Security & Privacy Overview

Last updated on July 13th 2014

At ClickTale we take privacy and security very seriously.
On this page you will find the most common questions and answers related to ClickTale's security and privacy practices.
This page is intended for users of the ClickTale software and for Information Security and IT personnel.

Does ClickTale allow customers to record Personally Identifiable Information (PII)?

No. Personally identifiable information (PII) is any information that can be used to identify, contact, or locate an individual. It may include names, email addresses, health data, financial data (for example, credit card), or similar information that can be used to identify a particular person.
ClickTale takes privacy very seriously and has a strict policy against using its service to collect PII. All data that ClickTale processes on behalf of its clients should be completely anonymous data.

How is recording Personally Identifiable Information (PII) prevented?

ClickTale helps its customers with various implementation tools to ensure that ClickTale does not receive, save or display through the product any PII.
The primary areas in which PII exists are the keystrokes that users input and the HTML of the page (i.e. prefilled data). The following are the various methods that we provide to ensure that no PII is recorded.

Keystroke Client Side Block

ClickTale helps customers ensure that no keystrokes are recorded at all by our product. This is implemented with one line of JavaScript code, which ensures that our product only keeps track of when keys were pressed, without recording which keys were pressed.
This means the keys are neither logged nor sent across the network.
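The following is an added example, not ClickTale's own code, of what a timing-only keystroke recorder looks like: it keeps when a key was pressed and which field received it, and drops the key value before anything is stored, so nothing sensitive can be serialized for transmission. It also applies the rule stated later on this page that password fields are always blocked. The class name, the blockKeys option and the shape of the sample events are assumptions for illustration; the real product exposes its own single-line switch.

```javascript
// Added example, not ClickTale's own code: a keystroke recorder that keeps
// only the timing of key presses and the field they landed in, never the key
// value. The class name, the blockKeys option and the event shape are
// assumptions for illustration; the real product exposes its own switch.

class KeystrokeRecorder {
  // blockKeys models the single client-side switch described above: with it
  // on, key values are dropped before they are stored, so they never reach
  // the network.
  constructor({ blockKeys = true } = {}) {
    this.blockKeys = blockKeys;
    this.events = [];
  }

  // Handle one keydown event (a DOM KeyboardEvent, or a plain object with the
  // same fields when run outside a browser).
  onKeydown(event) {
    const target = event.target || {};
    // Password fields are blocked regardless of the account-level setting.
    const keepValue = !this.blockKeys && target.type !== 'password';
    const record = {
      t: Math.round(event.timeStamp), // when the key was pressed
      field: target.name || null,     // which field received it, not what was typed
    };
    if (keepValue) record.key = event.key;
    this.events.push(record);
    return record;
  }

  // The buffer as it would be serialized for transmission.
  toPayload() {
    return JSON.stringify({ events: this.events });
  }

  // Defensive pre-send check: true if any serialized record carries a key value.
  static payloadLeaksKeys(payload) {
    return JSON.parse(payload).events.some((e) =>
      Object.prototype.hasOwnProperty.call(e, 'key'));
  }
}

// Constructed sample events standing in for a real browser session.
const SAMPLE_EVENTS = [
  { key: 'j', timeStamp: 1000.2, target: { name: 'email', type: 'text' } },
  { key: '@', timeStamp: 1130.9, target: { name: 'email', type: 'text' } },
  { key: 'h', timeStamp: 2500.0, target: { name: 'pw', type: 'password' } },
];

// Run the sample through a recorder and return the wire payload.
function runSample(blockKeys) {
  const recorder = new KeystrokeRecorder({ blockKeys });
  SAMPLE_EVENTS.forEach((e) => recorder.onKeydown(e));
  return recorder.toPayload();
}

// In a browser the recorder would be wired up as:
//   document.addEventListener('keydown', (e) => recorder.onKeydown(e));
```

The point of `payloadLeaksKeys` is that the block is enforced at serialization time, not only at capture time: a payload that still carries a `key` property is detectable before it is sent, which is the property a reviewer would want to verify rather than take on trust.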

Keystroke Server Side Block

As an additional failsafe, ClickTale may implement a server side block to ensure that no keystrokes are saved. It is also possible for us to set up a complete block, such that if any keystroke is recorded from the account, all recordings are immediately stopped and alerts are sent to all relevant parties.

HTML Client Side Block

The most common integration method ClickTale offers for pages that contain PII is one in which the HTML of the page is sent directly from the browser to ClickTale’s servers.
When this method is used, any PII in the HTML can be removed using client side regular expressions, before it is sent across the network. This can be done using the ClickTale API.
Another option is to tag sensitive data in the HTML with HTML comments. These comments cause the ClickTale parser to remove the tagged data before it is saved on ClickTale’s servers.
This solution is discussed here: http://wiki.clicktale.com/Article/ClickTaleExcludeBlock

HTML Server Side Rewrite Rules

In certain cases, ClickTale may create server side rewrite rules, which remove any PII in HTML, as a failsafe. These rules ensure that if any HTML containing PII were to reach ClickTale’s servers, the PII is removed before it is stored.
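The following is an added example, not ClickTale's own code, of the two client side techniques described above (regular-expression scrubbing of captured HTML, and comment markers around sensitive markup) running together before any HTML leaves the browser; the same rule set applied on the receiving side is the kind of failsafe the server side rewrite rules provide. The marker names, the rule set and all function names are assumptions for illustration; ClickTale's own API and its ExcludeBlock marker syntax are documented on its wiki and differ from these. The example also adds a fail-closed check: if anything still matches after scrubbing, the capture is dropped rather than sent.

```javascript
// Added example, not ClickTale's own code: scrubbing a captured page's HTML
// in the browser before it is sent anywhere, using regular-expression rules
// plus comment markers around sensitive markup. The marker names, rule set
// and function names are assumptions; ClickTale's own API and marker syntax
// are documented on its wiki and differ from these.

// Comment markers a site author places around markup that must never leave
// the browser (hypothetical names).
const EXCLUDE_START = '<!-- pii-exclude-start -->';
const EXCLUDE_END = '<!-- pii-exclude-end -->';

// Rules are kept as source strings so every use builds a fresh RegExp; a
// reused /g regex carries lastIndex state between .test() calls.
const RULES = [
  // Prefilled form values: keep the attribute, empty its content.
  { name: 'input-value', source: String.raw`(<input\b[^>]*\bvalue=)(["'])[^"']+\2`, flags: 'gi', replacement: '$1$2$2' },
  { name: 'email', source: String.raw`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`, flags: 'g', replacement: '[email removed]' },
  // 13 to 16 digits, optionally separated by spaces or dashes (card-number shaped).
  { name: 'card-number', source: String.raw`\b(?:\d[ -]?){13,16}\b`, flags: 'g', replacement: '[number removed]' },
];

function escapeForRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Remove everything between a start and end marker, including the markers.
function stripExcludedBlocks(html) {
  const re = new RegExp(
    escapeForRegExp(EXCLUDE_START) + String.raw`[\s\S]*?` + escapeForRegExp(EXCLUDE_END), 'g');
  return html.replace(re, '<!-- excluded -->');
}

// Apply the marker rule first, then each regex rule, and return the result.
function scrubHtml(html) {
  let out = stripExcludedBlocks(html);
  for (const rule of RULES) {
    out = out.replace(new RegExp(rule.source, rule.flags), rule.replacement);
  }
  return out;
}

// Names of rules that still match the given HTML; a leftover marker counts
// too, because an unclosed exclude block means its contents are still present.
function residualPii(html) {
  const hits = RULES
    .filter((r) => new RegExp(r.source, r.flags.replace('g', '')).test(html))
    .map((r) => r.name);
  if (html.includes(EXCLUDE_START) || html.includes(EXCLUDE_END)) hits.unshift('exclude-block');
  return hits;
}

// Fail closed: return the scrubbed HTML only when nothing sensitive remains,
// otherwise null so the caller drops the capture rather than transmitting it.
function preparePayload(html) {
  const scrubbed = scrubHtml(html);
  return residualPii(scrubbed).length === 0 ? scrubbed : null;
}

// Constructed sample page with prefilled PII, standing in for a real DOM.
const SAMPLE_HTML = [
  '<form action="/checkout">',
  '  <input type="text" name="fullname" value="Jane Doe">',
  '  <input type="password" name="pw" value="hunter2">',
  '  <!-- pii-exclude-start --><p>SSN: 123-45-6789</p><!-- pii-exclude-end -->',
  '  <p>Contact: jane.doe@example.com</p>',
  '  <p>Card on file: 4111 1111 1111 1111</p>',
  '</form>',
].join('\n');
```

Two design points worth noting: the marker rule runs before the regex rules, because a marked block may hold data no regex would recognise (the SSN in the sample is caught only by its markers); and `preparePayload` treats an unclosed marker as a failure rather than silently sending the contents, since a page author who forgot the end marker has expressed an intent the scrubber cannot honour.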

Does ClickTale save IP addresses?

No. Once a visitor’s session is completed, the geographical location of the visitor is determined and saved, but the IP address is deleted. This enables visitors of websites using ClickTale to maintain a high degree of anonymity and privacy. In any case, ClickTale does not create a unique profile for any specific user and does not track users across unrelated domains (that is, domains that do not belong to the same customer using ClickTale). In certain countries an IP address may be deemed PII. In such cases ClickTale can be configured to drop the D block (the last octet) of the IP address at the earliest possibility.

Is ClickTale PCI Data Security Standards (DSS) compliant?

PCI DSS applies to any organization that transmits, stores, or processes credit card information. Since ClickTale does not receive any credit card information and in fact strictly prohibits the collection of any PII (including credit card information), PCI DSS does not apply.

Will my customers’ private credentials, such as passwords, ever be collected?

Beyond the aforementioned mechanisms used to protect sensitive information, which include blocking of sensitive data in both HTML and keystrokes, ClickTale blocks on the client side any data that is entered into any password field.

Does ClickTale comply with HIPAA, GLBA, and other Data Protection laws related to the storage and/or processing of Personal Information?

ClickTale should not receive any personal information from its customers.
The data ClickTale processes on behalf of its customers should be completely anonymous data. As such, data-protection laws like the EU Privacy Directive, HIPAA or GLBA, which govern the use, storage, and processing of various types of PII, do not apply.
Nonetheless, ClickTale complies with any data protection laws that do apply to the type of information ClickTale stores on behalf of customers and has in place strict controls, which meet or exceed industry standards, against theft, destruction or manipulation of any data collected.

Does ClickTale use third-party cookies?

Only our opt-out cookie is a third-party cookie, and it contains only a Boolean value; all other cookies are first-party cookies.
For more information, see http://wiki.clicktale.com/Article/ClickTale_Cookies and http://wiki.clicktale.com/Article/EU_Cookie_Compliance

Do my visitors know they are being recorded?

Even though the recording process is transparent to end users, we require that our customers provide proper disclosure in their Privacy Policy regarding the use of third-party analytics services, the information collected and how it is used.

What security measures does ClickTale implement to protect its customers' information?

ClickTale implements various security measures to protect customers' information from unauthorized access, loss, alteration, viruses, Trojans and other similar harmful code. These include:
  • ClickTale uses firewalls and Intrusion Prevention Systems (IPS) to limit access and protect its servers.
  • Our servers are hardened according to industry best practices.
  • ClickTale installs regular updates of the operating system, hardware, and any other software to avoid security vulnerabilities.
  • Data recorded on HTTPS pages is fully encrypted and passed to ClickTale servers over SSL.
  • Our data hosting provider is SOC2 compliant and Safe Harbor certified.
  • Applications are developed according to Open Web Application Security Project (OWASP) principles.
  • Every ClickTale employee uses unique identifiers consistent with individual accountability.
  • A complex password policy is enforced, including a prohibition on clear-text credentials.
  • User access privileges to information resources are granted on a need-to-know basis consistent with role-based authorization.
  • Two-factor authentication is used to secure all remote access communication.
  • We create logs and audit trails for monitoring and security purposes, which can only be accessed by privileged personnel.
  • Our systems regularly undergo internal and external security reviews.

Can I leverage existing credentials and password policies?

ClickTale offers Single Sign On authentication via the SAML2 standard. This convenience is available to Enterprise customers, by request.

Who can access my Data?

ClickTale restricts access to information collected on behalf of its customers to a limited number of ClickTale employees, contractors and agents.
These are exposed to that information only in limited circumstances and for the purpose of providing customers with services and operating, developing or improving ClickTale's products and services.
These individuals are bound by confidentiality agreements and may be subject to disciplinary action, including termination and criminal prosecution, if they fail to meet these obligations.

How much control do I retain over my data?

As a ClickTale customer, all data belongs to you. You have the ability to export individual recordings and aggregated reports. In addition, our system allows exporting customer data to CSV files.
Finally, any analysis or other asset that is provided to you as part of our professional services is owned by you for your own use.

Will my data be backed up?

  • Customer data are backed up daily at each data center, on a rotating schedule.
  • The backups are encrypted and transferred to an offsite location.
  • Customer data is not retained once the engagement is complete. Within a short period after the end of the engagement, all customer data is removed from our systems.

Where is my data stored?

By default, a ClickTale client’s recording data is stored on secure servers, located at SoftLayer’s data center in Texas. For European enterprise clients data can be stored in SoftLayer’s data center in Amsterdam.

How do you ensure the physical security of your servers?

As previously mentioned, all data is saved in SoftLayer’s data centers, which are SOC2 compliant. Security mechanisms in the data centers include:
  • Controlled access and 24-hour security is enforced
  • 24-hour manned security, including foot patrols and perimeter inspections
  • Rooms are monitored with digital security video surveillance
  • Rooms are secured with biometric systems
  • Server-room access is strictly limited to authorized personnel and escorted visitors
  • Hardware is tagged with barcode identification. No customer markings of any type are allowed on the servers themselves

What physical redundancy methods are available for the data stored by ClickTale?

The data center provides geographical redundancy of all core systems for disaster recovery and business continuity. In addition, adequate environmental controls provide protection of equipment and data, including:
  • Fire detection and suppression systems
  • Multiple power feeds, fiber links, dedicated generators, UPS Systems, and battery backup
  • Power distribution units and electrical panels
  • Heating and cooling mechanisms such as CRAC units and chillers

I understand you are ISO 27001 certified. What does this mean?

ISO 27001 is an international standard that specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS) within the context of the organization's overall business risks. It applies to all types of organizations (e.g. commercial enterprises, government agencies, not-for-profit organizations).
Certification to the standard means that ClickTale has developed an ISMS based on best practices, according to which we implement security controls to protect information assets.
These controls are systematically evaluated and updated as necessary, to ensure that we continually meet our information security needs and those of our customers.

How does this benefit me as a ClickTale customer?

ISO 27001 certification means that we further strengthen our commitment to keep our customers' information and data secure, at every level, in compliance with recognized international standards.

How does this further secure the data stored in ClickTale's servers?

It does so because certification increases the attention and effort we devote to security issues, while we continue to provide the levels of security you have grown accustomed to.

Can you provide a copy of the certification?

Sure. Visit our ISO certification page to view and download a copy of the certificate.
Compliance with the standard has been certified by the Standards Institution of Israel (SII) and by the International Certification Network (IQNET).

Have you undergone a third party audit or penetration test?

Yes, every year ClickTale undergoes third party penetration testing by an accredited information security company. In addition, our system is constantly being evaluated using several security tools and automated testing systems.