What are your data privacy policies? Will you be acting as a data processor/provider of vendor’s data (with vendor as data controller or business)?   

Our data privacy policy is here https://www.appbind.com/privacy.

Almost all sensitive data in AppBind belongs to your channel partners and your mutual customers, not to Vendor. We share individual-level or PII data with Vendor only with the data owners' opt-in consent. Otherwise, we report to you only anonymous, aggregated, de-individuated market data about general activity relating to Vendor on the AppBind platform.

Where we do act as a data processor of Vendor data (user accounts, financial records), this data belongs to Vendor and will not be shared without your explicit consent.

We do not send PII or other sensitive data to third-party analytics tools. Security and activity monitors use anonymized tokens in place of user identifiers where necessary.
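
As an added illustration of the anonymized-token approach (example code written for this page, not AppBind's own implementation): a keyed-hash pseudonymizer that replaces an email address with a stable, non-reversible token before an activity event is handed to an external monitor. The key, the event fields and the sample events are all constructed for the example; the key would in practice come from a secrets store and never be given to the monitor.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Pseudonymizer turns a user identifier into a stable token that a third-party
// monitor can use to correlate events without ever seeing the underlying email.
// The key stays on the platform side (hypothetical here); the monitor only
// receives tokens.
type Pseudonymizer struct {
	key []byte
}

func NewPseudonymizer(key []byte) *Pseudonymizer {
	return &Pseudonymizer{key: key}
}

// Token returns a keyed hash (HMAC-SHA256) of the normalized identifier.
// A plain SHA-256 of an email is reversible by brute force over likely
// addresses; the secret key is what makes the token non-reversible for
// anyone who does not hold it. Normalizing first keeps "A@x.com" and
// " a@x.com" on the same token.
func (p *Pseudonymizer) Token(identifier string) string {
	norm := strings.ToLower(strings.TrimSpace(identifier))
	mac := hmac.New(sha256.New, p.key)
	mac.Write([]byte(norm))
	return hex.EncodeToString(mac.Sum(nil))[:32]
}

// Event is a constructed activity record as it exists inside the platform.
type Event struct {
	UserEmail string
	Action    string
	AmountUSD int
}

// MonitorEvent is the PII-free form that may be sent to an external monitor.
type MonitorEvent struct {
	UserToken string
	Action    string
	AmountUSD int
}

// Anonymize replaces the identifier with its token and copies only the fields
// the monitor needs; nothing else from Event is forwarded.
func (p *Pseudonymizer) Anonymize(e Event) MonitorEvent {
	return MonitorEvent{
		UserToken: p.Token(e.UserEmail),
		Action:    e.Action,
		AmountUSD: e.AmountUSD,
	}
}

func main() {
	// Constructed sample key and events.
	p := NewPseudonymizer([]byte("example-monitoring-key-rotate-me"))
	events := []Event{
		{UserEmail: "Partner@Example.com", Action: "payout.created", AmountUSD: 250},
		{UserEmail: " partner@example.com", Action: "login", AmountUSD: 0},
		{UserEmail: "other@example.com", Action: "login", AmountUSD: 0},
	}
	for _, e := range events {
		fmt.Printf("%+v\n", p.Anonymize(e))
	}
}
```

Rotating the key changes every token, so correlation across a rotation needs a deliberate re-keying step; that is the cost of tokens that cannot be reversed without the key.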

Do you follow any compliance frameworks (HIPAA, PCI DSS, etc) or obtain security related compliance reporting/certifications (SOC1/2, ISO 27000, etc.)?  If so, please provide the most recent report.  

We rely on third-party platforms that hold security certifications:

Marqeta (PCI DSS Level 1, SSAE 18)
Stripe (PCI DSS Level 1)
Dwolla (SOC 2)
Auth0 (SOC 2, PCI DSS)
AWS (PCI DSS Level 1, SOC 1, SOC 2, SOC 3)

Do you have formally adopted incident response policy?  If so, please provide a brief description.  

We monitor all activity on the system. We notify key personnel, escalating through Slack, SMS and phone. We contact affected customers to confirm whether the behavior is suspicious. We progressively lock accounts layer by layer (AppBind, Marqeta, Stripe, Dwolla). After the event is resolved, we hold a post-mortem and treat as critical priority any updates to our security model needed to mitigate similar incidents automatically in future.

Do you have a SOC (Security Operations Center) or any dedicated security personnel?  Please describe your organization’s security program and approach to information security.  

The CTO is directly responsible for security.

Please describe the integration.  Which Vendor system will your solution integrate with?  

Options:

1. None. AppBind can live entirely outside of Vendor's systems.
2. ACH connection to your bank account to manage payouts to channel partners.
3. ACH connection to your bank account, plus updates to partner-customer relationship data in the CRM of your choice, plus pushing transaction data into the accounting system of your choice.

How will you store information about Vendor, and is it stored safely? (Is encryption at-rest & in-transit implemented, etc.)? What is the geographic location of your data storage?

Data is encrypted in transit and at rest. Payment credentials are encrypted and stored in compliant platforms, entirely separate from AppBind systems. Data storage is in AWS us-east-2 (Ohio); see the datacenter answer below.

What type of Vendor data will your company be storing (financial, PII, etc.)?  

Either none, as the data belongs to Vendor's partners and your mutual customers, or transaction data for the Vendor channel partner commissions, rebates or credits that we manage.

If you are placing a marketing pixel, please describe what cookies or trackers your solution will drop. This would include any sub-vendor cookies, entity tags, and local storage items.  

No trackers.

Please describe your approach to access control as it relates to your company’s internal production systems as well as the production systems and databases potentially housing Vendor data.  

Only key personnel have access to production servers and databases.

How will Vendor’s authentication credentials be stored?

We use a third-party provider, Auth0, to securely manage authentication credentials.

What is your data retention policy for Vendor’s data? Do you offer the ability to delete Vendor data sooner than the default policy (e.g., if a Vendor customer requests deletion, can we do so via APIs or set a precise period in our account settings)?

AppBind is committed to complying with privacy regulations common to the US, EU and Canada, including GDPR, PIPEDA and other laws modeled on the OECD Privacy Framework.

A key principle of AppBind functionality is that users own their own data. Users can request destruction of their own data unless limited by law. Where data involves financial transactions or records of contract authorizations, we must comply with record-keeping regulations.

Have you ever been compromised? Can you provide details of the situations and what the response consisted of?

No.

If there is a compromise in the future how and when will Vendor be notified?

Vendor will be notified within 24 hours after a compromise affecting Vendor has been confirmed at the email address of the administrator account on file.

Do you have a regular penetration testing schedule? If not, are there plans to establish one?

Yes. We use Probely.com.

What are your patching processes (including timelines) for addressing vulnerabilities in your software and other third party technologies used?  

We push critical updates to our own software as soon as possible. We track all dependencies and update them at least once a quarter.

Do you have Business Continuity and Disaster Recovery (BCDR) plans documented and implemented?  How frequently are plans tested?  

Yes.

Does your solution enforce 2FA? 

2FA is available, but optional.

Does your solution integrate with SAML systems such as Okta?  

We use Auth0. This functionality is available. https://auth0.com/docs/protocols/saml/identity-providers/okta

Do you offer a Bug Bounty program to security researchers?  

No.

Is secret management in house or do you use 3rd party solutions?  

We use Amazon KMS (AWS Key Management Service).
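
The encryption-at-rest answer above and the KMS answer here describe the same pattern, envelope encryption: each record is encrypted under its own data key, and only that data key is wrapped by the master key held in the KMS. The following Go example is added to show the mechanics; it is not AppBind's code, and its `localKMS` is a hypothetical in-process stand-in for the AWS KMS GenerateDataKey/Decrypt calls, not the AWS SDK. The key ID, record contents and field names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// KeyService is the minimal KMS surface envelope encryption needs. It mirrors the shape of AWS KMS GenerateDataKey/Decrypt but is a hypothetical stand-in, not the AWS SDK.
type KeyService interface {
	GenerateDataKey(keyID string) (plain, wrapped []byte, err error)
	Decrypt(keyID string, wrapped []byte) ([]byte, error)
}

// localKMS keeps master keys in memory and never hands them out; callers only ever see data keys.
type localKMS struct{ masterKeys map[string][]byte }

func (k *localKMS) GenerateDataKey(keyID string) ([]byte, []byte, error) {
	mk, ok := k.masterKeys[keyID]
	if !ok {
		return nil, nil, fmt.Errorf("unknown key id %q", keyID)
	}
	dek := randomBytes(32)
	return dek, seal(mk, dek, []byte(keyID)), nil // keyID as AAD binds the wrap to this key
}

func (k *localKMS) Decrypt(keyID string, wrapped []byte) ([]byte, error) {
	mk, ok := k.masterKeys[keyID]
	if !ok {
		return nil, fmt.Errorf("unknown key id %q", keyID)
	}
	return open(mk, wrapped, []byte(keyID))
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy source is not a recoverable condition
	}
	return b
}

func gcmFor(key []byte) cipher.AEAD { // every key here is exactly 32 bytes, so setup cannot fail
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

func seal(key, plaintext, aad []byte) []byte { // returns nonce || ciphertext || tag
	nonce := randomBytes(12)
	return gcmFor(key).Seal(nonce, nonce, plaintext, aad)
}

func open(key, data, aad []byte) ([]byte, error) { // fails on any tampering, including a wrong aad
	if len(data) < 12 {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcmFor(key).Open(nil, data[:12], data[12:], aad)
}

// Envelope is what lands in the database; a dump alone exposes nothing, since only the KMS can unwrap the key.
type Envelope struct {
	KeyID      string `json:"key_id"`
	WrappedDEK []byte `json:"wrapped_dek"`
	Ciphertext []byte `json:"ciphertext"`
}

// EncryptRecord mints a fresh data key per record; the wrapped key is the AAD, so a ciphertext cannot be re-paired with another key.
func EncryptRecord(kms KeyService, keyID string, plaintext []byte) ([]byte, error) {
	dek, wrapped, err := kms.GenerateDataKey(keyID)
	if err != nil {
		return nil, err
	}
	return json.Marshal(Envelope{KeyID: keyID, WrappedDEK: wrapped, Ciphertext: seal(dek, plaintext, wrapped)})
}

// DecryptRecord asks the KMS to unwrap the data key, then decrypts locally.
func DecryptRecord(kms KeyService, stored []byte) ([]byte, error) {
	var env Envelope
	if err := json.Unmarshal(stored, &env); err != nil {
		return nil, err
	}
	dek, err := kms.Decrypt(env.KeyID, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, env.WrappedDEK)
}

func main() {
	kms := &localKMS{masterKeys: map[string][]byte{"vendor-records": randomBytes(32)}}
	stored, _ := EncryptRecord(kms, "vendor-records", []byte(`{"ach_last4":"6789","payout_usd":250}`)) // constructed sample
	plain, err := DecryptRecord(kms, stored)
	fmt.Printf("stored: %s\nrecovered: %s (err=%v)\n", stored, plain, err)
}
```

With the real service, the two `localKMS` methods correspond to the KMS `GenerateDataKey` and `Decrypt` API calls and the key ID becomes the KMS key identifier; the record-level code is unchanged. Because every stored envelope carries its own wrapped key, rotating the master key means re-wrapping data keys rather than re-encrypting every record, and a stolen database dump without KMS access yields only opaque ciphertext.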

Would it be possible to work with a dedicated security contact from the vendor?  

Yes.

Is there a place to check up/down time of AppBind?

Not yet. However, our biggest downtime risk is credit card authorizations, and the Marqeta system handles failover for those automatically.

Where's your datacenter? Do you have a backup one?

AWS us-east-2 (Ohio), across multiple availability zones (i.e. AWS handles failover between data centers within us-east-2).