Submit Article Requests

Do you have a suggestion for an article you would like to see created?
Feel free to submit this form and add your suggestions to our document board.

Please fill out the contact form below and we will reply as soon as possible.

  • Appcues Certifications & Training
  • Integration Hub
  • Contact Us
  • Docs home
  • Installation & Developers
  • Installing Appcues Web

Shared Responsibility Model for Security and Privacy

Gain a better understanding of how you and Appcues should share responsibility when it comes to the security of your data.

Updated at September 14th, 2023

Submit Article Requests

Do you have a suggestion for an article you would like to see created?
Feel free to submit this form and add your suggestions to our document board.

Please fill out the contact form with the details about the help content you'd like to see.

  • Installation & Developers
    Installing Appcues Web Installing Appcues Mobile API & Data Troubleshooting Extras
  • Web Experiences
    Building Web Experiences Targeting Studio Customization & Styling Use Cases Troubleshooting FAQ
  • Mobile Experiences
    Installation & Overview Building Mobile Experiences Mobile Analytics & Integrations Troubleshooting
  • Account Management
    Subscription Users & Data
  • Analytics
    Experience and Event Analytics Data
  • Best Practices
    Best Practices Use Cases Pro Tips Product-led Growth
  • Integrations
    Integration Documents Use Cases Extras
  • System Status
    System Status & Incidents
+ More

Table of Contents

Appcues Responsibilities Customer Responsibilities

As described in the Appcues Trust Center, Appcues invests heavily and continually monitors the Appcues platform to protect the security and privacy of our customer data. However, if your organization uses certain Appcues features, you also have a responsibility to take action to fully protect the security and privacy of the data managed by Appcues.  This is commonly referred to as a shared responsibility model. This document describes the shared responsibility of certain Appcues features and their benefits.  As new capabilities are introduced, or responsibilities are identified, this page will be updated or expanded.

Appcues Responsibilities

Appcues maintains comprehensive documentation regarding the security of the Appcues platform and the Appcues Security Program in our Trust Center.  Security is ever-evolving, and Appcues regularly makes updates or improvements documented there.  A few notable aspects of our security program include:

  • All customer data is encrypted both in transit and at rest.
  • Documentation is maintained to ensure an Appcues installation is compatible with Content Security Policies.
  • A SOC-2 audit and report is performed annually by a professional 3rd party auditor. 
  • A Penetration Test and report is conducted annually by a professional 3rd party security research firm.
  • Within 48 hours of discovering any security incident, notice will be sent to impacted Appcues account administrators.
  • For accounts enabled for HIPAA compliance, Appcues also ensures all data is processed according to HIPAA regulations.

Customer Responsibilities

The following items are not required to operate Appcues, but by following these responsibilities, customers can improve their security posture using Appcues. 

  • Customers are responsible for what data they send to Appcues. While Appcues implements many controls to secure customer data while in transit and stored, Appcues cannot determine the sensitivity of the data you send.  Appcues also cannot control what data you export from Appcues or send to 3rd party integrations. To limit the data received by Appcues, you can use Appcues Ingest Filtering.
  • If the data you send to Appcues or the Experiences you display are sensitive (e.g. contains PII or confidential information that must be shown only to the appropriate user),  you can leverage Identity Verification to digitally sign your UserIDs to ensure that only intended users can see Appcues experiences.   This is required if you want HIPAA compliance to protect PHI.
  • To process data deletion requests according to GDPR, CCPA, or other similar privacy laws, Appcues requires you to confirm the identity of the user, and once confirmed, forward the request to Appcues by contacting support@appcues.com.  Appcues cannot handle requests directly from your end users since we cannot verify their identity.
  • Customers that use content integrity tags should follow the guidance in the Appcues Content Integrity Tags documentation. 
security privacy shared responsibility

Was this article helpful?

Yes
No
Give feedback about this article

Related Articles

  • Identity Verification
  • Content Security Policies
  • Installation Overview (for Developers)
Appcues logo

Product

Why Appcues
How it works
Integrations
Security
Pricing
What's new

Use cases

Appcues Integration Hub
User Onboarding Software
Feature Adoption Software
NPS & Surveys
Announcements
Insights
Mobile Adoption

Company

About
Careers
we're Hiring

Support

Developer Docs
Contact

Resources

The Appcues Blog
Product Adoption Academy
GoodUX
Case studies
Webinar Series
Made with Appcues
Appcues University

Follow us

Facebook iconTwitter icon greyLinkedin iconInstagram icon
© 2022 Appcues. All rights reserved.
SecurityTerms of ServicePrivacy Policy
Expand