Security and privacy
Ownership of application data
Rokt and its partners will not be able to access or receive your application form data. The information customers enter into the application form will only be provided to you and stored by you on your own servers. Users may, of course, choose to share the same or similar information with partners directly on the ecommerce page. Much of the same information, such as name and address, is required to complete a purchase on the originating partner site. You will not have access to any customer PII data provided by customers directly to partners.
Storage of application data
Rokt does not have access to customer data entered into your application form. Therefore, customer data is not stored on Rokt servers for integrated application campaigns.
Rokt security policies
The security measures listed below are implemented by Rokt to mitigate vulnerabilities and to protect you from any form of communication with your web app except through explicitly defined postMessage implementations.
- Although Rokt will never attempt to access the content of your application, Rokt sets the most secure CSP configuration for the iFrame hosting your application, making external access impossible.
- Rokt uses a Channel Messaging API on both sender and receiver sides. This is to prevent third parties from sending or receiving messages through window.postMessage().
- Rokt does not send any credentials or tokens via window.postMessage().
- Rokt will not use any type of communication channel, which means your application does not need to listen to “message” events.
- Rokt implements the frame-ancestors CSP directive to defend against clickjacking.
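
To check how a frame-ancestors policy like the one in the last item restricts framing, the following added example (not Rokt's code) audits a Content-Security-Policy header value against an allow-list of embedding origins. The function names, the header values and the origin https://host.example are assumptions constructed for illustration.

```javascript
// Added example: audit the frame-ancestors directive of a CSP header value.
// All header values and origins used with it are constructed samples.

// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by the browser: the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report whether framing is limited to 'none', 'self' or the given origins.
// allowedOrigins is a hypothetical allow-list, expected in lower case.
function auditFrameAncestors(headerValue, allowedOrigins = []) {
  const sources = parseCsp(headerValue).get("frame-ancestors");
  // frame-ancestors does not fall back to default-src, so a policy
  // without it places no restriction on who may frame the page.
  if (sources === undefined) return { ok: false, reason: "missing" };
  // An empty source list matches no ancestor, the same as 'none'.
  const onlyNone = sources.length === 1 && sources[0].toLowerCase() === "'none'";
  if (sources.length === 0 || onlyNone) return { ok: true, reason: "none" };

  // Anything other than 'self' or an allow-listed origin is flagged,
  // which covers "*", scheme-only sources and wildcard hosts.
  const unexpected = sources.filter((src) => {
    const s = src.toLowerCase();
    return s !== "'self'" && !allowedOrigins.includes(s);
  });
  return unexpected.length === 0
    ? { ok: true, reason: "allow-list", unexpected }
    : { ok: false, reason: "too-broad", unexpected };
}
```
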
Rokt has a detailed process for handling any security incidents, which includes a complete internal review of any incidents.