Today’s digital landscape means limitless possibilities but also brings complex security risks and threats. At Sensor Tower, data protection and security is integral to our products, our company culture, business processes, and infrastructure. We employ industry best practices and  technology for data security, privacy, fraud, and crisis management—all so you can stay focused on your business.

You can rest easy knowing that Sensor Tower is SOC 2 Type II compliant and attested, and has implemented continuous testing and monitoring of its comprehensive security and infrastructure controls, providing real-time protection of its systems and information.

Have a question about something that's not covered here? Send us an email to compliance@sensortower.com and we will be glad to answer it.

Data Security

Security is important to us so we have adopted industry leading security controls to minimize threats to our systems and the information we store and process. Although the majority of the data that is aggregated and curated by our services comes from public channels, any confidential and sensitive data or credentials that we do collect is ethically sourced with proper permissions. Any data collected from our panel is transparent to the end user, and is anonymized and secured to protect their privacy.  

Uptime Status and Outages

While rare, Sensor Tower could at times experience degraded performance of our customer-facing systems. Please visit our status page for information about our current system uptime and to subscribe to system status updates.

System and Organization Controls Audit

Sensor Tower’s security controls have been audited by an independent CPA chartered auditor and attested to comply with the SOC 2 trust services criteria relevant to Security, Availability, and Confidentiality as set forth by the AIPCA (American Institute of Certified Public Accountants). A copy of the auditor’s SOC 2 Type II report is available to customers and prospective customers under NDA.

Requesting Access to SOC Report

Simply visit our Trust Center. You can also contact your usual Sales or Account team member to request a copy of our SOC 2 report. 

Frequently Asked Questions

Where does Sensor Tower run?

Sensor Tower services run as a web application on a third party cloud platform. The cloud service provider used by Sensor Tower is Amazon Web Services (AWS). AWS is a leading Cloud infrastructure provider that uses leading security practices and frameworks to ensure its infrastructure is secure, including physical, operational, and software measures. In particular, AWS is ISO 27001 certified and SOC 2 Type II attested. We may use other cloud providers in the future if they meet our security and compliance requirements. Sensor Tower exchanges data with our users over secure TLS connection, and the public web facing application enforces the use of HTTPS.

What data does Sensor Tower store?

Sensor Tower collects the vast majority of its data through public access channels - primarily from the App Store and Google Play. Additionally, for customers who optionally grant explicit permission via Sensor Tower’s My Sales Metrics Dashboard, Sensor Tower will collect sales and marketing data for your apps from iTunes Connect, Google Play or other analytics providers for whom you specifically grant us access. Doing so requires that we log in or connect to these services and retrieve the data over a secure connection. To collect this data, Sensor Tower may securely store a strongly encrypted access token or username and password for those services, based on information that you optionally provide to us.

How is sensitive data stored?

Sensor Tower stores all sensitive data in a secure and encrypted format via the AES 256 bits encryption algorithm, and the passwords you create to log in your Sensor Tower account are stored using an industry-best-practice uniquely salted hash algorithm. We do not write or modify cryptographic software but instead use thoroughly vetted and tested open source and AWS components that are compliant with NIST cryptographic standards and guidelines. The data is stored only with our cloud providers and is backed up in encrypted form.

How is secure data decrypted?

Only a small and thoroughly secured set of computers have the keys to decrypt sensitive data. The keys are not stored or checked in with the source code but instead are stored in secured storage with strict access controls.

The computers that are able to decrypt sensitive data are not public-facing servers. This means that even if Sensor Tower's public facing web servers are attacked, the keys necessary for decryption would not be compromised.

How is data access controlled?

Access to data is restricted on a least privilege basis according to our access control policy, meaning only employees that have a business need are provided access to the data and only for so long as that business need exists. 

How does Sensor Tower protect itself from external attackers?

The web servers that Sensor Tower is running on are built using a modern web framework designed with security in mind. We follow best security practices, keep up to date with bugs and security patches, and apply security updates to our systems in a timely manner following our Vulnerability Management Policy. We have tools in place to detect abnormal behavior.

We have dedicated Security and Compliance teams responsible for maintaining and continuously improving the company’s information security practices. Furthermore, we regularly run tests and security audits on our systems and work with external security firms to ensure that our systems are thoroughly secured.

How are payments processed?

We use Stripe for secure credit card payments without collecting or accessing your sensitive financial information directly. Sensor Tower never stores payment details; they are passed securely from you to the payment provider. 

What can I do to ensure the security of my Google Play or iTunes Connect account?

For customers who optionally choose to integrate the Sensor Tower App Intelligence Platform with their iTunes Connect or Google Play services, we advise that they create a separate iTunes Connect or Google Play account for Sensor Tower with permissions set to only view relevant data.

Responsible Disclosure Program

We will investigate the reports we receive and will work to correct verified vulnerabilities quickly. To encourage responsible reporting, we will not take legal action against you for submitting a vulnerability report for the products available on sensortower.com (“Products”) provided you comply with the following guidelines:

• Engage in testing of systems/research without harming Sensor Tower or its customers.

• Engage in vulnerability testing within the scope of regular penetration testing requirements.

• Test our Products without affecting customers.

• Adhere to the laws of your location and the location of Sensor Tower.

• Not disclose vulnerability details to the public before a mutually agreed-upon timeframe expires.

To submit a vulnerability report to Sensor Tower’s Security Committee, please send an email to

security@sensortower.com.

We prioritize and triage submissions that:

• Are made in good faith.

• Are well-written reports in English.

• Include proof-of-concept code.

• State how you found the bug, the impact, and any potential remediation.

• Include any plans or intentions for public disclosure.

Please note that we will de-prioritize or ignore submissions that include only crash dumps or other automated tool output or cover Products not available on sensortower.com.

If we deem the submission credible, then:

• A timely response to your submission will be made; and

• After we triage and determine remediation is necessary, we will send an update and commit to being transparent, and have an open dialog to discuss issues if necessary.

Updated May 29, 2024