Appinio

Security

At Appinio, we prioritize the security of your data and take numerous measures to ensure its confidentiality, integrity, and availability. Our team of experts monitors our systems and adapts to the changing landscape of online security to provide the highest level of protection. We are committed to maintaining your trust through our dedication to the security of your data.

Trusted and loved by 3,000+ clients

Measures to keep your data safe

Data Security

To ensure the security of the data of our customers and app users, Appinio employs encryption methods for data at rest and in transit. We utilize tools and hardware security modules to manage encryption keys and follow industry-standard best practices to maximize security.

Infrastructure Security

Appinio uses Amazon Web Services to host our application. We make full use of the security products embedded within the AWS ecosystem, including GuardDuty, CloudWatch and CloudTrail. In addition, we deploy our application using containers run on AWS managed services, meaning we typically do not manage servers or EC2 instances in production.

Application Security

To keep our product secure, Appinio employs high-quality tools to analyze code and search for vulnerabilities during every stage of the development process. Traffic within and between our applications is always SSL secured.

Information Security

Appinio follows the principle of least privilege in every critical part of our infrastructure and systems. We enforce multi-factor authentication on every tool that we use and train our personnel in security awareness on a monthly basis.

Trusted and Trustworthy

GDPR

We are fully GDPR compliant and committed to protecting personal data.
Technical & organisational measures

To read more about the technical and organisational measures we take to protect personal data, please refer to our trust center.
SOC 2 Type II

We’ve successfully completed the SOC 2 Type 2 examination. More in our trust center.

Discovered a security issue?

If you are a security expert or researcher and believe you have discovered a security-related issue on Appinio’s websites and products, we appreciate your help. Please notify us about the issue.

Read more about our bug bounty program below.

security@appinio.com

Appinio Bug Bounty Program

Welcome to the Appinio Bug Bounty Program! We value the security of our applications and appreciate the contributions of security researchers who help us identify and address potential vulnerabilities.

What is a Bug Bounty Program?

A bug bounty program invites security researchers to test our applications for vulnerabilities. If you discover a security flaw and report it responsibly, following our rules, you may be eligible for a reward. This program is designed to foster collaboration between Appinio and the security community in an effort to improve the overall security posture of Appinio.

Scope

The scope of this program includes the following domains:

Out of Scope

The following vulnerabilities are explicitly out of scope and will not be eligible for to receive bug bounties.

Denial-of-Service (DoS) attacks
Email-related vulnerabilities (e.g., SPF, DKIM, DMARC misconfigurations)
Social engineering

Reporting Vulnerabilities

To report a vulnerability, please send an email to security@appinio.com. Your report should include the following information:

A clear and concise description of the vulnerability, incl. the potential impact
Steps to reproduce the vulnerability.
The affected URL.
Any supporting materials (e.g., screenshots, proof-of-concept code).

Timelines

We will acknowledge the receipt of your report as soon as possible and will begin triaging your report immediately upon receipt. We aim to provide you with confirmation of whether we consider your report valid and will award a bounty at the end of the process within one week and aim to provide you with regular updates throughout the remediation development process. Bounties will be paid out after a fix for the reported vulnerability has been developed.

Bounty Rewards

The amount of the bounty we award to your reports will depend on the severity and impact of the vulnerability, as determined by our security team. We use the CVSS (Common Vulnerability Scoring System) to help us determine the severity of vulnerabilities.

If duplicate reports for the same vulnerabilities are submitted, a bounty will only be awarded to the first submission.

Terms

We ask that you do not disclose your findings to anyone else until the vulnerability has been remediated. Please be aware that you will not be eligible to receive a bounty if you publicly share your findings before we can remediate it.

Avoid disruptive testing that could cause disruptions in our systems. Denial-of-Service vulnerabilities are considered out of scope and will not be awarded with a bounty.

You are only permitted to test the systems in scope of this bug bounty program. Please do not test any systems outside the scope of this program.

Once you have confirmed that you have found a vulnerability, we ask that you do not attempt further exploitation, but instead report it immediately to us.

Please make sure that your report contains all relevant information to verify your findings. This will help us in quickly triaging your issue and result in a faster payout of your bounty.