Learn more about how app data is handled, stored, and protected within our mobile accessibility testing platform. This guide outlines our approach to security, including compliance measures, data flow, access restrictions, and encryption.
On this page:
- Security compliance and certifications
- Mobile app data flow and storage
- Data flow overview
- Storage and data persistence
- Data access and control
- Access restrictions
- Log management
- Data retention and deletion policies
- Backup and recovery procedures
- Security of third-party integrations
- Encryption and data protection measures
Security compliance and certifications
- SOC 2 compliance: Our platform adheres to industry-standard security controls for data protection, integrity, and confidentiality.
- Third-party security audits: Regular security assessments validate compliance with best practices.
- Access control measures: Strict role-based access ensures that only authorized personnel can interact with customer data.
Mobile app data flow and storage
Data flow steps
-
Upload
The customer uploads a mobile app through the Level Access platform.
-
Storage
The app bundle is temporarily stored in Amazon S3, which encrypts data at rest.
-
Notification
The platform sends a message to RabbitMQ to indicate the app was uploaded.
-
Processing and Fetching
The Device API fetches the app bundle from S3 and sends it to SauceLabs for test execution.
-
Testing Execution
The app is executed on a selected emulator or real device hosted by SauceLabs.
-
Results Handling
After testing, the app is automatically deleted from the device. Only interaction logs are retained, and no app content is persisted.
What data is accessed or persisted?
-
What data does the scanner access?
The scanner accesses only the runtime environment during manual scans. It does not access backend services or internal databases within the app.
-
What data, if any, is persisted?
Only session metadata, such as device used, timestamps, and user actions, is retained. The mobile app itself is not persisted long-term
- Where is data accessed, stored, or processed?
- Access: Level Access platform and authenticated user roles
- Storage: Amazon S3 and SauceLabs.
- Processing: Device API and SauceLabs testing environments
Storage and data persistence
Where are uploaded apps stored?
Uploaded apps are stored temporarily in Amazon S3 and then transferred to SauceLabs for execution. Neither location retains the app permanently. The app is deleted automatically by the device OS after the test session or after 2 months.
Is app data retained after a test session? If so, for how long?
Yes. Apps are retained for up to 2 months for re-use in future test sessions.
Are emulator/device session data or logs retained?
Yes. Session logs and basic interaction data including session start and end are retained. These logs do not contain the contents of the mobile app. Observability data is also captured using Datadog.
Is there a customer option to delete stored apps?
Yes. A Mobile apps admin can delete uploaded apps through the platform. Customers cannot delete apps themselves. Deletion on SauceLabs follows its internal automated cleanup policy.
Data access and control
Who can access uploaded apps?
Only users assigned the Emulator Tester or Mobile Apps Admin roles can view or launch testing sessions using uploaded apps.
What controls do customers have over app visibility and deletion?
Visibility is shared across roles that have app testing access. Only Mobile Apps Admins can delete app bundles.
Log management
What activity logs are captured?
The system logs:
- Session start and end times.
- Device and OS configuration.
- User interactions with the emulator.
Does the customer have access to their logs?
No, customers do not currently have direct access to test session logs.
Data retention and deletion policies
How long is customer data retained in the system?
- Uploaded app files: retained for 2 months before automatic deletion
- App records (metadata): retained indefinitely for audit and support purposes
Can customers delete their app data themselves?
No. Only users with the Mobile Apps Admin role can delete apps via the platform. Customers can also request deletion through support.
Backup and recovery procedures
Are apps backed up? If so, for how long?
App files themselves are not backed up due to their temporary nature. Platform metadata and logs may be backed up according to infrastructure policy.
Are backup copies deleted after a certain period?
Yes. Backup retention follows internal infrastructure lifecycle management. Please contact DevOps for specifics.
Security of third-party integrations
How is SauceLabs protected and controlled? What access controls are in place for third-party tools?
All app transfers to SauceLabs are encrypted and controlled via API. Access to SauceLabs is scoped to the required session and role context only.
For transparency and security practices, refer to SauceLabs’ security documentation.
Encryption and data protection measures
-
Is uploaded app data encrypted at rest and in transit?
- In transit: Yes. All uploads and communications use HTTPS/TLS encryption.
- At rest: While temporary app files may be encrypted by Amazon S3 or SauceLabs, persistent storage is not used by Level Access.
-
What encryption standards are used?
- All in-transit data is encrypted using TLS.
-
Are additional security layers applied during processing?
- Permissions checks before testing actions are allowed
- Role-based access control to restrict visibility and editing rights
Comments
0 comments
Article is closed for comments.