Security Practices

Last updated: May 31, 2026

Statused monitors App Store Connect and Google Play Console statuses and notifies your team when something changes. Because that requires access to your app store accounts, we treat the security of your data and credentials as a first-class concern. This page describes the controls we actually have in place today.

Statused is not formally SOC 2 certified — at our size and price point the audit cost isn’t yet justified. Instead, we hold ourselves to the same control framework internally: the practices below map to the SOC 2 Trust Services Criteria. Statused customers include teams in highly regulated industries like healthcare and finance, and we have gone through rigorous security reviews as part of their onboarding process. If you have a security or compliance question for a procurement review, please reach us.

Data access and least privilege

We ask for the minimum access required to monitor your apps, and we use it for read-only polling:

  • Read-only by design. Statused reads app, build, version, and release status from the App Store Connect and Google Play APIs. We do not publish, modify releases, change metadata, or push builds on your behalf.
  • No app content or source code. We never access your app’s source code (it’d be impossible as we’re not granted access to your source code), binaries, or customer data — only status metadata.
  • No private APIs. We only use official platform APIs, so your developer account is never put at risk.
  • Why App Store Connect currently needs an Admin key. We tested every narrower App Store Connect role, and Apple’s current permission model does not expose app and build polling to lower-privilege keys. The Admin requirement is an Apple platform limitation, not a Statused design choice — and we use that access strictly for read-only polling. The moment Apple honors finer-grained permissions, we’ll adopt them. We periodically monitor for changes to Apple’s permission model and will update our documentation and customer guidance if that ever allows for less-privilege access.
  • Revocable at any time. Because Statused authenticates with API keys you generate, you can revoke our access from App Store Connect or Google Play Console at any moment, independently of us.

Encryption

  • Your sensitive data is encrypted both in transit and at rest. All traffic to Statused is served over HTTPS with TLS 1.2 or higher. HTTP is redirected to HTTPS and we send HTTP Strict Transport Security (HSTS). All sensitive credentials are encrypted before being stored.
  • Write-only secrets. Once uploaded, store credentials cannot be viewed or exported through the dashboard or API. They are decrypted only in memory when needed to call the store APIs.

Authentication and access control

  • Managed identity provider.User authentication is handled by AWS Cognito over the OAuth 2.0 authorization-code flow. Sessions are carried as signed JSON Web Tokens and cleared on sign-out.
  • Tenant isolation. Every account’s data is scoped to that account; records use non-sequential globally unique identifiers.
  • Least-privilege operations. Access to production systems is restricted to authorized personnel on a least-privilege basis. We do not grant third parties standing access to production data.
  • MFA on administrative access. Administrative access to our production infrastructure requires multi-factor authentication.
  • Endpoint security. Workstations with access to our systems use full-disk encryption.

Secure development and AI-assisted coding

We use AI-assisted (“agentic”) coding tools to move quickly, but with strict guardrails so that speed never comes at the cost of safety:

  • No autonomous agents in production. AI agents have no write access to the production environment in any way. They cannot deploy, run migrations, or touch production data.
  • Two human gates before anything ships. Every change passes through two human review checkpoints before it reaches production. Nothing is developed (let alone shipped) without human review, so every action Statused takes is accountable to a human decision.
  • Automated security checks in CI. Every change runs through static analysis, automated dependency vulnerability scanning, and a comprehensive automated test suite before it’s incorporated into the system.
  • Separation of environments. Development and test environments use their own credentials and never share production secrets.

Infrastructure and hosting

  • Cloud infrastructure. Statused is hosted on Amazon Web Services, on managed, access-controlled infrastructure. Our database and internal services are not exposed to the public internet — they are reachable only through our application layer. All data is stored in US-based regions.
  • Secrets management. Application secrets are kept out of source control, encrypted at rest, and injected via environment configuration. Logs filter out passwords, secrets, tokens, keys, and any other sensitive data before they’re written.

Monitoring and logging

  • Error monitoring. We capture application errors and performance traces so we can detect and resolve issues quickly.
  • Event trail. Inbound and outbound webhook events are persisted, giving us a record of what was received and transmitted, and how it was processed.

Data retention and deletion

  • Minimal collection. We collect only what we need to operate the Service: your account profile, the apps you monitor, their status history, and your notification configuration.
  • Deletion on request. You can revoke store access at any time and request deletion of your data by contacting us. See our Privacy Policy for details on what we retain and why.

Availability and reliability

  • Uptime. We target 99.9%+ uptime and publish live availability on our public status page.
  • Backups. Customer data is backed up daily to support recovery.

Payments

Billing is handled by Chargebee and Stripe. Statused never stores your payment card details — card data is processed directly by our PCI-compliant payment processors.

Subprocessors

We rely on a small set of trusted vendors to operate the Service, each receiving only the data necessary for its function. We vet each vendor’s security posture and bind them with data processing agreements. The authoritative, up-to-date list — with the data each one processes — is maintained in our Privacy Policy.

Compliance posture

  • SOC 2.Not formally certified, but operated against the SOC 2 control framework internally (see above).
  • GDPR. We support data access and deletion requests and bind our subprocessors with data processing agreements. See our Privacy Policy.
  • PCI DSS. Handled by our payment processors; we never store card data.

Report a vulnerability

We welcome reports from security researchers. If you believe you’ve found a vulnerability, please email security@statused.com rather than opening a public issue, and give us reasonable time to remediate before disclosure.

Have a security or compliance question for a procurement review? Reach us at security@statused.com.

Try now for free with a 30-day trial

Sign up now