
Security Policies and Practices

INTRODUCTION

At AppsFlyer, data security, scalability and performance are our lifeblood. Our state-of-the-art real-time infrastructure, advanced security and data protection, independent certifications and global regulatory compliance have earned the trust of the world's leading brands.

We strive to implement the highest level of security processes and practices across all business units. To help ensure we attain this goal, our staff includes a full-time, in-house chief information security officer (CISO) and a growing dedicated security team.

Our security practices are based on industry-leading standards such as SSAE 16 SOC2, on which we are audited annually. Our security framework includes policies and procedures, asset management, access management, physical security, people security, product security, cloud and network infrastructure security, third-party security, vulnerability management, security monitoring, and incident response.

Information security policies and standards are approved by AppsFlyer management and are available to all AppsFlyer employees.

AppsFlyer Security Policies and Practices

APPSFLYER SECURITY

Contents:
Staff - Page 4
Product - Page 6
Cloud - Page 10
Business continuity - Page 11
Data - Page 12
3rd parties - Page 14
Certification - Page 15

PEOPLE

The teams behind AppsFlyer products play an essential part in protecting our service on an organizational level.

SECURITY TEAM

AppsFlyer's business operation team includes top-notch security and privacy professionals who are experts in information, application and network security. The team is tasked with:

- Maintaining the company's defense systems
- Developing security review processes
- Building security infrastructure
- Implementing AppsFlyer's security policies

AppsFlyer's dedicated security team actively scans for security threats using commercial and custom tools, penetration tests, quality assurance (QA) measures, and software security reviews.

Members of the AppsFlyer information security team review security plans for all networks, systems and services. They provide project-specific consulting services to AppsFlyer's product and engineering teams. They monitor for suspicious activity on AppsFlyer's networks, address information security threats, perform routine security evaluations and audits, and engage outside experts to conduct regular security assessments.

HIRING

The AppsFlyer screening process is based on background checks and personal interviews with recruitment/HR managers and hiring managers. Where applicable, additional background checks are included based on local law.

INFOSEC TRAINING

New employees go through an onboarding process that includes security guidelines, expectations, and code of conduct. All AppsFlyer employees undergo annual security awareness training.

ONGOING COMMUNICATIONS

The AppsFlyer security team communicates with all employees on a regular basis, covering topics such as emerging threats, phishing awareness campaigns, and other industry-related security topics.

PRODUCT

APPLICATION SECURITY

The AppsFlyer security development lifecycle (SDLC) standard helps ensure the delivery of a highly secure platform. The following activities help us achieve this mission:

SDLC
All products and features undergo thorough security reviews and code scanning.

Change management
All changes are tracked, reviewed and approved to ensure alignment with our business objectives and compliance requirements.

Penetration tests
AppsFlyer conducts a variety of penetration tests (PTs) using external vendors, as well as scans using automated scanners.

Attack prevention
AppsFlyer utilizes Anti-DDoS protection, WAF and API protection tools.

Bug bounty
AppsFlyer offers a bug bounty program for detecting bugs in application security.

ACCOUNT SECURITY

AppsFlyer provides the most thorough authentication security measures in the mobile attribution industry. Among the available authentication capabilities, many settings are fully configurable to suit individual organizational standards and needs.

Full complexity passwords
All users must create full complexity passwords, which include a minimum of 8 characters, uppercase and lowercase letters, numbers and symbols.

SHA-2 salted password hashing
Customer passwords are not stored in clear text on AppsFlyer's servers. AppsFlyer uses the SHA-2 hash standard for storing all passwords.

Failed logins
While the recommended setting is to block users after 10 failed login attempts, AppsFlyer blocks users after 5. Customers can determine the duration of the lockout.

Temporary passwords
AppsFlyer requires new users to create a new password immediately after signing in with a temporary password.

Self-serve 2-factor authentication
Customers can choose to require 2FA when users log in to the dashboard. Available options are Google Authenticator or text message confirmation.

Single sign-on
Customers using an identity provider (IdP) solution within their organization can connect it to the AppsFlyer dashboard. AppsFlyer works with the SAML 2.0 standard for SSO.

