Platform Security & Compliance

Appfarm uses a combination of enterprise-class security features, industry best practices, and comprehensive audits to ensure data protection.


Security compliance

ISO 27001:2022 Certification

Appfarm is ISO 27001:2022 certified for a three-year period from December 2023–December 2026


We can provide our ISO 27001 certificate upon request. Please contact Appfarm's Security department.

Cloud Security

Data center physical security


Appfarm hosts all Service Data in Google Cloud data centers. Google Cloud Platform has been certified as ISO27001, PCI DSS level 4, and SOC 2 compliant. Read more about compliance at Google Cloud.

On-site security

Google Cloud on-site security includes features such as security guards, fencing, intrusion detection systems, security feeds, comprehensive camera coverage, and other security measures. Read more about Google Cloud on-site security.

Data hosting location

Appfarm leverages services at Google Cloud running in Belgium.

Vendor security

Appfarm minimizes the risk associated with third-party service providers by performing reviews on all vendors with any level of access to Appfarm's systems or data. These reviews are revised annually.

Network security


Our cloud network is protected by several Google Cloud Platform security services, regular security audits, and network intelligence technologies, which monitor and/or block unknown malicious traffic and network attacks.


Our network security architecture is set up through layers of security using the principle of least privilege. Services run with only the privileges required to perform the tasks intended. Our Kubernetes clusters run in a zero-trust environment, allowing only intended functionality and communication and isolating customers from each other. Strict network policies further isolate services from each other.

Third-party security audits

In addition to an in-house security team that performs regular security audits in the development cycle, Appfarm also employs annual security audits by third-party security specialists. The audit consists of a complete whitebox audit of the Service, including access to the cloud environment.

Network vulnerability scanning

Security Health Analytics, Rapid Vulnerability Detection, Workload Vulnerability Scanner, and Web Security Scanner give Appfarm comprehensive knowledge and insight to quickly identify out-of-compliance or potentially vulnerable systems and services.

Intrusion detection and prevention

Ingress and egress traffic is monitored, detecting anomalous behavior. The systems are configured to generate alerts when incidents and values exceed predetermined thresholds.

Threat intelligence program

Appfarm participates in several threat intelligence programs, and our information security team is active in the cyber security community. Threats that occur are monitored, and action is taken based on risk.

DDoS mitigation

All Appfarm services running in Google Cloud Platform run behind Google load balancers. These load balancers are protected by Google Cloud Armor, which has many security features, including DDoS protection.

Logical access

Appfarm runs a least-privileged environment, where access to the Appfarm production network is restricted to only personnel who require access to maintain the running of the Service. Multi-factor authentication is required for all services connected to Appfarm systems.

Security incident response

In case of a system alert, events are escalated to our Cloud or Security team. Employees are trained on security incident response processes, including communication channels and escalation paths.

Logging and monitoring

Appfarm collects extensive access and traffic logs on the service and cloud environment, and log retention is set to 30 or 400 days depending on the log type. Alerts are set up to detect suspicious behavior or performance issues and are immediately handled by the cloud or development teams.


Encryption in transit

All communication with Appfarm endpoints is encrypted via industry-standard HTTPS/TLS over a public network. Appfarm regularly performs scans on our public endpoints, evaluates TLS configurations, and upgrades them if needed to maintain the highest level of information security in transit.

Encryption at Rest

Service data is encrypted at rest in Google Cloud using AES-256 key encryption.

Availability and continuity


Appfarm maintains a publicly available status page, which includes system availability details, scheduled maintenance, service incident history, and relevant security events.


By running in Google Cloud Platform on a regional basis, Appfarm is protected through Google's redundancy services in multiple geographical locations. Our strict backup regime, including regular backup tests, and our business continuity plan allow us to deliver a high service availability in compliance with agreed-upon SLAs.

Business continuity and disaster recovery

Our Business Continuity and Disaster Recovery Plan ensures that our services remain available and are easily recoverable in case of a disaster. The plan is tested regularly to identify areas of improvement and provide training to personnel.

Application Security

Secure Development Lifecycle

Secure code training

All engineers go through mandatory secure coding training based on the OWASP Top 10 framework and ASVS.

Version control

Appfarm employs a version control system for coding, with mandatory code reviews for changes that also take into account information security requirements.

Quality assurance

Appfarm's Quality Assurance department tests the codebase, and an in-house security team performs security tests on new and existing functionality added to the Service. Automatic tests are implemented in the codebase to ensure code changes don't introduce new bugs.

Separate environments

For development purposes, Appfarm runs four different environments; Development, Test, Staging, and Production. Only the Production environment contains data from customers.

Vulnerability management

Dynamic vulnerability scanning

Appfarm runs third-party security tools that dynamically scan Appfarm Create regarding, but not limited to, OWASP's Top 10 security risks. Our in-house product security team tests and works with the engineering team to discover and remediate issues.

Software composition analysis

Libraries and dependencies used in the Appfarm Service are scanned to identify vulnerabilities and ensure they are mitigated.

Product Security

Authentication security

Appfarm Create authentication

Appfarm Create has several different options for authentication: one-time password, SSO with Google, and username and password. Appfarm Client authentication

The Appfarm Client has several different options for authentication: one-time password, login link, SSO with custom identity provider using OpenID Connect, and username and password.

Credential storage

Appfarm follows security best practices by only storing passwords in salted one-way hashes with SCRYPT and never in a human-readable format.

Role-based access controls

Appfram Create has an extensive system for controlling permissions and roles. Appfarm has built-in roles that maintain "security by default" practices and also allows for custom roles to be made. More information about permissions and roles can be found in the Appfarm documentation.


To allow our versatile platform to communicate and integrate with external systems, secrets can be used to store sensitive values. Secrets are only available server-side and are not available in the Appfarm Client.

HR Security

Security awareness


Appfarm has developed a comprehensive collection of security policies to cover everything to ensure security in the day-to-day operations of the company. All employees and contractors with access to Appfarm information assets read and accept these policies.


All employees attend Security Awareness Training, which is given upon hire and renewed annually. Certain personnel also attend extra specialized training designed for their explicit roles and responsibilities. The Appfarm Security team provides additional awareness updates via email, Slack groups, and presentations during internal events.

Employee vetting

Confidentiality agreements

All new hires are required to sign non-disclosure and confidentiality agreements.

Last updated