Security at Hotjar

Security is key to fulfilling our commitment to our users and we at Hotjar take it very seriously. We have certifications, processes, and audits in place to systematically help ensure the safe and secure use of our service for everyone.

Security Overview

Infrastructure Security

By default we block all traffic at a network level and only open specific ports as required to deliver the Hotjar service.

Any escalated access to infrastructure requires VPN with 2-factor authentication.

Unauthorized access attempts are logged and escalated through our usage of Threatstack.

Host-based intrusion detection systems are in active use.

Data Encryption

Data to and from Hotjar's servers is encrypted in transit.

Our Data Safety, Privacy & Security article explains the exact details of the setup in more depth.

Failover and Disaster Recovery

All of our production infrastructure is built with redundancies in place, in highly-available configurations spread over three different availability zones in the eu-west-1 AWS region.

Inventory and Configuration

Infrastructure is kept as code using Terraform and other infrastructure-as-code tools, with changes going through a process very similar to the application-level software development process. We make use of separate infrastructure for development, staging and live environments, with no sharing of data between environments.

Identity and Access Control

Passwords are stored in a hashed format using PBKDF2-SHA512.

VPN access requiring 2-factor authentication is required to access any internal resources.

Access to customer data is limited to authorized employees who require it for operational and maintenance activities.

Access to sensitive production data is limited to just the devops team.

Monitoring/Logging

We do extensive monitoring of infrastructure and application performance, which usually allows us to detect issues before many customers experience them.

Automated alerts are set up with an on-call schedule with escalations. In case an issue isn't acknowledged within 10 minutes, it's escalated to all other members of the devops team.

Penetration Testing

We perform annual application-level penetration tests via an independent third party.

Our aim is to fix any discovered critical issues within 2 business days, and high-severity issues within 30 business days.

Medium-severity and lower-severity issues are handled as part of ongoing security work.

Incident Response

Hotjar implements a protocol for handling security events and other operational issues which includes escalation procedures, rapid mitigation, and post-mortems.

You can visit our status page to get updates on any potential issues, and even subscribe to automatic updates.

Security / GDPR

Hotjar is fully committed to achieving compliance with the GDPR prior to the regulation’s effective date (May 25th 2018).

We will ensure that the required controls and application features are in place to allow our users to use Hotjar in a GDPR-compliant manner.

To read more about our commitment and the compliance controls we have put in place, please check the resources below.

Compliance / Certifications

Hotjar is PCI-compliant as we utilize Braintree's Hosted Fields.
Our infrastructure is hosted on AWS, which is an ISO27001 certified service.
Our infrastructure is hosted on AWS, which is an SOC2 certified service.

Security questions or issues?

If you think you may have found a security vulnerability within Hotjar, please get in touch with our security team.

Read more about our Data Safety, Privacy & Security, Privacy Policy & Terms of Service.