Dated 10 November 2019
Here at Appraisd we are acutely aware that our customers and their
employees entrust us with very sensitive data. Not only do we have a
responsibility to protect this data from external threats, but we must
also ensure that data is visible only to those it is intended for. For
us, therefore, security means several things. It covers the obvious
things: using encryption, penetration testing and so on to protect
against attackers. But it is also a question of design - if a piece of
feedback is shared with the wrong person because a user misunderstood
the meaning of a button, that's a security issue we take equally
ISO 27001 Certification
As of October 2019 we are certified to industry standard
ISO27001:2017. We have top-level management commitment with the Tech
Lead appointed as Information Security Manager. Our CEO is a former
software developer who has personally overseen multiple penetration
tests and so security awareness is at the heart of our business.
ISO27001 is not just about getting security controls and measures in
place. It also means a regular set of internal and external audits that
ensure that if something could be improved, action is taken. And it
embeds a culture of security awareness in all employees, with an
emphasis on continual self-improvement.
User-first design philosophy
The easiest way for data to get into the wrong hands is for a user to
inadvertently send it there. That's why we are constantly putting
ourselves in the heads of users - making sure that what they expect to
happen when they use our system is exactly what does happen. We use UI
design to make sure admins can reliably predict how the system will
behave. We make sure we capture feedback from clients to continuously
Every line of code we write must go through a code review process to
ensure our systems development policies are being upheld. The process
involves another developer of appropriate experience reading the
submission and checking off a number of factors, such as whether there is
adequate unit or integration test coverage and whether the tenant
identifier is used in queries. New features and fixes go through UAT and
must be approved by a member of the Customer Success team before they
can be released into production. On top of this, every build runs over
1,000 automated tests, which ensure we don't break old code when adding
new code. We use Azure DevOps to manage this process and to provide a
reliable audit trail.
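To make the tenant-identifier review item concrete, here is an added example (not Appraisd's code) in Python with an in-memory SQLite table of constructed feedback rows: a repository that takes the tenant from the authenticated session and scopes every query to it, the unscoped lookup a reviewer would reject, and an isolation check of the kind a test suite can enforce.

```python
import sqlite3


def make_db():
    """Constructed sample data (not Appraisd's): feedback rows for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE feedback (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,"
        " author TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO feedback (tenant_id, author, body) VALUES (?, ?, ?)",
        [("acme", "alice", "Great work on Q3"),
         ("acme", "bob", "Needs more detail"),
         ("globex", "carol", "Confidential: pay review")])
    return conn


class FeedbackRepo:
    """Every query is scoped to the tenant fixed at construction time. The tenant
    id comes from the authenticated session, never from a request parameter, so a
    caller cannot widen the scope by supplying someone else's id."""

    def __init__(self, conn, tenant_id):
        self._conn = conn
        self._tenant = tenant_id

    def get(self, feedback_id):
        # A row owned by another tenant yields None, indistinguishable from "not found".
        return self._conn.execute(
            "SELECT id, author, body FROM feedback WHERE id = ? AND tenant_id = ?",
            (feedback_id, self._tenant)).fetchone()

    def list_all(self):
        return self._conn.execute(
            "SELECT id, author, body FROM feedback WHERE tenant_id = ? ORDER BY id",
            (self._tenant,)).fetchall()


def unscoped_get(conn, feedback_id):
    """The defect the review checklist exists to catch: a lookup by primary key
    alone, which hands any tenant's row to whoever guesses the id."""
    return conn.execute(
        "SELECT id, author, body FROM feedback WHERE id = ?", (feedback_id,)).fetchone()


def tenant_isolation_holds(conn):
    """Integration-style check: each row is visible only through a repository bound
    to the tenant that owns it, and invisible through every other tenant's repository."""
    tenants = [t for (t,) in conn.execute("SELECT DISTINCT tenant_id FROM feedback")]
    for fid, owner in conn.execute("SELECT id, tenant_id FROM feedback").fetchall():
        for tenant in tenants:
            visible = FeedbackRepo(conn, tenant).get(fid) is not None
            if visible != (tenant == owner):
                return False
    return True
```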
World-class infrastructure
All our data is stored in the Microsoft Azure cloud, which has over 50
compliance certifications. We build on Microsoft's PaaS, which reduces
our attack surface to a set of easily configured security settings. We
benefit from security through simplicity, with Microsoft in charge of
maintaining the base-level security updates and patches for its own
servers.
Super strong encryption everywhere
All data is encrypted in transit using TLS 1.2 with strong cipher suites,
and at rest using Microsoft Azure's AES-256 encryption. CSRF tokens are
validated on each request so that a malicious third-party site cannot
forge actions against your data in your session.
Single Sign-on (SSO) Ready
We can integrate with your existing single sign-on systems, so your
employees don't need to juggle additional passwords. Where you do need
to use email and password authentication, you can implement your own
password policy in Appraisd.
Employees you can trust
Data access within Appraisd is limited to those who require it.
Employees also go through regular Appraisd-specific and general security
training, and access to superuser facilities is not granted until
superuser tests are passed. All employees must undergo criminal and
employment history background checks.
Appraisd undertakes at least annual third-party penetration tests to
ensure our security is working as expected.
Responsible disclosure and bug bounty policy
Security is a top priority at Appraisd. We believe working with security
researchers can help us fix any problems as quickly as possible. If you
believe you have found an issue, please notify us and we will work with
you to resolve it promptly. We aim to resolve any critical issue within
one week and non-critical issues within 90 days. Please refrain from
publicising issues until after a fix has been released.
We are currently accepting no further bug-bounty submissions but welcome
any submissions under a responsible disclosure policy. Please make every
effort to avoid violating the privacy or damaging any data of any
Please refrain from:
- Social engineering/phishing attacks
- Attacks against physical property/data centres
- Denial of service attacks
- Attacks that might negatively impact clients' use of our infrastructure