Security at Sensor Tower

Today’s digital landscape means limitless possibilities but also brings complex security risks and threats. At Sensor Tower, data protection and security are integral to our products, our company culture, business processes, and infrastructure. We employ industry best practices and technology for data security, privacy, fraud, and crisis management—all so you can stay focused on your business.

You can rest easy knowing that Sensor Tower is SOC 2, Type I compliant, and has implemented continuous testing and monitoring of its comprehensive security and infrastructure controls, providing real-time protection of its systems and information.

Have a question about something that's not covered here? Send us an email to security@sensortower.com and we will be glad to answer it.

Data Security

Security is important to us, so we have adopted industry-leading security controls to minimize threats to our systems and the information we store and process. Although the majority of the data that is aggregated and curated by our services comes from public channels, any confidential and sensitive data or credentials that we do collect are ethically sourced with proper permissions. Any data from our panel is collected in a manner transparent to the end user, and is anonymized and secured to protect their privacy.

Uptime Status and Outages

While rare, Sensor Tower could at times experience degraded performance of our customer-facing systems. Please visit our status page for information about our current system uptime and to subscribe to system status updates.

System and Organization Controls Audit

Sensor Tower’s security controls have been audited by an independent CPA chartered auditor and deemed to achieve the SOC 2 trust services criteria relevant to Security, Availability, and Confidentiality as set forth by the AICPA (American Institute of Certified Public Accountants). A copy of the auditor’s SOC 2, Type I report is available to customers and prospective customers under NDA.

Requesting Access to SOC Report

Please contact your appropriate sales or account team member, or Sensor Tower’s compliance team (compliance@sensortower.com), to request a copy of the SOC 2 report. 

Frequently Asked Questions

Where does Sensor Tower run?

Sensor Tower services run as a web application on a third-party cloud platform. The cloud service provider used by Sensor Tower is Amazon Web Services (AWS). AWS is a leading IT infrastructure provider that uses leading security practices and frameworks to ensure its infrastructure is secure, including physical, operational, and software measures. We may use other cloud providers in the future if they meet our security and availability needs. Sensor Tower exchanges data with our users over a secure TLS connection, and the public web-facing application enforces the use of HTTPS.

What data does Sensor Tower store?

Sensor Tower collects the vast majority of its data through public access channels - primarily from the App Store and Google Play. Additionally, for customers who optionally grant explicit permission via Sensor Tower’s My Sales Metrics Dashboard, Sensor Tower will collect sales and marketing data for your apps from iTunes Connect, Google Play or other analytics providers for whom you specifically grant us access. Doing so requires that we log in or connect to these services and retrieve the data over a secure connection. To collect this data, Sensor Tower may store an access token or username and password for those services, based on information that you optionally provide to us.

How is sensitive data stored?

Sensor Tower stores all sensitive data in a secure and encrypted format via the AES-256 encryption algorithm, and the passwords you create to log in to your Sensor Tower account are hashed via the bcrypt password-hashing algorithm. We do not write or modify the cryptographic software but instead use thoroughly vetted and tested open source libraries that are compliant with NIST cryptographic standards and guidelines. The data is stored only with our cloud providers and is backed up in the encrypted form.

How is secure data decrypted?

Only a small and thoroughly secured set of computers have the keys to decrypt sensitive data. The keys are not stored or checked in with the source code but instead are stored securely in a dedicated parameter store with strict access controls.

The computers that are able to decrypt sensitive data are not public-facing servers – they're not connected to the internet and are only accessed through secure and encrypted calls. This means that even if Sensor Tower's public-facing web servers are attacked, the keys necessary for decryption would not be compromised.

How is data access controlled?

Access to data is restricted on a least privilege basis according to our access control policy, meaning only employees that have a business need are provided access to the data and only for so long as that business need exists. 

How does Sensor Tower protect itself from external attackers?

The web servers that Sensor Tower is running on are built using a modern web framework designed with security in mind. We follow best security practices, keep up to date with bugs and security patches, and apply security updates to our systems in a very prompt manner. We have tools in place to detect abnormal behavior and have an internal security team responsible for keeping our security up to date. Furthermore, we regularly run tests and security audits on our systems and work with external security firms to ensure that our systems are thoroughly secured.

How are payments processed?

We have a secure method of payment implemented on our site: credit card payments via Stripe. We never collect and cannot access your credit card information but instead securely pass the information directly to the payment provider.

What can I do to ensure the security of my Google Play or iTunes Connect account?

For customers who optionally choose to integrate the Sensor Tower App Intelligence Platform with their iTunes Connect or Google Play services, we advise that they create a separate iTunes Connect or Google Play account for Sensor Tower with permissions set to only view relevant data.

Responsible Disclosure Program

We will investigate the reports we receive and will work to correct verified vulnerabilities quickly. To encourage responsible reporting, we will not take legal action against you for submitting a vulnerability report for the products available on sensortower.com (“Products”) provided you comply with the following guidelines:

  • Engage in testing of systems/research without harming Sensor Tower or its customers.

  • Engage in vulnerability testing within the scope of regular penetration testing requirements.

  • Test our Products without affecting customers.

  • Adhere to the laws of your location and the location of Sensor Tower.

  • Not disclose vulnerability details to the public before a mutually agreed-upon timeframe expires.

To submit a vulnerability report to Sensor Tower’s Security Committee, please send an email to security@sensortower.com.

We prioritize and triage submissions that:

  • Are made in good faith.

  • Are well-written reports in English.

  • Include proof-of-concept code.

  • State how you found the bug, the impact, and any potential remediation.

  • Include any plans or intentions for public disclosure.

Please note that we will de-prioritize or ignore submissions that include only crash dumps or other automated tool output or cover Products not available on sensortower.com.

If we deem the submission credible, then:

  • A timely response to your submission will be made; and

  • After we triage and determine remediation is necessary, we will send an update and commit to being transparent, and have an open dialog to discuss issues if necessary.

Updated February 6, 2023