MONITORING AND VISIBILITY

Our security team continuously monitors and assesses compliance, regulation and risk. Our vulnerability tests establish how we identify, respond to, and triage vulnerabilities against the AppsFlyer platform. To ensure the security of our platform, AppsFlyer continues to improve and enhance its security capabilities through continuous 24/7/365 monitoring and the implementation of a variety of security tools and other components to detect and mitigate any new vulnerabilities, incidents, and threats.

We want our customers to have complete visibility into what happens inside their account, giving them the freedom to monitor their own account activity. For this reason, we provide complete logs of all account activity, including failed login attempts and changes made to data exportation.

Audit Trail
Customers have full visibility into account activity: failed and successful logins, changes made and data exports.

24/7 Monitoring
The AppsFlyer security team conducts 24/7 monitoring of the infrastructure and application. Any alert triggers a defined mitigation process.

CLOUD

The security of our infrastructure and networks is critical. Creating a safe platform for the AppsFlyer application and for customer innovation is the mission of our cloud security.

INFRASTRUCTURE COMPLIANCE

We use multi-layered controls to help protect our infrastructure, constantly monitoring and improving our applications, systems, and processes to meet the growing demands and challenges of security. In addition, we use AWS and GCP, highly regulated and compliant data centers that meet stringent regional and international certification requirements.

DDoS PROTECTION

As part of the multi-layered protection approach, a dedicated DDoS mitigation ecosystem has been put in place. AppsFlyer utilizes Anti-DDoS protection, WAF and API protection tools.

ASSET MANAGEMENT & OWNERSHIP

All assets are assigned a defined owner and accountability. Access to production infrastructure is limited to the minimal number of individuals, on a least-privilege and need-to-work basis.

FULL REDUNDANCY

AppsFlyer utilizes a wide range of tools to monitor its environment across data centers on both the server and application level. Parameters are collected and aggregated at a central location using redundancy to detect anomalies, trends, threshold crossings, etc.

BUSINESS CONTINUITY

While we can't predict the future, we can ensure that we are fully prepared for it. That includes managing potential service interruptions and minimizing recovery time.

BUSINESS CONTINUITY PLAN (BCP)

AppsFlyer's BCP ensures that critical operations and services are continuously available to customers throughout the occurrence of any disaster or business interruption, from temporary outages to global-scale catastrophes.

DISASTER RECOVERY

AppsFlyer's services are hosted on AWS and GCP, enabling continuous global activity, even if one location fails. AWS and GCP span multiple geographic regions and provide multiple backups, allowing AppsFlyer servers to remain resilient in the event of most failure modes.

DATA BACKUPS

AppsFlyer performs regular backups of customer data and other critical data using Amazon S3 cloud storage. All backups are encrypted in transit and at rest using strong encryption.

DATA

DATA IN TRANSIT

Data is vulnerable to unauthorized access as it travels across the internet or within networks. For this reason, securing data in transit is a high priority for AppsFlyer. Our web servers support strong encryption protocols to secure connections between customer devices and AppsFlyer's web services and APIs. All traffic transferred to AppsFlyer is encrypted over HTTPS using TLS 1.2 only.

DATA AT REST

Data is encrypted in our databases using AES 256-bit encryption by default.

MASKING

Our customers can choose to implement even stricter security measures, i.e., additional layers of protection for their account. We encourage customers to work with their account managers to make sure any specific security needs are being met, such as IP masking.

ACCOUNT SEGREGATION AND ACCESS

To keep data private and secure, AppsFlyer logically isolates each customer's account data from other customers and users, even when stored on the same physical server.

For AppsFlyer employees, access rights and levels are based on job function and role, using the concepts of least privilege and need-to-know. They are only granted a limited set of default permissions to access company resources. Additional permissions require a formal process that involves approval from a manager, as dictated by AppsFlyer's security policies. An employee's authorization settings are used to control access to all resources, including data and systems.

