AppsClicks
Trust & security

Security you can audit.

Defense-in-depth isn't a slogan on AppsClicks — it's six layers of independent controls, written in code, reviewed in public, and tested against real adversaries. This page documents exactly how we keep your data safe.

6 defense layers · 24/7 monitoring · AES-256 at rest
Defense in depth

Six layers. Every request.

No single control stands alone. A request entering AppsClicks crosses six independent checkpoints before it can touch a single byte of your data. Each layer is owned, tested and versioned separately.

Identity & SSO

SAML 2.0 and OIDC single sign-on with your IdP. Mandatory WebAuthn for admins, hardware-key enforcement for break-glass, no shared logins anywhere.

Network isolation

Per-tenant virtual networks, private egress only, mTLS between every internal service. Public surface is exactly three endpoints, behind a hardened edge.

Encryption at rest & in transit

AES-256-GCM at rest with per-tenant data keys. TLS 1.3 for every hop, including intra-region replication. Key material never leaves a FIPS 140-2 module.

Least-privilege IAM

Zero standing access. Engineers request scoped, time-bound credentials per task; production changes require a second reviewer and leave a signed record.

Immutable audit logs

Every authenticated action is logged to an append-only, hash-chained store. Logs are exported in real time to your SIEM on enterprise plans.
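How an append-only, hash-chained store makes tampering detectable, as an added Go example. This is not AppsClicks' code; the record fields, the all-zero genesis anchor and hashing the canonical JSON of each record are assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Entry is one audit record. PrevHash links it to the record before it and Hash covers
// every field including PrevHash, so editing, deleting or reordering any earlier record
// changes what every later hash should be.
type Entry struct {
	Seq      uint64 `json:"seq"`
	Actor    string `json:"actor"`
	Action   string `json:"action"`
	Target   string `json:"target"`
	PrevHash string `json:"prev_hash"`
	Hash     string `json:"hash,omitempty"`
}

// genesis anchors the first record (assumption: a fixed, public all-zero value).
const genesis = "0000000000000000000000000000000000000000000000000000000000000000"

// hashEntry is SHA-256 over the entry's canonical JSON with its own Hash field cleared.
// Struct field order fixes the encoding, so the same record always hashes the same way.
func hashEntry(e Entry) string {
	e.Hash = ""
	b, err := json.Marshal(e)
	if err != nil {
		panic(err) // only unmarshalable types can fail here, and Entry has none
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Log is append-only by construction: there is no method that modifies or removes an entry.
type Log struct{ entries []Entry }

// Append links the new record to the current head and seals it with its hash.
func (l *Log) Append(actor, action, target string) Entry {
	prev := genesis
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	e := Entry{Seq: uint64(len(l.entries)), Actor: actor, Action: action, Target: target, PrevHash: prev}
	e.Hash = hashEntry(e)
	l.entries = append(l.entries, e)
	return e
}

// Entries returns a copy, so callers (or an export job) cannot reach into the log's own slice.
func (l *Log) Entries() []Entry { return append([]Entry(nil), l.entries...) }

// Verify replays the chain from genesis and returns the index of the first record that breaks
// it, or -1 when the log is intact. It catches in-place edits, dropped records and reordering;
// a silently truncated tail is only caught by comparing the last hash to a trusted head.
func Verify(entries []Entry) (int, error) {
	prev := genesis
	for i, e := range entries {
		switch {
		case e.Seq != uint64(i):
			return i, fmt.Errorf("entry %d: sequence gap (got seq %d)", i, e.Seq)
		case e.PrevHash != prev:
			return i, fmt.Errorf("entry %d: does not link to its predecessor", i)
		case hashEntry(e) != e.Hash:
			return i, fmt.Errorf("entry %d: content does not match its hash", i)
		}
		prev = e.Hash
	}
	return -1, nil
}

func main() {
	var l Log
	l.Append("alice", "login", "console")
	l.Append("alice", "export", "report-42")
	edited := l.Entries()
	edited[0].Actor = "mallory"
	fmt.Println(Verify(l.Entries()))
	fmt.Println(Verify(edited))
}
```

The caveat a reviewer should hold the vendor to: a hash chain only proves consistency with whatever head hash you already trust. An attacker with write access to the store can rewrite the whole chain and recompute every hash, so the current head has to be anchored somewhere the log writer cannot alter, for example the real-time SIEM export the page describes, or a periodically signed checkpoint held by the customer.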

Continuous monitoring

Behavioural detections on API traffic, identity events and workload anomalies. Paging rotation 24/7, mean time to acknowledge under 5 minutes.

Data handling

Less data, held closer to home.

The safest data is the data we never collect. Everything we do collect follows a documented lifecycle — minimized at ingest, stored in the region you choose, and retired on a clock you can read.

Collection

Minimize, then measure.

We collect only the signals required to attribute a campaign and score for fraud. Device identifiers are hashed at ingest, IPs are truncated before storage, and personally identifying fields are rejected at the edge unless explicitly scoped.

PII fields accepted · 0 by default
IP truncation · last octet dropped
Hashing · SHA-256, salted
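What "minimized at ingest" looks like in code, as an added Go example. This is not AppsClicks' ingest pipeline: the field names, the split between attribution fields and PII fields, the IPv6 prefix length and the per-tenant salt are all assumptions made for the example. It hashes the device identifier with a salt, drops the last IPv4 octet, rejects unscoped PII at the edge and never stores fields outside the schema.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net"
	"strings"
)

// Constructed ingest policy for this example. The field names and the split between
// attribution fields and PII fields are assumptions, not AppsClicks' real schema.
var (
	allowedFields = map[string]bool{"campaign_id": true, "device_id": true, "ip": true, "ts": true, "event": true}
	piiFields     = map[string]bool{"email": true, "phone": true, "name": true, "device_id_raw": true}
)

// truncateIP drops the last octet of an IPv4 address (what the page states). The page says
// nothing about IPv6; keeping only the /48 prefix there is an assumption of this example.
func truncateIP(s string) (string, error) {
	ip := net.ParseIP(s)
	if ip == nil {
		return "", fmt.Errorf("invalid ip %q", s)
	}
	if v4 := ip.To4(); v4 != nil {
		return v4.Mask(net.CIDRMask(24, 32)).String(), nil
	}
	return ip.Mask(net.CIDRMask(48, 128)).String(), nil
}

// hashDeviceID returns hex(SHA-256(salt || id)). With a secret per-tenant salt the result is a
// stable pseudonym inside one tenant and unlinkable across tenants. It is pseudonymisation,
// not anonymisation: anyone holding the salt can recompute the hash of a known identifier.
func hashDeviceID(salt []byte, id string) string {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(id))
	return hex.EncodeToString(h.Sum(nil))
}

// Minimize applies the policy to one raw event before anything is stored. PII fields are
// rejected unless explicitly scoped for the tenant, the IP is truncated, the device ID is
// hashed, and fields outside the schema are dropped rather than kept "just in case".
func Minimize(raw map[string]string, salt []byte, scopedPII map[string]bool) (map[string]string, error) {
	out := make(map[string]string, len(raw))
	for k, v := range raw {
		key := strings.ToLower(strings.TrimSpace(k))
		switch {
		case piiFields[key] && !scopedPII[key]:
			return nil, fmt.Errorf("rejected at edge: PII field %q is not scoped for this tenant", key)
		case key == "ip":
			t, err := truncateIP(v)
			if err != nil {
				return nil, err
			}
			out[key] = t
		case key == "device_id":
			out[key] = hashDeviceID(salt, v)
		case allowedFields[key] || scopedPII[key]:
			out[key] = v
		}
		// anything else falls through the switch and is never stored
	}
	return out, nil
}

func main() {
	// Constructed sample event; 203.0.113.0/24 is a documentation range.
	raw := map[string]string{"campaign_id": "cmp-1", "device_id": "ABC-123", "ip": "203.0.113.77", "referrer": "x"}
	fmt.Println(Minimize(raw, []byte("constructed-tenant-salt"), nil))
}
```

The salt is the part to ask about in a vendor review: a salted hash of a low-entropy identifier is only as private as the salt, so it needs the same custody and rotation story as a key, and rotating it breaks linkage with previously hashed events by design.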
Residency

Where your data lives.

Singapore is our primary region; Dubai is our warm-standby secondary. You choose which region holds primary and whether secondary replication is enabled. Regional failover is automatic; moving data out of its chosen region (cross-region exit) requires a signed change request.

Primary region · Singapore
Secondary region · Dubai (opt-in)
Cross-region transit · mutual TLS over TLS 1.3
Retention

Short windows, long aggregates.

Raw event payloads expire on a 90-day rolling window. Aggregated metrics (cohorts, fraud scores, performance curves) are retained for the life of the tenancy so reporting and historical benchmarks keep working after the raw events are purged.

Raw events · 90 days
Aggregates · tenancy lifetime
Deletion · cryptographic erasure
Infrastructure controls

Controls we operate every hour of every day.

A platform is only as strong as the rails it runs on. These are the operational controls that sit under the product — always on, fully automated, and exercised continuously.

Tenant isolation

Each customer gets a dedicated logical stack: separate data keys, separate queues, separate observability streams. Cross-tenant queries are architecturally impossible, not merely blocked.
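How per-tenant data keys (Encryption at rest, Tenant isolation) and cryptographic erasure (Deletion) fit together, as an added Go example. This is not AppsClicks' code: the key hierarchy, the in-memory stand-in for the HSM-held key-encryption key and the use of the tenant ID as associated data are assumptions made for the example. It shows that a record can only be read under its own tenant's key and ID, and that deleting the wrapped data key makes the ciphertext unrecoverable without touching any stored copy.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Keyring holds one 256-bit data-encryption key (DEK) per tenant, stored only in wrapped form
// under a key-encryption key (KEK). In production the KEK stays inside the HSM; here it is an
// in-memory key so the example runs offline. This layout is an assumption, not AppsClicks' own.
type Keyring struct {
	kek     []byte
	wrapped map[string][]byte // tenant ID -> nonce || AES-256-GCM(KEK, DEK, aad = tenant ID)
}

func NewKeyring() *Keyring { return &Keyring{kek: randBytes(32), wrapped: map[string][]byte{}} }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is unrecoverable; never fall back to a weaker source
	}
	return b
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under a fresh random 96-bit nonce; output is nonce || ct || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext, tag or AAD fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// ProvisionTenant mints a fresh DEK and keeps only its wrapped form, bound to the tenant ID.
func (k *Keyring) ProvisionTenant(tenant string) error {
	w, err := seal(k.kek, randBytes(32), []byte(tenant))
	if err != nil {
		return err
	}
	k.wrapped[tenant] = w
	return nil
}

// withDEK unwraps the tenant's key on demand; it fails once the wrapped key has been erased.
func (k *Keyring) withDEK(tenant string, f func(dek []byte) ([]byte, error)) ([]byte, error) {
	w, ok := k.wrapped[tenant]
	if !ok {
		return nil, fmt.Errorf("tenant %q has no data key (erased or never provisioned)", tenant)
	}
	dek, err := open(k.kek, w, []byte(tenant))
	if err != nil {
		return nil, err
	}
	return f(dek)
}

// Encrypt and Decrypt bind each record to its tenant via AAD, so a cross-tenant read fails
// authentication instead of decrypting to garbage.
func (k *Keyring) Encrypt(tenant string, record []byte) ([]byte, error) {
	return k.withDEK(tenant, func(dek []byte) ([]byte, error) { return seal(dek, record, []byte(tenant)) })
}

func (k *Keyring) Decrypt(tenant string, sealed []byte) ([]byte, error) {
	return k.withDEK(tenant, func(dek []byte) ([]byte, error) { return open(dek, sealed, []byte(tenant)) })
}

// Erase is cryptographic erasure: dropping the wrapped DEK makes every record under it
// unrecoverable, including copies in backups or the standby region that are never touched.
func (k *Keyring) Erase(tenant string) { delete(k.wrapped, tenant) }

func main() {
	kr := NewKeyring()
	_ = kr.ProvisionTenant("tenant-a")
	ct, _ := kr.Encrypt("tenant-a", []byte("click event"))
	kr.Erase("tenant-a")
	fmt.Println(kr.Decrypt("tenant-a", ct))
}
```

Two things to verify in a real deployment that this toy cannot show: that the wrapped DEK is the only copy (unwrapped DEKs cached in application memory or logs defeat erasure until they are gone), and that the KEK itself is non-exportable from the HSM, since anyone holding the KEK can unwrap any tenant's key.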

Secret rotation

All credentials, API tokens and signing keys rotate at least every 90 days. Emergency rotation is a single command, propagates in under 60 seconds, and is exercised in staging weekly.

Zero-trust access

No VPN. Every engineer session re-authenticates via device posture, hardware key and per-request authorization. Production is inaccessible from an unmanaged endpoint.

Infrastructure as code

100% of production infra is declarative and peer-reviewed in version control. Drift is detected hourly and auto-reverted. Manual console changes trigger an incident.

Dependency scanning

Every build generates an SBOM and is scanned for known CVEs and license risk. Critical findings block the pipeline; high findings open a ticket before the PR merges.

Vulnerability management

External quarterly penetration tests and continuous internal red-team exercises. Findings are triaged within one business day and tracked to remediation on a public SLA.

Compliance roadmap

Certifications shipped on a public schedule.

We publish the roadmap because procurement teams deserve real dates, not intentions. Milestones move when the evidence moves — not when marketing decides.

  • Live · Today

    GDPR-aligned practices

    Lawful basis documented per data category, DPA templates on every enterprise contract, subject-access and erasure APIs shipping with every tenant.

  • Live · Today

    PDPA (Singapore) alignment

    Notification, consent and access obligations met for our Singapore primary region. DPO contact on file and breach-notification workflow tested.

  • In progress · Reporting 2026

    SOC 2 Type I

    Readiness assessment complete, evidence collection automated, Type I audit window open with an independent CPA firm. Report available under NDA.

  • Planned · Targeting H2 2026

    SOC 2 Type II

    Operating-effectiveness observation period begins immediately after Type I. Annual attestation from there on, published on the trust portal.

  • Planned · Targeting 2027

    ISO 27001

    Formal ISMS scoped, Annex A controls mapped to current practice, gap-assessment scheduled. Certification body selection after SOC 2 Type II.

Responsible disclosure

Find something? Tell us first.

We welcome reports from independent security researchers. If you follow the rules below, we will not pursue legal action, we will credit you publicly (if you want), and we will keep you updated until the issue is resolved.

  • Give us reasonable time to triage and remediate before any public disclosure.
  • Do not access, modify or delete data that does not belong to you.
  • Do not run automated scanners against production at a rate that degrades service.
  • Encrypt your report with our PGP key if the vulnerability is sensitive.
PGP fingerprint
8F3A 2C91 4E7D 1B62 5A09 FE48 3D7C B104 6921 A5DE
Fingerprint rotates annually. Current key published at appsclicks.com/.well-known/security.txt.
Response SLA

What happens after you hit send

Severity · Triage · Fix target
Critical · 1 business day · < 7 days
High · 1 business day · < 30 days
Medium · 3 business days · < 90 days
Low · 5 business days · Next release

SLA clock starts when the report is acknowledged by a member of the on-call security rotation. Progress updates are sent every 7 days until closure.

Enterprise security review

Your security team, meet ours.

Procurement, vendor risk and CISO reviews are a normal part of rolling us out. Request our trust pack, the latest vendor questionnaire, or a live call with our security engineers.

What's in the trust pack
  • Architecture and data-flow diagrams
  • Current SOC 2 Type I evidence memo
  • Sub-processor list with regions
  • Latest penetration-test summary
  • Signed DPA template, ready for counsel
  • Incident-history disclosure (3 years)
security@appsclicks.com · Response within 1 business day