Security Statement

Median.co is dedicated to securing and protecting your data through state-of-the-art technical and organizational security controls, numerous regulatory and compliance resources, and a growing collection of third-party attestations and certifications.

Median achieved [SOC 2](https://www.aicpa-cima.com/resources/download/soc-for-service-organizations-engagements-overview) compliance


Additionally, we are dedicated to protecting customer data, including continually improving security processes and controls and upholding transparency with regard to data processing. We deliver the highest levels of standards conformance as part of our mission to address the most demanding security and privacy requirements of our customers.

For questions on privacy and security, or to submit a custom security questionnaire, please get in touch with our team. Please note that our team is only able to complete security questionnaires for our Enterprise customers at this time.


Do you need more information or have any specific questions?

You can use the link to contact our Privacy and Security Team.

What are the privacy and security implications of using Median?

Security best practices

When developing apps in our App Studio, we strongly advise against embedding private data, such as non-public tokens or passwords, in your app configuration (e.g., custom JavaScript or analytics configuration). Any data embedded in your app can potentially be extracted from the compiled binary or other app files.

When testing apps using our browser-based simulators, you can safely enter login credentials as these simulators are secure and have been SOC 2 certified by an independent third-party auditor. These simulators provide the same security level as your website when accessed through a standard web browser. However, keep in mind that to obtain app store approval, you must provide sample login credentials to the app store reviewer. We recommend using a demo or sandbox account that excludes sensitive information and does not grant elevated access. Contact us for a SOC 2 report for the browser-based simulators.

When installing and running apps built using the Median platform on a physical device, it’s important to note that by design all data and network traffic from your app goes directly between the device and your web server. This behavior mirrors how a user would access your website via Mobile Safari or Mobile Chrome. No website data whatsoever passes through any Median servers, and your app does not depend on Median's servers or uptime to function. Therefore, your app relies on the same security, encryption, and access that exists on your website. Ensure your app is considered a client when designing your web-based security architecture.

Security considerations for mobile apps

Mobile apps bring specific considerations for privacy and security (different from web-based SaaS platforms) such as:

  • Network security restrictions (e.g. App Transport Security (ATS) enforcement to prevent unencrypted/cleartext requests, SSL CA validation and certificate/identity pinning to avoid Man-in-the-Middle (MitM) attacks)
  • Device functionality restrictions to limit access to sensitive content (e.g. copy and paste blocking, app switcher/recent apps appearance masking)
  • Compromised device detection (e.g. prevent app usage on a jailbroken/rooted device)
  • Disabling console logging of debug information (e.g. prevent sensitive information from being logged to the device debug logs)

Security assessments

Median is equipped to meet the most stringent mobile security requirements. At times an independent security assessment will be required to certify compliance with an organization's mobile security policies. Each app, and future app update, created using Median must be audited individually given the hybrid nature of the native app code plus web code, the potential use of native plugins, as well as continual updates to the Median solution. We recommend working directly with our team for guidance on the most relevant information applicable for your app and for your organization's specific requirements.

When engaged to assist with your security assessment, our team will work directly with your organization's internal mobile security team and/or an external provider. A third-party vendor that several of our customers have used with success to audit their Median apps is Appknox (no affiliation or relationship with Median).