Putting Privacy First
Putting Privacy First
Security at Hotjar
Security is key to fulfilling our commitment to our users and we at Hotjar take it very seriously. We have certifications, processes, and audits in place to systematically help ensure the safe and secure use of our service for everyone.
By default we block all traffic at a network level and only open specific ports as required to deliver the Hotjar service.
Any escalated access to infrastructure requires VPN with 2-factor authentication.
Unauthorized access attempts are logged and escalated through our usage of Threatstack.
Host-based intrusion detection systems are in active use.
Data to and from Hotjar's servers is encrypted in transit.
Our Data Safety, Privacy & Security article explains the exact details of the setup in more depth.
Failover and disaster recovery
All of our production infrastructure is built with redundancies in place, in highly-available configurations spread over three different availability zones in the eu-west-1 AWS region.
Inventory and configuration
Infrastructure is kept as code using Terraform, and other infrastructure-as-code tools with changes going through a process very similar to the application-level software development process. We make use of separate infrastructure for development, staging and live environments, with no sharing of data between environments.
Identity and Access Control
Passwords are stored in a hashed format using PBKDF2-SHA512.
VPN access requiring 2-factor authentication is required to access any internal resources.
Access to customer data is limited to authorized employees who require it for or operational and maintenance activities.
Access to sensitive production data is limited to just the devops team.
Monitoring and logging
We do extensive monitoring of infrastructure and application performance, which usually allows us to detect issues before many customers experience them.
Automated alerts are set up with an on-call schedule with escalations. In case an issue isn't acknowledged within 10 minutes, it's escalated to all other members of the devops team.
We perform annual application-level penetration tests via an independent third party.
Our aim is to fix any discovered critical issues within 2 business days, and high-severity issues within 30 business days.
Medium-severity and lower-severity issues are handled as part of ongoing security work.
Hotjar implements a protocol for handling security events and other operational issues which includes escalation procedures, rapid mitigation, and post-mortems.
You can visit our status page to get updates on any potential issues, and even subscribe to automatic updates.
Security and GDPR
Hotjar is fully committed to achieving compliance with the GDPR prior to the regulation’s effective date (May 25th 2018).
We will ensure that the required controls and application features are in place to allow our users to use Hotjar in a GDPR-compliant manner.
To read more about our commitment and compliance controls we have put in place, please check the resources below.