By
Any escalated access to infrastructure requires VPN with 2-factor authentication.
Unauthorized access attempts are logged and escalated through our usage of Threatstack.
Host-based intrusion detection systems are in active use.
Data to and from Hotjar's servers is encrypted in transit.
Our Data Safety, Privacy & Security article explains the exact details of the setup in more depth.
All of our production
Infrastructure is kept as code using Terraform and other infrastructure-as-code tools, with changes going through a process very similar to the application-level software development process. We use separate infrastructure for development, staging and live environments, with no sharing of data between environments.
Passwords are stored in a hashed format using PBKDF2-SHA512.
Accessing any internal resources requires VPN access with 2-factor authentication.
Access to customer data is limited to authorized employees who require it for
Access to sensitive production data is limited to just the
We do extensive monitoring of infrastructure and application performance, which usually allows us to detect issues before many customers experience them.
Automated alerts are set up with an on-call schedule with escalations. If an issue isn't acknowledged within 10 minutes, it's escalated to all other members of the
We perform annual application-level penetration tests via an independent third party.
Our aim is to fix any discovered critical issues within 2 business days, and high-severity issues within 30 business days.
Medium-severity and lower-severity issues are handled as part of ongoing security work.
Hotjar implements a protocol for handling security events and other operational issues which includes escalation procedures, rapid mitigation, and post-mortems.
You can visit our status page to get updates on any potential issues, and even subscribe to automatic updates.
Hotjar is fully committed to achieving compliance with the GDPR prior to the regulation’s effective date (May
We will ensure that the required controls and application features are in place to allow our users to use Hotjar in a GDPR-compliant manner.
To read more about our commitment and the compliance controls we have put in place, please check the resources below.
If you think you may have found a security vulnerability within Hotjar, please get in touch with our security team.
Read more about our Data Safety, Privacy & Security, Privacy Policy & Terms of Service.