AppsFlyer’s Approach to Security and Privacy – A Chat with Guy Flechter, CISO & DPO
At AppsFlyer, we get asked often about data security and privacy. Customers and partners want to know what measures we’ve put into place to ensure the integrity of their data, and they are 100% right to be raising these questions.
As a company that processes over 1 trillion (you read that right) datapoints per year for thousands of customers, it’s only natural that you’d want to know what we’re doing to make sure your data is secure and private. To answer all of these questions and more, we thought it best to get all of the answers firsthand from none other than AppsFlyer’s own CISO (Chief Information Security Officer) and DPO (Data Protection Officer), Guy Flechter.
In late 2017, we welcomed Guy Flechter on board the AppsFlyer rocketship as our CISO and DPO. Guy brings 17 years of rich professional experience in security and privacy to the table.
What is AppsFlyer’s general approach to privacy and security? What is your guiding force as leader of these efforts?
I see privacy as a fundamental human right. I know that sounds kind of dramatic, but I mean it in all sincerity. I have been working in the industry for over 15 years to protect and improve the available measures out there. At AppsFlyer, we meet (and even exceed) the requirements needed to be officially certified by internationally-recognized organizations for both security and privacy.
We’re always on high alert. Always. Checking and rechecking our activity and seeking the most advanced technology out there to protect our systems. We don’t just check boxes, we are constantly thinking of how we can expand and go beyond.
What makes AppsFlyer stand out when it comes to security and privacy?
The privacy and security team isn’t a standalone, siloed unit; we work as part of the solutions, IT, DevOps and development teams in AppsFlyer. We consider ourselves an extension of the other teams.
On the development side, security is an inherent part of the product, rather than something that is tacked on at the end. My team is involved from the very early stages of new feature and product development to ensure that security and privacy are part of the structure of the product and not an afterthought. The result is a security-first culture within R&D, which is how I believe every company should be.
It doesn’t just end there. Every team at AppsFlyer is involved in our efforts on some level, on a daily basis. And, of course, we are backed by management 100% for any needs and concerns we may have about security or privacy.
Where would you say that AppsFlyer fits into the industry landscape?
I wouldn’t say that we “fit in”, so much, as lead the way. We see no limits as to what we can develop and improve; we constantly strive to go beyond.
We’ve spearheaded groundbreaking privacy and security initiatives that aren’t paralleled in our competitive space at all. One such initiative is OpenGDPR, a universal, secure, and common framework for compliance with GDPR-mandated data subject rights. Developed with a handful of our partners, the OpenGDPR framework presents a public API specification along with a recommended set of best practices for implementing and maintaining a connected and compliant stack.
“AppsFlyer, mParticle, Braze, and Amplitude have banded together to form the industry version of the Justice League. Calling itself OpenGDPR, the consortium aims to streamline the process for marketers in making sure their data practices are up to speed.”
Can you give us the low-down on the certifications AppsFlyer has for security and privacy?
On the security front, AppsFlyer has been SSAE16 SOC2 certified since 2016. This certification is awarded to organizations that meet a set of very strict controls for security, processing integrity, confidentiality and system privacy (read more here). Only one other mobile attribution company is SOC2 certified and we truly appreciate the significance of meeting its requirements.
AppsFlyer has certified adherence to the principles of the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal information transferred from the European Union to the United States (read more here).
In addition, AppsFlyer meets all the privacy requirements established by TRUSTe and/or applicable regulatory bodies using a combination of technical and manual methodologies and company self-attestations. Our continued TRUSTe certification demonstrates our utmost commitment to transparency. We work with TRUSTe to verify our data privacy policies and practices. TRUSTe reviews our website and its subdomains, software development kit (SDK), and APIs (read more here).
This isn’t all; we have a few more certifications in the works, including ISO27001 and ePrivacy, to name a few.
What are the biggest challenges/concerns in the AdTech market and mobile ecosystem?
Mobile technology is one of the fastest growing markets on the planet. Unsurprisingly, the risks and technologies for breaching mobile security are also evolving at a crazy fast rate. Staying ahead of the risks is the most important goal any CISO can set for himself (or herself), but this is even more so the case for a mobile tech company.
Protecting our clients’ data is our utmost priority. Tackling the challenges of protecting the data of both our clients and their end-users–is an ongoing, non-stop effort.
The team’s motto is to never assume that the work is done or that we know everything. We’re constantly learning, growing, improving. It’s imperative in this field to keep an open mind and sleep with one eye open.
Many companies work with an external service or consultancy for privacy. Why is it important to have an in-house DPO?
An in-house DPO has an inherent advantage: he’s there. He’s part of the team, familiar with day-to-day activity, knows everyone and everything that’s going on. The privacy measures taken are part of the product’s development and not an afterthought. An external provider can’t be as involved and is more likely to miss crucial details along the way.
What’s the team vision, where is the team going?
Our team continues to grow, mirroring the company’s growth. We continue to work tirelessly to always stay one step ahead of the industry when it comes to understanding the risk landscape and the changing climate. Our work is never done.
This all sounds immensely stressful. How do you manage to sleep at night?
Usually on my stomach, but sometimes on my side.