Adapty Security & Compliance

Adapty is the subscription infrastructure layer for thousands of mobile apps, processing billions of dollars in subscription transactions on behalf of our customers.

That position carries a clear obligation: the data you and your users entrust to us has to be handled with care, audited by people who don’t work for us, and defended by controls that don’t depend on anyone personally.

This page describes how we do that.

Certifications

SOC 2 Type II

An independent CPA firm examines our security, availability, and confidentiality controls and issues a SOC 2 Type II attestation covering the operating effectiveness of those controls over the reporting period. The current report is available to customers and prospective customers under NDA. You can request it from your account team or at [email protected].

Privacy regulations

Adapty processes end-user data strictly as a data processor, acting only on the documented instructions of our customers under our Data Processing Agreement. Our processing practices are designed to meet the requirements of:

  • GDPR (EU and UK);
  • LGPD (Brazil).

If your jurisdiction has specific requirements not listed above, contact us — we can usually accommodate them.

How we protect data

Encryption

All customer data is encrypted in transit (TLS 1.2+) and at rest using industry-standard ciphers.

Network and infrastructure

Production runs in hardened industry-standard environments with network segmentation between services, restricted ingress and egress, and least-privilege access for the small group of engineers who can reach production at all. Production access requires multi-factor authentication and is logged.

Continuous monitoring

Logs from our infrastructure and applications are aggregated centrally, anomalies trigger automated alerts, and an on-call engineer is available 24/7 to respond to incidents.

Secure development

Every code change goes through peer review, automated static analysis, and security checks in CI before it can reach production. Dependencies are tracked and patched on a defined schedule, and we maintain a clear deployment pipeline that records who shipped what, when.

Operational practices

People

All staff complete security awareness training on hire and annually. MFA is mandatory on every company system that supports it. Access to customer data is restricted, logged and reviewed regularly.

Vendors

Every third party we rely on for infrastructure, data processing, or security goes through a documented review before we onboard them and is reassessed periodically. Critical vendors are required to hold equivalent certifications (typically SOC 2 Type II or ISO 27001).

Resilience

We run encrypted backups on a defined schedule, maintain redundancy across our critical services, and test our disaster recovery procedures so that recovery is something we’ve actually rehearsed rather than something we plan to figure out under pressure.

Incident response

We maintain a documented incident response plan with defined severity levels, communication protocols, and post-incident review.

Reporting a vulnerability

If you believe you’ve found a security issue in Adapty, please email [email protected]. We investigate every credible report, work with the reporter on remediation, and credit researchers who follow responsible disclosure (unless they prefer to remain anonymous).

For enterprise security reviews

Enterprise customers and prospects can request the following from [email protected]:

  • Current SOC 2 Type II report (under NDA);
  • Completed security questionnaire (CAIQ, SIG, or your own format);
  • Information Security Policy summary;
  • Penetration test summary.
