As described in the Appcues Trust Center, Appcues invests heavily and continually monitors the Appcues platform to protect the security and privacy of our customer data. However, if your organization uses certain Appcues features, you also have a responsibility to take action to fully protect the security and privacy of the data managed by Appcues.  This is commonly referred to as a shared responsibility model. This document describes the shared responsibility of certain Appcues features and their benefits.  As new capabilities are introduced, or responsibilities are identified, this page will be updated or expanded.

Appcues Responsibilities

Appcues maintains comprehensive documentation regarding the security of the Appcues platform and the Appcues Security Program in our Trust Center.  Security is ever-evolving, and Appcues regularly makes updates or improvements documented there.  A few notable aspects of our security program include:

• All customer data is encrypted both in transit and at rest.
• Documentation is maintained to ensure an Appcues installation is compatible with Content Security Policies.
• A SOC-2 audit and report is performed annually by a professional 3rd party auditor. 
• A Penetration Test and report is conducted annually by a professional 3rd party security research firm.
• Within 48 hours of discovering any security incident, notice will be sent to impacted Appcues account administrators.
• For accounts enabled for HIPAA compliance, Appcues also ensures all data is processed according to HIPAA regulations.

Customer Responsibilities

The following items are not required to operate Appcues, but by following these responsibilities, customers can improve their security posture using Appcues. 

• Customers are responsible for what data they send to Appcues. While Appcues implements many controls to secure customer data while in transit and stored, Appcues cannot determine the sensitivity of the data you send.  Appcues also cannot control what data you export from Appcues or send to 3rd party integrations. To limit the data received by Appcues, you can use Appcues Ingest Filtering.
• If the data you send to Appcues or the Experiences you display are sensitive (e.g. contains PII or confidential information that must be shown only to the appropriate user),  you can leverage Identity Verification to digitally sign your UserIDs to ensure that only intended users can see Appcues experiences.   This is required if you want HIPAA compliance to protect PHI.
• To process data deletion requests according to GDPR, CCPA, or other similar privacy laws, Appcues requires you to confirm the identity of the user, and once confirmed, forward the request to Appcues by contacting support@appcues.com.  Appcues cannot handle requests directly from your end users since we cannot verify their identity.
• Customers that use content integrity tags should follow the guidance in the Appcues Content Integrity Tags documentation.