The Key Point

Our servers never see, store, or process your Okta data.

Backup Okta is an Apify actor that runs entirely within your own Apify account. Your Okta credentials, backups, and logs stay inside your Apify account (the only outbound traffic is the actor's API calls to your own Okta tenant) and are never accessible to us.

This is not a SaaS. It's a tool you run in your own compute environment. Think of it like running a script on your own server, except the server is managed by Apify.

Where Your Data Lives

Credentials

  • Your Okta API token or OAuth credentials are entered directly into Apify's actor input form
  • If you save them as a preset, they are stored in Apify's encrypted storage, still inside your own account
  • We have no access to your credentials

Backups

  • All backup files are stored in your Apify Key-Value Store
  • Files include: OKTA_SNAPSHOT.json, OKTA_WORKFLOWS.zip, logs
  • You control retention through Apify's data retention settings
  • We have no access to your backups

Logs

  • Actor run logs are stored in your Apify account
  • Logs may contain resource names (for example, group or policy names) but never credentials, tokens, or other secret values
  • You control log retention through Apify settings

Network Architecture

When you run Backup Okta:

  1. Apify spins up a container in their cloud infrastructure
  2. The container runs our code
  3. API calls go directly from Apify → your Okta tenant
  4. Backup files are written directly to your Apify storage
  5. The container is destroyed when the run completes

Our servers are never in the data path.

What We Can See

  • That you forked/ran our actor (basic Apify analytics)
  • Public error reports if you choose to share them

What We Cannot See

  • Your Okta credentials
  • Your backup data
  • Your Okta configuration
  • Your run logs
  • Anything in your Apify account

Apify's Security

Apify is responsible for infrastructure security and maintains:

  • SOC 2 Type II certification
  • GDPR compliance
  • Encrypted data at rest and in transit
  • Regular security audits

For details, see Apify's security page.

Code Transparency

We're committed to transparency about how Backup Okta works:

  • Full documentation of all API calls made to your Okta tenant
  • Clear logging of all operations performed
  • Detailed restore plans before any changes are made
  • Contact us for security reviews or compliance questionnaires

Recommended Security Practices

For OAuth (Recommended)

  • Create a dedicated OAuth app used only for backups, so its activity is easy to isolate in the System Log
  • Grant only the scopes the backup needs; add write scopes only when you actually intend to restore
  • Rotate the app's credentials periodically
  • Monitor the app's API usage in Okta's System Log and investigate any activity outside your backup schedule

For API Tokens

  • Create a dedicated service account (not a personal admin account) to own the token
  • Assign read-only admin roles where possible; a write-capable token is only needed for restores
  • Set token expiration policies so an unused or forgotten token does not live forever
  • Monitor token usage in the System Log and revoke the token if it is used from an unexpected source
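The two monitoring bullets above (for OAuth apps and for API tokens) amount to the same check: everything the backup identity does in the System Log should be a read, so any write or any failed call from that actor is worth a look. The script below is an added example, not code from Backup Okta. It assumes the backup runs under its own actor ID in Okta; the event records are constructed sample data shaped like System Log entries (actor, eventType, outcome, client, target), and the list of "write verbs" is an assumption you should extend to match the event types you actually see.

```python
"""Audit Okta System Log activity for a dedicated backup identity.

Added example; not code from Backup Okta. It assumes the backup runs under its
own OAuth app or service account, so everything attributed to that actor ID in
the System Log should be a read. SAMPLE_EVENTS is constructed data.
"""
from __future__ import annotations

import re
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlencode

# Verbs that mark a mutation in Okta eventType names (user.lifecycle.create,
# group.user_membership.add, ...). Assumed list; extend it for your tenant.
WRITE_VERBS = {
    "create", "update", "delete", "deactivate", "activate", "add", "remove",
    "reset", "revoke", "suspend", "unsuspend", "assign", "unassign",
}

BACKUP_ACTOR_ID = "0oa1backup0000000000"            # constructed, not a real client ID
EXAMPLE_SINCE = datetime(2024, 5, 1, tzinfo=timezone.utc)


def build_log_query(actor_id: str, since: datetime, until: datetime | None = None,
                    limit: int = 1000) -> str:
    """Path plus query string for GET /api/v1/logs scoped to one actor.

    filter, since, until, limit and sortOrder are the System Log API's own
    parameters; actor_id is whatever Okta assigned to your backup app/account.
    """
    def ts(d: datetime) -> str:
        return d.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

    params = {"filter": f'actor.id eq "{actor_id}"', "since": ts(since),
              "limit": limit, "sortOrder": "ASCENDING"}
    if until is not None:
        params["until"] = ts(until)
    return "/api/v1/logs?" + urlencode(params)


def is_write_event(event_type: str) -> bool:
    """True when the eventType name carries a mutation verb."""
    return any(t in WRITE_VERBS for t in re.split(r"[._]", event_type.lower()))


def audit_events(events: list[dict], actor_id: str) -> list[dict]:
    """Findings for the backup identity: any write, or any non-success call.

    A write means a restore ran or the credential is being used outside the
    backup job; a failure usually means the credential expired, was rotated,
    or is being tried from somewhere it should not be.
    """
    findings = []
    for ev in events:
        if ev.get("actor", {}).get("id") != actor_id:
            continue  # other admins' activity is out of scope for this check
        event_type = ev.get("eventType", "")
        result = ev.get("outcome", {}).get("result", "UNKNOWN")
        reason = None
        if is_write_event(event_type):
            reason = "write operation by backup identity"
        elif result != "SUCCESS":
            reason = f"non-success outcome: {result}"
        if reason:
            findings.append({
                "uuid": ev.get("uuid"), "published": ev.get("published"),
                "eventType": event_type,
                "ipAddress": ev.get("client", {}).get("ipAddress"),
                "targets": [t.get("displayName") for t in ev.get("target", [])],
                "reason": reason,
            })
    return findings


def summarize(events: list[dict], actor_id: str) -> Counter:
    """eventType counts for the backup identity, to baseline a normal run."""
    return Counter(ev["eventType"] for ev in events
                   if ev.get("actor", {}).get("id") == actor_id)


def _event(uuid, published, event_type, actor_id, actor_type="PublicClientApp",
           result="SUCCESS", targets=(), ip="203.0.113.10"):
    # Builds one constructed record in the shape of a System Log entry.
    return {"uuid": uuid, "published": published, "eventType": event_type,
            "actor": {"id": actor_id, "type": actor_type},
            "outcome": {"result": result}, "client": {"ipAddress": ip},
            "target": [{"type": t, "displayName": n} for t, n in targets]}


# Constructed export: one nightly backup, two things that should not be there,
# and one event from an unrelated human admin.
SAMPLE_EVENTS = [
    _event("e1", "2024-05-01T02:00:01.000Z", "app.oauth2.as.token.grant", BACKUP_ACTOR_ID),
    _event("e2", "2024-05-01T02:00:04.000Z", "app.oauth2.as.token.grant", BACKUP_ACTOR_ID,
           result="FAILURE", ip="198.51.100.7"),           # rejected token, unexpected source
    _event("e3", "2024-05-01T02:03:17.000Z", "group.lifecycle.create", BACKUP_ACTOR_ID,
           targets=(("UserGroup", "Finance"),)),           # a write during a backup
    _event("e4", "2024-05-01T09:15:00.000Z", "user.lifecycle.deactivate",
           "00u1humanadmin000000", actor_type="User",
           targets=(("User", "j.doe@example.com"),)),      # different actor, ignored
]

if __name__ == "__main__":
    print(build_log_query(BACKUP_ACTOR_ID, EXAMPLE_SINCE))
    for f in audit_events(SAMPLE_EVENTS, BACKUP_ACTOR_ID):
        print(f"{f['published']} {f['eventType']:32} {f['reason']} targets={f['targets']}")
```

Run it against a real export by paging through the query `build_log_query` returns with your Okta admin token and feeding the JSON array to `audit_events`; a clean nightly run should produce no findings and a `summarize` baseline that looks the same every night.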

For Restore Operations

  • Always run a dry run first
  • Review the restore plan before confirming
  • Keep allowDeletes: false unless you specifically need the restore to delete resources
  • Test restores in a sandbox org before touching production

Compliance Considerations

You are responsible for your own compliance. We provide a tool; you decide how to use it within your compliance framework.

That said, this architecture is often easier to justify to security teams than traditional SaaS because:

  • No data stored on our systems; everything stays in your Apify account
  • No vendor access to your data
  • Transparent operations with detailed logging
  • Runs in an Apify account you control
  • Runs on infrastructure covered by Apify's compliance certifications

Questions?

If you have security questions or need additional documentation for your compliance team, contact us at security@backupokta.org.