Does your application require access to location or GPS data?
Explanation
At the heart of this is location data: whether your application collects or requires access to a user's physical position or GPS coordinates. Location data is considered sensitive personal information because it can reveal patterns about a person's movements, home address, workplace, and other private details.
In a security assessment, this question is important for several reasons:
1. Privacy implications: Location data is considered sensitive personal information under many privacy regulations (like GDPR, CCPA).
2. Data minimization: Security best practices recommend collecting only the data necessary for the application's functionality.
3. Risk assessment: Applications that collect location data present additional security risks if that data is breached.
4. Compliance requirements: Different jurisdictions have specific requirements for handling location data.
When answering this question, you should:
- Be clear about whether your application collects location data at all
- If it does, explain why this data is necessary for core functionality
- Describe how precisely the location is tracked (city-level, exact coordinates, etc.)
- Mention any controls in place to protect this sensitive data
- Explain if users can opt out of location tracking while still using core features
Example Responses
Example Response 1
No, our application does not require or collect any location or GPS data from users Our cloud-based document management system functions entirely without needing to know the physical location of users All authentication is based on credentials and optional multi-factor authentication rather than location-based verification Our application's functionality is designed to work consistently regardless of where users are physically located.
Example Response 2
Yes, our delivery logistics application requires access to GPS data, but with specific limitations and protections The application needs real-time location data only for delivery drivers while they are on active duty to optimize routes and provide accurate delivery estimates to customers Drivers can toggle location tracking on/off when not on shift Customer-facing portions of the application only request approximate location (city level) to determine service availability All location data is encrypted in transit and at rest, retained for only 30 days, and we obtain explicit consent before collecting any location information Users can opt out of precise location sharing and manually enter their general location instead.
Example Response 3
Our application does collect location data, but we have not implemented specific security controls around this data The marketing analytics dashboard uses IP-based geolocation and optional GPS data from mobile users to provide regional insights to our customers We do not currently have a documented retention policy specifically for location data, and while users are informed about data collection in our privacy policy, there is no specific opt-out mechanism for location tracking while continuing to use the service We're currently working on improving our controls in this area to better protect this sensitive information.
Context
- Tab
- Infrastructure
- Category
- Application/Service Security
Related questions
- Are access controls for institutional accounts based on structured rules, such as role-based access control (RBAC), attribute-based access control (ABAC), or policy-based access control (PBAC)?
- Are you using a web application firewall (WAF)?
- Are only currently supported operating system(s), software, and libraries leveraged by the system(s)/application(s) that will have access to institution's data?
- Does your application provide separation of duties between security administration, system administration, and standard user functions?
- Do you subject your code to static code analysis and/or static application security testing prior to release?
- Do you have software testing processes (dynamic or static) that are established and followed?

