(Disclaimer, I'm not an AppDrag representative, just a user and fan, but my opinions are my own)
The AppDrag Whitepaper has some good information about their own security.
But part of AppDrag's power in allowing you to design and build your own 'back-end' to a site is giving you the flexibility to decide how much (or how little) security you need.
In this sense, it's almost as if you are renting a storefront in a mall. The mall (AppDrag) mops the floors, maintains the public restrooms, manages the parking lot, etc.
But you have to decide what kind of door and what kind of locks you put on or in your store.
AppDrag prevents 'unauthorized' access in the default state. Meaning, nobody can change your website or access your data directly.
However, as soon as you start using their tools to build other ways of accessing the data, the responsibility for security falls under your scope.
For example, if you build an API function to access confidential or private data, you should also build in tests or checks to ensure that the API caller is authorized to access that information.
This is obviously part of a much larger conversation about application security in general, but I wanted to get the ball started by defining and distinguishing the 'scopes' of your responsibility vs. AppDrag's.
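The kind of check described above, as an added example that is not part of the original post and is not AppDrag's own code or API: a plain Node.js function that first authenticates the caller and then authorizes access to the specific record requested. The token format, the function names, the secret and the sample orders are all assumptions constructed for illustration.

```javascript
// Added example: names, token format and data are constructed, not AppDrag's API.
const crypto = require('crypto');

// Assumption: a server-side secret loaded from configuration, never sent to the client.
const SECRET = 'constructed-demo-secret';
// Constructed sample data standing in for a private table.
const ORDERS = new Map([
  [101, { owner: 'alice', total: 40 }],
  [102, { owner: 'bob', total: 75 }],
]);

const sign = (payload) =>
  crypto.createHmac('sha256', SECRET).update(payload).digest('hex');

// Issued after a successful login (login itself is not shown).
// Format: "user.expiryMillis.hmac"; user names containing "." are rejected on verify.
function issueToken(user, ttlMs = 600000, now = Date.now()) {
  const payload = `${user}.${now + ttlMs}`;
  return `${payload}.${sign(payload)}`;
}

// Authentication: returns the user name for a genuine, unexpired token, else null.
function verifyToken(token, now = Date.now()) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) return null;
  const [user, expiry, mac] = parts;
  const expected = Buffer.from(sign(`${user}.${expiry}`));
  const given = Buffer.from(mac);
  // Constant-time comparison; lengths must match before timingSafeEqual.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  if (!/^\d+$/.test(expiry) || Number(expiry) <= now) return null;
  return user;
}

// The API function: authenticate first, then authorize for this specific record.
function getOrder(request, now = Date.now()) {
  const user = verifyToken(request.token, now);
  if (!user) return { status: 401, body: { error: 'authentication required' } };
  const order = ORDERS.get(request.orderId);
  // Same answer for "does not exist" and "not yours", so ids cannot be probed.
  if (!order || order.owner !== user) {
    return { status: 404, body: { error: 'not found' } };
  }
  return { status: 200, body: { id: request.orderId, total: order.total } };
}
```

The second check is the one that is easy to forget: a valid login only proves who the caller is, not that the record they asked for belongs to them.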