Our approach
As a security company, we take the protection of your data and applications seriously. We are continually working to improve our security posture as our platform and team grow.
Infrastructure security
- Cloud hosting: Our platform runs on AWS cloud infrastructure, using multiple availability zones where possible. We use infrastructure-as-code to help maintain consistency across environments.
- Encryption in transit: We use TLS to encrypt data transmitted between your browser, our APIs, and our backend services. We aim to encrypt internal service-to-service traffic as well.
- Encryption at rest: Stored data — including account information, uploaded binaries, and configuration state — is encrypted at rest using AWS-managed encryption keys.
- Network isolation: We use VPCs, security groups, and network segmentation to separate production environments and limit access.
- Build environments: App binaries are processed inside isolated containers. We aim to keep build environments ephemeral and to remove artefacts after processing.
Application security
- Development practices: We use code review, static analysis, and testing as part of our development workflow. We are working to make these practices more consistent and comprehensive over time.
- Dependency management: We use automated tools to help identify known vulnerabilities in third-party dependencies.
- Authentication: We support multi-factor authentication (MFA) for user accounts and scoped API keys for programmatic access.
- Responsible disclosure: We welcome reports from security researchers concerning vulnerabilities in our platform infrastructure (website, dashboard, and APIs). See our Report a Bug page for how to get in touch. Out of scope: reverse engineering, instrumentation, or security testing of protected mobile binaries, the build pipeline, the on-device security controls, or any AppTego-injected code — these activities are prohibited under our Terms of Service.
Data handling
- Binary processing: Mobile app binaries uploaded for protection are processed in isolated containers. We aim to delete uploaded binaries promptly after processing. We do not intentionally access or retain your source code.
- Telemetry & privacy: Runtime telemetry from protected apps is encrypted in transit. Data collection settings are configurable in the dashboard.
- Access controls: We use role-based access controls and the principle of least privilege where possible across our internal systems.
- Data retention: We aim to retain personal data only as long as necessary to provide the service. See our Privacy Policy for more details.
Incident response
We are developing our incident response processes to cover detection, containment, and recovery. If we become aware of a security incident affecting customer data, we will make reasonable efforts to notify impacted customers promptly.
Our current operational status is available on our Status Page.
Compliance
Our security practices are informed by leading industry standards, including:
- GDPR (General Data Protection Regulation)
- OWASP Mobile Application Security guidelines
Formal certifications such as SOC 2 are part of our roadmap, and we will share updates as they become available. Customers with specific compliance requirements are encouraged to contact us at legal@apptego.com so we can discuss how AppTego fits into their programme.
Responsible disclosure
If you believe you have found a security vulnerability in our platform (website, dashboard, or APIs), we encourage you to report it responsibly. Please email support@apptego.com with details and we will do our best to respond promptly and work with you to resolve the issue.
Scope is limited to AppTego platform infrastructure. Reverse engineering, decompilation, deobfuscation, instrumentation, fuzzing, hooking, or any other form of security analysis directed at protected mobile binaries, the build pipeline, on-device security controls, configuration delivery mechanisms, or any AppTego-injected code is out of scope and not permitted, whether or not such code is observed in an end-user application. Such activities violate our Terms of Service and may result in account termination and legal action. Reports concerning these out-of-scope items will not be accepted, acknowledged, eligible for any reward, or treated as protected disclosures.
Prohibited testing methods
Even within the in-scope platform surface, the following activities are always prohibited and will not be treated as good-faith research:
- Denial-of-service (DoS / DDoS), volumetric, or resource-exhaustion testing of any kind, including attempts to assess rate limits by overwhelming them.
- Automated scanning, brute-force attacks, credential stuffing, or any high-volume / high-rate request patterns against authentication, password reset, MFA, or build-trigger endpoints.
- Social engineering, phishing, or pretexting against AppTego employees, contractors, customers, or sub-processors.
- Physical attacks against AppTego or AWS facilities.
- Any action that accesses, modifies, exfiltrates, retains, or destroys data belonging to another customer, tenant, or end user.
- Pivoting from a discovered vulnerability into deeper exploitation, lateral movement, or persistence — stop at proof-of-concept and report.
- Testing third-party services we depend on (AWS, Stripe, Google reCAPTCHA, etc.) — report those to the respective vendor.
- Spam, mass-email, or any abuse of contact, registration, support, or build endpoints.
- Public disclosure of any finding before we have had a reasonable opportunity to remediate (we ask for a minimum of 90 days).
- Testing with any account other than your own, or in any environment other than the standard production environment as a registered user.
By submitting a report, you confirm that your testing complied with these conditions. Reports arising from prohibited testing will be ignored and may be referred for civil or criminal action.
Safe harbour
If you act in good faith, stay strictly within the in-scope surface and the conditions above, give us a reasonable opportunity to remediate before disclosure, and do not access or harm data belonging to others, AppTego will not pursue civil or criminal action against you for your research, and will treat your activity as authorised for the purposes of applicable computer-misuse laws (such as the U.S. Computer Fraud and Abuse Act and the UK Computer Misuse Act). This safe harbour does not extend to anything outside this scope and does not bind any third party (including AWS, Stripe, Google, or our customers).
We do not currently operate a paid bug-bounty programme.
Version 2026.04 · Effective: 18 April 2026 · Owner: legal@apptego.com