Common questions around data storage and collection. See Handling Personal Data for recommendations on user data storage.
OneSignal's data is stored in Netherlands in a datacenter managed by Google Cloud Platform (GCP). Details on our move in this blog post.
Messages sent through OneSignal's API, Journeys and Automated Messages are kept for around 30 days before being removed from OneSignal's servers.
All User Data and Messages sent through the OneSignal Dashboard Create Message forms are kept for the lifetime of the OneSignal App or unless manually deleted.
Notification History is the list of devices that were sent or clicked the push. This is available for 7 days.
See Exporting Data.
OneSignal is certified with the Families Ads Program as of January 10th 2022.
COPPA is the responsibility of the publisher to maintain. However, OneSignal provides an easy solution for gathering User Consent before collecting data and prompting for push. More details on how to properly handle this interaction can be found in this article: How to Implement COPPA Compliant Push Notifications in Kid Directed Apps.
Yes! Our work in achieving SOC 2 certification has also helped us in our goal to achieving HIPAA compliance. For those not aware, the Health Insurance Portability and Accountability Act (HIPAA) is a federal law that regulates how companies and healthcare providers handle protected health information (PHI) to ensure proper data security. We are happy to say that we now support a core aspect of HIPAA compliance by offering a Business Associate Agreement (BAA) to Enterprise Plan customers.
OneSignal's SDKs are open source on Github.
Our Native Android SDK is currently 190KB and, like most Android SDKs/Plugins, it depends on the Android Support Library v4 and Google Play services library which may add 1 to 2 MB if they are not in your project already. However, if you use Proguard on your project this size will be reduced.
Our Native iOS SDK is a 3MB download. However, if you build your app with bit code turned on, it will only add around 500KB to your app's size.
Our Web SDK is 55 KB minified and gzipped. It is loaded asynchronously from our worldwide CDN with a long browser-expiry.
All OneSignal SDKs connect to our servers with HTTPS. Our REST API enforces a TLS 1.2+ connection and the need for a REST API Key where it is needed.
OneSignal uses the TLS encryption for sending notifications as required by the Apple APNS specifications.
OneSignal uses Google's GCM/FCM service, which uses the HTTPS protocol.
Steps to secure your OneSignal Account:
- Use Two-Step Authentication and enable it for all users with access to your account.
- Remove Administrators that do not need access to your account. Multiple people should also not share a single account. You should have 1 email associated for each person.
- Do not publish your REST API Key or User Auth Key. These keys should not be placed anywhere publicly accessible like Github or within your app/site.
- If you believe your account is already compromised follow these steps to reset your account.
Make sure your OneSignal REST API Key and User Auth Key did not get published within your app/site or openly, like on Github. Also, make sure your email and password used for OneSignal is not easily guessable or the same as another site that has been compromised. You can check if this occurred using a site like https://haveibeenpwned.com/
Follow these steps to lockdown and reset your account:
Login to onesignal.com and go to Accounts & API Keys in the top right corner.
Navigate to User Auth Key > Generate New User Auth Key.
Select Yes, generate a new one
In Accounts & API Keys enter a New Password and Confirm Password. Then Submit.
In your App, navigate to Settings > Keys & IDs and select Generate New API Key for all apps.
Remove Administrators on your account that are not part of the project anymore or who don't need access.
You can enable Two-Step Authentication within your OneSignal dashboard.
Make sure everyone on your team that has access to your account does the above steps.
If you believe that your REST API key has been compromised, please follow our guide to Reset Your REST API Key.
More details below on Locking down your account.
If someone was to gain access to your
app_id through your application or site, they could technically add a new device record. However, that record cannot receive notifications if the device wasn't subscribed through valid means.
A user's own
subscription_id is public to that user, and discovering it is generally harmless. It can be used to view and update tags and other data about the user's subscription. For this reason, tags should not be used for either authentication or the storage of sensitive data and personally-identifiable information.
Users of your application or service should not be given access to the
subscription_ids of other users. This is because a
subscription_id on its own is sufficient to send a notification to that user's device. So the
subscription_ids belonging to other people should be kept secret.
Updated 15 days ago