How secure is it to put secrets and keys etc. in Adalo?

Is it secure to use Adalo to pass secrets, keys etc from the user to the component via the Adalo interface and the component’s props?


Why not?

Many reasons. The first rule of security is, whenever there is doubt, there is no doubt. So if you don’t know if something is secure, it means that it is not.

When handling secrets, chain of custody is important. You don’t know how the component works, or where the data is stored, or who has access. If your customer puts data into your app, you get to see it in the collections. Does that mean that Adalo can see it as well? If you can see your customer, can adalo see you?

This is why laws like GDPR and California privacy exists, to prevent and/punish people who collect information and don’t know where it goes or who has access.

What is the standard solution of Adalo builders for storing their app’s users’ data?

The standard is to store only what you need, no secrets or keys, and hope that it is safe.

If you wanted to take it one step further, which is probably a waste of time, then depending on your region, you need to contact Adalo for more details.

Let’s say you enjoy the protections of GDPR. This means that you are the data controller, adalo is the data processor and if Adalo does business in Europe they need to comply to GDPR. So as the data controller, you are allowed to ask lots of information from the data provider about how they collect and secure the data you are giving them to process. You can request to spent to the data protection officer, and inspect their systems , and request the records of their operations as a processor. This is expensive and filled with legal jargon.

Hope for the best and keep the impact of breach as low as possible is my recommendation.

So to securely/legally use Adalo for anything production that stores user data, you have to be communicating with Adalo directly?

It’s impossible (insecure/illegal) for regular users of Adalo to use Adalo to make the app they want their end users to have?

It is not that black and white. It depends on where you are located, who your customers are and where they are located.

It is not legal or illegal, it is far more subtle.

If you search the forum for GDPR you will find a lot of information on the topic.

But yes, if you want to do something securely and legally, it is your requirement as a data controller to be in touch with adalo directly as a data processor.

Let’s take something as simple as PCI compliance. If you collect credit cards in your app (like using stripe) then you are legally obligated to be PCI compliant, or risk fines. To be PCI compliant you must know exactly how the credit card data is handled, every step of the way. When you drag and drop the Stripe component into your app, you do not know how the component works, where the information is sent, or anything. This means that you are not PCI compliant.

So, stay small and off the radar of governing bodies, MVP your app, then worry about compliance.

To release an app in the store, you must have a privacy policy. If you put that your app does this and that and blah blah, how are you certain that this is accurate and true? If you say that you keep their data safe, how could you possibly know if you are not a developer with access to the system?

One more note, this is not an Adalo problem, this is an “every no-code platform on the market problem”. So moving to another platform will not solve this problem.

Someone (Adalo? But they won’t) should write a boilerplate privacy template for everyone to use. I assume 90% of it would be the same for everyone using Adalo…

1 Like

It would read something like this ( I don’t know if I am being honest, or sarcastic, or both…)

This App is designed using a No-Code platform because we have a great idea we want to give to the world but we don’t have the skillset or the funds to build it with code. As a bootstrap start-up we will do our best to ensure your privacy is safe, but we did not write the code, we simply dragged and dropped items onto a screen, clicked a button and an app popped out. We do not track your information, but we don’t know what code exists in the app so your information might be tracked. We followed the nessecary guidelines to ensure your data is safe to the best of our abilities, but we are not sure where or how your data is being stored, backed up, or secured.

If you live in the EU and file a GDPR request with us, we will download the Information we have access to, but it might not be complete because we don’t know where your information is going.

If you file a “right to forget” request, again, we will do our best to comply but we do not know how the system works to fully comply with the legal requirements.

Something like that should do it.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.