+ rating at ssllabs, HTTP Strict Transport Security (HSTS) for robust security. Customer Data will be encrypted at rest, in future if not already implemented in an update.

We monitor the changing cryptographic landscape closely and work promptly to upgrade the service to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve. For encryption in transit, we do this while also balancing the need for compatibility for older clients.

Availability

We understand that you rely on the Appify services to work. We're committed to making Appify a highly-available service that you can count on. Our infrastructure runs on systems that are fault tolerant, for failures of individual servers or even entire data centers. Our operations team tests disaster-recovery measures regularly and have an around-the-clock on-call expert technician team to quickly resolve unexpected incidents.

Disaster Recovery

Customer Data is stored redundantly at multiple locations in our hosting provider’s data centers to ensure availability. We have well-tested backup and restoration procedures, which allow recovery from a major disaster. Customer Data and our source code are automatically backed up in nightly, weekly, fortnightly and monthly sets. The Operations team is alerted in case of a failure with this system. Backups can be fully restored to working systems in the quickest time possible subject to the size of the data.

Network Protection

In addition to sophisticated system monitoring and logging, we have implemented two-factor authentication for all server access across our production environment. Firewalls are configured according to industry best practices and all ports are blocked by configuration except the mandatory ports. We have also implemented the automated process to block and ban the IP addresses that attempt any supicious activity. Network administrators at Appify are alerted on email with all the details of any such suspicious activity as soon as it is auto-blocked and auto-banned.

Host Management

We perform automated vulnerability scans on our production hosts and remediate any findings that present a risk to our environment. We enforce screens lockouts and the usage of anti-malware, anti-virus software on all devices with vulnerable operating systems.

Logging

Appify maintains an extensive, centralized logging environment in its production environment which contains information pertaining to security, monitoring, availability, access, and other metrics about the Appify services. These logs are analyzed for security events via automated monitoring software, overseen by the security team.

Incident Management & Response

In the event of a security breach, Appify will promptly notify you of any unauthorized access to your Customer Data. Appify has incident management policies and procedures in place to handle such an event.

Product Security Practices

New features, functionality, and design changes go through a security review process facilitated by the security team. In addition, our code is audited with automated static analysis software, tested, and manually peer-reviewed prior to being deployed to production. The security team works closely with development teams to resolve any additional security concerns that may arise during development.

Appify also plans to operate a security bug bounty program. Security researchers around the world can continuously test the security of the Appify services, and report issues via the program.