We are committed to working with customers, partners, and other stakeholders to meet the requirements for the General Data Protection Regulation (GDPR) that went into effect on May 25, 2018. The GDPR impacts multiple AppSheet platform stakeholders and we want to make sure you are aware of, and up-to-date on, any changes we introduce for GDPR compliance.
If you’re a new app creator, app user, vendor, technology partner, or are considering becoming any of those, this page describes how AppSheet meets the requirements of the GDPR and provides other resources to help you achieve GDPR compliance.
We'll update this page as new information and resources become available. Please bookmark this page as a reference for your AppSheet-related GDPR compliance resources. Meeting compliance commitments around privacy and security is important to us. If you have additional questions or need to review custom contractual settings with your business, please contact us at firstname.lastname@example.org. Here are some resources you may want to review:
AppSheet is an active participant in the Privacy Shield Framework. Our commitments cover HR and non-HR data in the EU, Switzerland, and United States.
AppSheet's EU-US and Swiss-US Privacy Shield notice applies to data that AppSheet customers submit through the AppSheet service. In connection with the services delivered through the AppSheet platform, AppSheet receives and may receive personal information from its users.
These are the types of personal data that may be used by the AppSheet Service:
- Personal Data. AppSheet captures personally identifiable information when a user uses an app built on AppSheet. In particular, our service retrieves the user's locale, timezone, and device identifier. For apps that require user sign-in, our service retrieves the user's email address and it may capture the user's name if available and authorized by the authentication provider. For some apps, the user's geographical location may be captured. Personal Data from app end-users may be passed to the app creator for normal operation and management of the app. If the user is an app creator who creates an account in order to create apps, the AppSheet service retrieves and saves some information about the user from the sign-in authentication provider. Any additional personal information from app creators (limited to information that can help us provide better support and establish a commercial relationship when the user chooses to do so) is opt-in and is not required to deliver AppSheet services.
- Application Data. The data used and collected by your AppSheet applications resides in the application owner's third-party storage provider (e.g., Google Drive, Dropbox, etc.). The AppSheet service does not persist this data although it may log data changes for auditing purposes. In order to improve performance, we may temporarily cache data, images and other files.
- Usage Data. Our service uses browser session cookies and browser local storage to maintain user session state. This helps to speed up user login. You can set your browser to disable cookies and local storage, but this will significantly compromise or disable product usability. As you use our service, it logs usage information in back-end log files and in eventing services like Google Analytics and Mixpanel, including the features you accessed on our site, and standard browser-provided information. We utilize this information not only to debug issues and problems, but also to learn aggregated patterns across all our users and thereby improve our service. Your personally identifiable information will not be sold or rented to third parties in a way that identifies you as an individual.
Where is data hosted?
Data used as the back-end of applications is stored wherever the creator of the app hosts its data (for example, Google Drive, Amazon Web Services, Salesforce, etc.). The AppSheet service does not persist the data used for the application and simply passes the data through data connections back to the original data source.
The back-end usage logs are hosted in the US in Microsoft Azure data centers. It is possible to mark any data field as sensitive information, which will then be obscured from AppSheet back-end usage logs.
AppSheet connects with leading cloud storage providers. The links below are provided as a convenience—we recommend you audit and map out all your technology providers and how they work with the GDPR.
The AppSheet service logs usage information which includes the email address of the application user and email address of the creator of the application. Our logs are used with a subset of service providers (sub-processors); these sub-processors help us analyze data patterns and automate certain functions to improve the service and commercial relationship with our customers. As described in our Privacy Shield Commitments, your personally identifiable information will not be sold or rented to third parties in a way that identifies you as an individual. Below you can find links to the GDPR compliance resources for the service providers we use:
- Intercom. We use Intercom to interact with customers while they use our product, host product documentation, and collect and respond to support tickets.
- Hubspot. We use Hubspot as our CRM and email platform. We add customer emails to the CRM in order to have a better commercial relationship.
- Google Analytics. We use Google Analytics to better understand the web traffic to our site and within our site. This helps us improve the AppSheet service and site navigation.
- Mixpanel. We use Mixpanel to log the usage of the AppSheet app creation and app usage experience. This helps us improve the platform and provide new features. We also use Mixpanel to send email to application creators and application users to help them improve the usage of the platform.
- Microsoft Azure. We host logs which may include PII in Microsoft Azure servers in the United States. Keeping usage logs helps us improve the product and add new features.
- Mailchimp and Mandrill. We use Mailchimp to email our customers. Mandrill is used to deliver transactional emails to application creators and application users, and to help application creators automate processes for their users through email delivery.
- Stripe. We process payments via Stripe.
Personally Identifiable Information may be passed to our sub-processors in order to deliver the services of the AppSheet Platform. All the sub-processors listed above are active participants of the EU-US and Swiss-US Privacy Shield Framework.
What we're doing
You can create and share apps in a secure way, keeping control of who has access to data and where data is hosted. We invite you to explore the different security options available in the platform. Since the AppSheet service can be a controller and a processor of personal data, we will continue to keep all platform users informed of how we meet compliance requirements in both areas of the GDPR.
When is AppSheet a controller of data?
Generally speaking, we are controllers of the data that you provide to us to be able to create applications on AppSheet. For example, your email address to sign in to the platform, the email addresses of the people you invite to use your apps, or contact details you provide in a "contact sales" form.
When is AppSheet a processor of data?
We are processors of the data that you connect to the applications you create in the platform. It's important to set the security, privacy, and compliance rules that match your needs for the data you use in AppSheet applications.
Platform features that support GDPR
AppSheet gives teams and individuals the ability to create secure applications using their own data and define the security and privacy model for them. In order to do so, we make sure that the existing and future capabilities of the platform match or exceed our commitments to privacy and security. Some of the capabilities available in AppSheet are:
- Ability to tag any field as sensitive data.
- Ability to apply security filters to any table used in AppSheet apps.
- Ability to restrict access to applications using OAuth 2.0 authentication.
- HTTPS data transmission.
- Ability to conditionally restrict read/write access to any field in a table.
- Ability to request a deletion of an AppSheet account.
As part of our GDPR compliance journey, AppSheet has participated in SOC 2, Type 1 audits. SOC 2 Type 1 focuses on a business’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. Additionally, we've performed a personal data audit across the AppSheet technology stack, identifying all parts of the platform that may store personal data, reviewing the privacy commitments of all technology partners, and allowing for data deletion upon request or anonymization where possible.
Thousands of App Creators use AppSheet to deliver mobile apps to their teams, colleagues, customers, and other stakeholders. It's possible that the data captured and displayed through those apps are personal data as defined by GDPR. We want to make sure all stakeholders are aware of the commitments they must have to controlling or processing personal data.
AppSheet's help site contains multiple articles that reference data security and privacy. During the months of April and May 2018, we broadcast multiple communications to our stakeholders to increase awareness around the GDPR, recommending that app creators review this site and other resources to make sure their apps, and the data they manage in them, are GDPR-compliant.
January 2018: Completed
- Audit of control environment.
- Platform update.
April 2018: Completed
May 2018: Completed
- Educational content sent to people creating apps with AppSheet.
- Enforce GDPR feature updates to the platform, making sure app creators acknowledge their responsibility to create compliant apps.
- Privacy Shield Framework certification.
- Platform updates around user opt-in and account/profile deletion.
- Plan updates in our blog.
- Full enforcement of updated policies prior to May 25th.
Last updated December 26, 2019