APPL-04

Does your application require access to location or GPS data?

Explanation

This question is asking whether your software application or service collects or requires access to a user's physical location data or GPS (Global Positioning System) coordinates. Location data is considered sensitive personal information because it can reveal patterns about a person's movements, home address, workplace, and other private details.

In a security assessment, this question is important for several reasons:

1. Privacy implications: Location data is considered sensitive personal information under many privacy regulations (like GDPR, CCPA).
2. Data minimization: Security best practices recommend collecting only the data necessary for the application's functionality.
3. Risk assessment: Applications that collect location data present additional security risks if that data is breached.
4. Compliance requirements: Different jurisdictions have specific requirements for handling location data.

When answering this question, you should:

- Be clear about whether your application collects location data at all
- If it does, explain why this data is necessary for core functionality
- Describe how precisely the location is tracked (city-level, exact coordinates, etc.)
- Mention any controls in place to protect this sensitive data
- Explain if users can opt out of location tracking while still using core features

Example Responses

Example Response 1

No, our application does not require or collect any location or GPS data from users. Our cloud-based document management system functions entirely without needing to know the physical location of users. All authentication is based on credentials and optional multi-factor authentication rather than location-based verification. Our application's functionality is designed to work consistently regardless of where users are physically located.

Example Response 2

Yes, our delivery logistics application requires access to GPS data, but with specific limitations and protections. The application needs real-time location data only for delivery drivers while they are on active duty to optimize routes and provide accurate delivery estimates to customers. Drivers can toggle location tracking on/off when not on shift. Customer-facing portions of the application only request approximate location (city level) to determine service availability. All location data is encrypted in transit and at rest, retained for only 30 days, and we obtain explicit consent before collecting any location information. Users can opt out of precise location sharing and manually enter their general location instead.

Example Response 3

Our application does collect location data, but we have not implemented specific security controls around this data. The marketing analytics dashboard uses IP-based geolocation and optional GPS data from mobile users to provide regional insights to our customers. We do not currently have a documented retention policy specifically for location data, and while users are informed about data collection in our privacy policy, there is no specific opt-out mechanism for location tracking while continuing to use the service. We're currently working on improving our controls in this area to better protect this sensitive information.

Context

Tab: Infrastructure
Category: Application/Service Security