THIRD PARTIES

Every organization relies on other organizations, whether it's an email provider, a server farm or the cafe that caters your Friday lunches. Vendor security must be addressed just like any other element in organizational security. Investing in internal security while ignoring vendor security is like padlocking your front door but leaving a window open. A vulnerability is just that, a vulnerability; and third-party vendors can be a significant one.

AppsFlyer is a 3rd-party vendor for some of the world's biggest organizations. On top of that, AppsFlyer's products have third-party integrations and we employ vendors for internal services across multiple departments. We take 3rd-party security as seriously as any other internal security measure:

VETTING PROCESS

Third parties used by AppsFlyer are checked before engagement to validate that prospective third parties meet AppsFlyer's security standards. Customer data is not accessible to third parties or subcontractors.

ONGOING MONITORING

The AppsFlyer security team conducts an annual review of applicable vendors. The review is conducted by AppsFlyer's security team or via a third-party report (e.g., SSAE 16 SOC2 report, ISO 27001). The procedure takes into account the type of access and the classification of data being accessed (if any), the controls necessary to protect that data, and legal/regulatory requirements.

CERTIFICATION

AppsFlyer is committed to mitigating risk and ensuring AppsFlyer services meet regulatory and security compliance requirements. AppsFlyer complies with applicable legal, industry, and regulatory requirements as well as industry best practices.

Compliance
While other attribution companies have been subject to repeated breaches, leaks and compliance failures, AppsFlyer has offered (and continues to expand) an unparalleled global compliance and certification program. AppsFlyer's compliance program is unmatched in the industry.

[Comparison chart: certifications (ePrivacy, SSAE16, CSA STAR, EU-US Privacy Shield, Swiss-US Privacy Shield) held by AppsFlyer, Branch, Adjust, Kochava and Singular; the individual cell values did not survive extraction.]

SSAE16 SOC2
AppsFlyer has obtained SOC2 certification, providing our customers with validation of our security controls and confidence in our security program. The Trust Service Criteria, on which SOC 2 is based, are modeled around four broad areas: Policies, Communications, Procedures, and Monitoring. Each of the criteria has corresponding points of focus, which should be met to demonstrate adherence to the overall criteria.

ISO 27001, 27017, 27018, 27032, 27701
The ISO/IEC 27000 family of standards helps organizations keep information assets secure and manage the security of assets. AppsFlyer meets the standard requirements for ISO 27001, 27017, 27018 and 27032, which verify that AppsFlyer has demonstrated (and even exceeded) the required measures for organizational security management, information security, PII cloud security and privacy.

Privacy Shield Framework (EU/US - Swiss/US)
AppsFlyer has certified adherence to the principles of the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union or Switzerland to the United States.

CSA STAR
AppsFlyer's commitment to data security extends to cloud services used by the company. CSA STAR Certification is a rigorous, independent third-party assessment of the security of a cloud service provider. The STAR Certification is based upon achieving ISO/IEC 27001 and the specified set of criteria outlined in the Cloud Controls Matrix.

TRUSTe
AppsFlyer meets all the privacy requirements established by TRUSTe and/or applicable regulatory bodies. Our continued TRUSTe certification demonstrates AppsFlyer's utmost commitment to transparency. TRUSTe reviews our website and its subdomains, software development kit ("SDK"), and APIs.

ePrivacyseal
ePrivacy GmbH awards the data protection seal of approval following an in-depth audit of a company's online and mobile products. The certification covers the requirements of GDPR for digital products. Following a stringent evaluation process, AppsFlyer has been awarded the ePrivacyseal for compliance with all criteria outlined by ePrivacyseal.

SUMMARY

As a leading provider with vast experience in the industry, we realize that working in a cloud-based multi-tenant environment may raise concerns related to the confidentiality and protection of sensitive data. AppsFlyer's security mechanisms to protect the physical, network and application components of the platform, and our transparency with regard to security policies and processes, let brands trust us with their most confidential data. This trust forms the foundation on which our customers leverage the business benefits of our multi-tenant SaaS solution.

If you have questions or need more detailed explanations on topics covered in this whitepaper, feel free to contact our Security Team via the Support Team or your Customer Success Manager.

To learn more, visit www.appsflyer.com
