# Platform Security & Compliance
Appfarm uses a combination of enterprise-class security features, industry best practices, and comprehensive audits to ensure data protection.
## Compliance
Security compliance
**ISO 27001:2022 Certification**
Appfarm is ISO 27001:2022 certified for a three-year period from December 2023–December 2026
Artifacts
Our ISO 27001:2022 certificate can be requested at our [Trust Center](https://trust.appfarm.io/).
Trust Center
To learn more about how Appfarm remains compliant, please visit our [Trust Center](https://trust.appfarm.io/), which tracks ISO 27001:2022 controls and other security-related compliance.
## Cloud Security
Data center physical security
**Facilities**
Appfarm hosts all Service Data in Google Cloud data centers. Google Cloud Platform has been certified as ISO27001, PCI DSS level 4, and SOC 2 compliant. Read more about [compliance at Google Cloud](https://cloud.google.com/compliance?hl=en).
**On-site security**
Google Cloud on-site security includes features such as security guards, fencing, intrusion detection systems, security feeds, comprehensive camera coverage, and other security measures. Read more about [Google Cloud on-site security](https://www.google.com/about/datacenters/data-security/).
**Data hosting location**
Appfarm leverages services at Google Cloud running in Belgium.
Vendor security
Appfarm minimizes the risk associated with third-party service providers by performing reviews on all vendors with any level of access to Appfarm's systems or data. These reviews are revised annually.
Network security
**Protection**
Our cloud network is protected by several Google Cloud Platform security services, regular security audits, and network intelligence technologies, which monitor and/or block unknown malicious traffic and network attacks.
**Architecture**
Our network security architecture is set up through layers of security using the principle of least privilege. Services run with only the privileges required to perform the tasks intended. Our Kubernetes clusters run in a zero-trust environment, allowing only intended functionality and communication and isolating customers from each other. Strict network policies further isolate services from each other.
**Third-party security audits**
In addition to an in-house security team that performs regular security audits in the development cycle, Appfarm also employs annual security audits by third-party security specialists. The audit consists of a complete whitebox audit of the Service, including access to the cloud environment.
**Network vulnerability scanning**
Security Health Analytics, Rapid Vulnerability Detection, Workload Vulnerability Scanner, and Web Security Scanner give Appfarm comprehensive knowledge and insight to quickly identify out-of-compliance or potentially vulnerable systems and services.
**Intrusion detection and prevention**
Ingress and egress traffic is monitored, detecting anomalous behavior. The systems are configured to generate alerts when incidents and values exceed predetermined thresholds.
**Threat intelligence program**
Appfarm participates in several threat intelligence programs, and our information security team is active in the cyber security community. Threats that occur are monitored, and action is taken based on risk.
**DDoS mitigation**
All Appfarm services running in Google Cloud Platform run behind Google load balancers. These load balancers are protected by Google Cloud Armor, which has many security features, including DDoS protection.
**Logical access**
Appfarm runs a least-privileged environment, where access to the Appfarm production network is restricted to only personnel who require access to maintain the running of the Service. Multi-factor authentication is required for all services connected to Appfarm systems.
**Security incident response**
In case of a system alert, events are escalated to our Cloud or Security team. Employees are trained on security incident response processes, including communication channels and escalation paths.
**Logging and monitoring**
Appfarm collects extensive access and traffic logs on the service and cloud environment, and log retention is set to 30 or 400 days depending on the log type. Alerts are set up to detect suspicious behavior or performance issues and are immediately handled by the cloud or development teams.
Encryption
**Encryption in transit**
All communication with Appfarm endpoints is encrypted via industry-standard HTTPS/TLS over a public network. Appfarm regularly performs scans on our public endpoints, evaluates TLS configurations, and upgrades them if needed to maintain the highest level of information security in transit.
**Encryption at Rest**
Service data is encrypted at rest in Google Cloud using AES-256 key encryption.
Availability and continuity
**Uptime**
Appfarm maintains a publicly available [status page](https://status.appfarm.io/), which includes system availability details, scheduled maintenance, service incident history, and relevant security events.
**Redundancy**
By running in Google Cloud Platform on a regional basis, Appfarm is protected through Google's redundancy services in multiple geographical locations. The applications run in multi-zone Kubernetes, and the databases run by default on three different nodes in different zones. Our strict backup regime, including regular backup tests, and our business continuity plan allow us to deliver a high service availability in compliance with agreed-upon SLAs.
**Business continuity and disaster recovery**
Our Business Continuity and Disaster Recovery Plan ensures that our services remain available and are easily recoverable in case of a disaster. The plan is tested regularly to identify areas of improvement and provide training to personnel.
**Backup in alternative cloud**
Appfarm runs a backup of the version control system at an alternative cloud provider to avoid relying on only one cloud provider. This allows us to start operations elsewhere in a reasonable timeframe in the case of an unforeseen event at our main cloud provider.
## Application Security
Secure Development Lifecycle
**Secure code training**
All engineers go through mandatory secure coding training based on the OWASP Top 10 framework and ASVS.
**Version control**
Appfarm employs a version control system for coding, with mandatory code reviews for changes that also take into account information security requirements.
**Quality assurance**
Appfarm's Quality Assurance department tests the codebase, and an in-house security team performs security tests on new and existing functionality added to the Service. Automatic tests are implemented in the codebase to ensure code changes don't introduce new bugs.
**Separate environments**
For development purposes, Appfarm runs four different environments; Development, Test, Staging, and Production. Only the Production environment contains data from customers.
Vulnerability management
**Dynamic vulnerability scanning**
Appfarm runs third-party security tools that dynamically scan Appfarm Create regarding, but not limited to, OWASP's Top 10 security risks. Our in-house product security team tests and works with the engineering team to discover and remediate issues.
**Software composition analysis**
Libraries and dependencies used in the Appfarm Service are scanned to identify vulnerabilities and ensure they are mitigated.
## Product Security
Authentication security
**Appfarm Create authentication**
Appfarm Create has several different options for authentication: one-time password, SSO with Google, and username and password.\
\
**Appfarm Client authentication**
The Appfarm Client has several different options for authentication: one-time password, login link, SSO with custom identity provider using OpenID Connect, and username and password.
**Credential storage**
Appfarm follows security best practices by only storing passwords in salted one-way hashes with SCRYPT and never in a human-readable format.
Role-based access controls
Appfram Create has an extensive system for controlling [permissions](https://docs.appfarm.io/reference/security/permissions) and [roles](https://docs.appfarm.io/reference/security/roles). Appfarm has built-in roles that maintain "security by default" practices and also allows for custom roles to be made. More information about permissions and roles can be found in the [Appfarm documentation](https://docs.appfarm.io/reference/security).
Secrets
To allow our versatile platform to communicate and integrate with external systems, [secrets](https://docs.appfarm.io/reference/security/secrets) can be used to store sensitive values. Secrets are only available server-side and are not available in the Appfarm Client.
## HR Security
Security awareness
**Policies**
Appfarm has developed a comprehensive collection of security policies to cover everything to ensure security in the day-to-day operations of the company. All employees and contractors with access to Appfarm information assets read and accept these policies.
**Training**
All employees attend Security Awareness Training, which is given upon hire and renewed annually. Certain personnel also attend extra specialized training designed for their explicit roles and responsibilities. The Appfarm Security team provides additional awareness updates via email, Slack groups, and presentations during internal events.
Employee vetting
**Confidentiality agreements**
All new hires are required to sign non-disclosure and confidentiality agreements.
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://policies.appfarm.io/security/platform-security-and-compliance.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.