Submit Article Requests

Do you have a suggestion for an article you would like to see created?
Feel free to submit this form and add your suggestions to our document board.

Please fill out the contact form below and we will reply as soon as possible.

  • Appcues Certifications & Training
  • Integration Hub
  • Contact Us
  • Docs home
  • Installation & Developers
  • Installation Overview

Shared Responsibility Model for Security and Privacy

Gain a better understanding of how you and Appcues should share responsibility when it comes to the security of your data.

Updated at July 8th, 2025

Submit Article Requests

Do you have a suggestion for an article you would like to see created?
Feel free to submit this form and add your suggestions to our document board.

Please fill out the contact form with the details about the help content you'd like to see.

  • Home

  • Installation & Developers

    • Web Experiences

      • Mobile Experiences

        • Workflows

          • Analytics & Data

            • Account Management

              • Best Practices

                • Integrations

                  • System Status

                    Table of Contents

                    Appcues Responsibilities Customer Responsibilities

                    As described in the Appcues Trust Center, Appcues invests heavily and continually monitors the Appcues platform to protect the security and privacy of our customer data. However, if your organization uses certain Appcues features, you also have a responsibility to take action to fully protect the security and privacy of the data managed by Appcues.  This is commonly referred to as a shared responsibility model. This document describes the shared responsibility of certain Appcues features and their benefits.  As new capabilities are introduced, or responsibilities are identified, this page will be updated or expanded.

                    Appcues Responsibilities

                    Appcues maintains comprehensive documentation regarding the security of the Appcues platform and the Appcues Security Program in our Trust Center.  Security is ever-evolving, and Appcues regularly makes updates or improvements documented there.  A few notable aspects of our security program include:

                    • All customer data is encrypted both in transit and at rest.
                    • Documentation is maintained to ensure an Appcues installation is compatible with Content Security Policies.
                    • A SOC-2 audit and report is performed annually by a professional 3rd party auditor. 
                    • A Penetration Test and report is conducted annually by a professional 3rd party security research firm.
                    • Within 48 hours of discovering any security incident, notice will be sent to impacted Appcues account administrators.
                    • For accounts enabled for HIPAA compliance, Appcues also ensures all data is processed according to HIPAA regulations.

                    Customer Responsibilities

                    The following items are not required to operate Appcues, but by following these responsibilities, customers can improve their security posture using Appcues. 

                    • Customers are responsible for what data they send to Appcues. While Appcues implements many controls to secure customer data while in transit and stored, Appcues cannot determine the sensitivity of the data you send.  Appcues also cannot control what data you export from Appcues or send to 3rd party integrations. To limit the data received by Appcues, you can use Appcues Ingest Filtering.
                    • If the data you send to Appcues or the Experiences you display are sensitive (e.g. contains PII or confidential information that must be shown only to the appropriate user),  you can leverage Identity Verification to digitally sign your UserIDs to ensure that only intended users can see Appcues experiences.   This is required if you want HIPAA compliance to protect PHI.
                    • To process data deletion requests according to GDPR, CCPA, or other similar privacy laws, Appcues requires you to confirm the identity of the user, and once confirmed, forward the request to Appcues by contacting support@appcues.com.  Appcues cannot handle requests directly from your end users since we cannot verify their identity.
                    • Customers that use content integrity tags should follow the guidance in the Appcues Content Integrity Tags documentation. 
                    security privacy shared responsibility

                    Was this article helpful?

                    Yes
                    No
                    Give feedback about this article

                    Related Articles

                    • Identity Verification
                    • Content Security Policies
                    • Installation Guide for Developers
                    Appcues logo

                    Product

                    Why Appcues How it works Integrations Security Pricing What's new

                    Use cases

                    Appcues Integration Hub User Onboarding Software Feature Adoption Software NPS & Surveys Announcements Insights Mobile Adoption

                    Company

                    About
                    Careers

                    Support

                    Developer Docs Contact

                    Resources

                    The Appcues Blog Product Adoption Academy GoodUX Case studies Webinar Series Made with Appcues Appcues University

                    Follow us

                    Facebook icon Twitter icon grey Linkedin icon Instagram icon
                    © 2022 Appcues. All rights reserved.
                    Security Terms of Service Privacy Policy

                    Knowledge Base Software powered by Helpjuice

                    Expand