Here is a compiled list of common questions and answers around building secure apps with Airkit, ranging from best practices around TCPA, Airdata security and retention, session expiry, and more.
Are data flows run server-side or client-side?
How long do sessions last?
By default, sessions expire after 30 days. The expiration time can be configured in Configuration Builder, and a journey can also be extended from an action chain with the Extend Journey Expiration Time action.
How do you know if a session/journey has been completed?
Session activity can be monitored by clicking the menu icon > Sessions and Activity while editing an application in the Studio. A journey can also be ended manually with the End Journey action in an action chain.
Can I build an app that requires authentication?
Are assets uploaded to the Media Library scanned for any malware or viruses?
Are my API tokens in console secure?
Yes. API tokens and credentials uploaded via integrations are stored in an encrypted vault.
Where is data in Airdata stored, and is it secure?
Airdata is encrypted at rest, in transit between systems, and on the server itself. Our online infrastructure is built on Amazon Web Services, which maintains an extensive set of certifications, including SOC 2, ISO 27001 and FedRAMP, covering the service's security, confidentiality, availability and integrity. For more information, see https://www.airkit.com/security/.
How long is data retained?
Data stored in Airdata is retained until it is manually deleted. Session data, on the other hand, is kept only for the duration of the session. Session duration is configurable in Configuration Builder and can also be extended with the Extend Journey Expiration Time action.
Where is the data from inputs or variables stored?
Data entered into ordinary inputs and variables is held in the browser. The Secure Text Input control is the exception: values entered into it are not surfaced in the browser. Instead, the control generates a Redis key, and the value behind that key can only be resolved from a data flow, using the Secure Value Retrieval data operation.
How are assets retained on Airkit servers?
Assets in Airkit are uploaded to Amazon S3, in a separate bucket per org and per application. An asset is created either as a global asset or as a private asset. Global assets are served from the CDN at a static link. Private assets are served from a generated link with a configurable expiration time. See The Asset Data Type for more information.
How do I handle secure data when building in Airkit?
Secure data can be handled with the Secure Text Input Web Control or the Secure Touchtone Capture Control, or with PCI-compliant controls such as the Credit Card Control and the Payment Request Button Control.
How are emails handled in Airkit?
What are some best practices for building an application that is TCPA compliant?
What are best practices when building a PCI compliant application?
When building a PCI-compliant app, ensure that no sensitive data is saved on the client. Capture data deemed sensitive with the Secure Text Input Web Control and retrieve it server side, in a data flow. The data flow must not return that value as an output: anything a flow returns reaches the client, and the application is then no longer PCI compliant. When capturing credit card information, prefer Airkit's PCI-specific controls, which are compliant out of the box: the Credit Card Web Control and the Payment Request Button Web Control.