Security & Privacy Overview
At ClickTale we take privacy and security very seriously.
On this page you will find the most common questions and answers related to ClickTale's security and privacy practices.
This page is intended for users of the ClickTale software and for Information Security and IT personnel.
Does ClickTale allow customers to record Personally Identifiable Information (PII)?
No. Personally identifiable information (PII) is any information that can be used to identify, contact, or locate an individual. It may include names, email addresses, health data, financial data (for example, credit card numbers), or similar information that can be used to identify a particular person.
ClickTale takes privacy very seriously and has a strict policy against using its service to collect PII. All data that ClickTale processes on behalf of its clients should be completely anonymous data.
How is recording Personally Identifiable Information (PII) prevented?
ClickTale provides its customers with various implementation tools to ensure that ClickTale does not receive, save, or display any PII through the product.
The primary places where PII exists are the keystrokes that users input and the HTML itself (i.e. prefilled data). The following are the methods we provide to ensure that no PII is recorded.
Keystroke Client Side Block
This means the keys are neither logged nor sent across the network.
Keystroke Server Side Block
As an additional failsafe, ClickTale may implement a server-side block to ensure that no keystrokes are saved. It is also possible for us to set up a complete block, such that if any keystroke is recorded from the account, all recordings are immediately stopped and alerts are sent to all relevant parties.
HTML Client Side Block
When this method is used, any PII in the HTML can be removed using client-side regular expressions before it is sent across the network. This can be done using the ClickTale API.
This solution is discussed here: http://wiki.clicktale.com/Article/ClickTaleExcludeBlock
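As an added example (not ClickTale's API or code from the page above), the following JavaScript shows the kind of client-side regex scrubbing just described: it blanks the prefilled values of inputs whose name or id suggests a sensitive field, then redacts e-mail addresses and Luhn-valid card numbers anywhere in the markup before it would be sent. The field-name hints, redaction tokens and sample HTML are constructed assumptions.

```javascript
// Added example: regex-based scrubbing of PII that may sit in prefilled
// HTML, applied before the markup leaves the browser. This is not the
// ClickTale API; field hints and redaction tokens are assumptions.

// Luhn check: a 13-19 digit run is treated as a card number only if it
// passes, which keeps order numbers and similar identifiers intact.
function passesLuhn(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    doubleIt = !doubleIt;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

const INPUT_TAG_RE = /<input\b[^>]*>/gi;
// name/id hints for fields whose prefilled value is assumed to be PII
const SENSITIVE_FIELD_RE = /\b(?:name|id)=["'][^"']*(?:email|phone|ssn|card|password)/i;
const VALUE_ATTR_RE = /(\bvalue=["'])[^"']*(["'])/i;
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
// 13-19 digits, optionally separated by single spaces or dashes
const CARD_RE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Layer 1: blank the value attribute of inputs whose name or id looks
// sensitive. Attribute values containing '>' or mixed quotes are not handled.
function scrubSensitiveInputs(html) {
  return html.replace(INPUT_TAG_RE, (tag) =>
    SENSITIVE_FIELD_RE.test(tag) ? tag.replace(VALUE_ATTR_RE, '$1[redacted]$2') : tag);
}

// Layer 2: redact PII that appears anywhere in the markup, not only in inputs.
function scrubPii(html) {
  return scrubSensitiveInputs(html)
    .replace(EMAIL_RE, '[redacted-email]')
    .replace(CARD_RE, (m) => (passesLuhn(m.replace(/[ -]/g, '')) ? '[redacted-card]' : m));
}

// Constructed sample markup, not captured from any real site.
const SAMPLE_HTML =
  '<form><input name="email" value="alice@example.com">' +
  '<input name="order" value="1234567890123">' +
  '<span>Card 4111 1111 1111 1111</span>' +
  '<p>Contact: bob@example.org</p></form>';

console.log(scrubPii(SAMPLE_HTML));
```

Regex scrubbing is a best-effort layer over serialized markup, so the allowlist of field-name hints and the Luhn filter should be tuned per site and verified against real page captures.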
HTML Server Side Rewrite Rules
Does ClickTale save IP addresses?
No. Once a visitor’s session is completed, the geographical location of the visitor is determined and saved, but the IP address is deleted. This enables visitors of websites using ClickTale to maintain a high degree of anonymity and privacy. In any case, ClickTale does not create a unique profile for any specific user and does not track users across unrelated domains (that is, domains that do not belong to the same customer using ClickTale). In certain countries an IP address may be deemed PII. In such cases ClickTale can be configured to drop the D block (the last octet) of the IP address at the earliest possible point.
Is ClickTale PCI Data Security Standards (DSS) compliant?
Will my customers’ private credentials, such as passwords, ever be collected?
Does ClickTale comply with HIPAA, GLBA, and other Data Protection laws related to the storage and/or processing of Personal Information?
The data ClickTale processes on behalf of its customers should be completely anonymous data. As such, data-protection laws such as the EU Privacy Directive, HIPAA, or GLBA, which govern the use, storage, and processing of various types of PII, do not apply.
Nonetheless, ClickTale complies with any data protection laws that do apply to the type of information ClickTale stores on behalf of customers and has in place strict controls, which meet or exceed industry standards, against theft, destruction or manipulation of any data collected.
Does ClickTale use third-party cookies?
For more information, see http://wiki.clicktale.com/Article/ClickTale_Cookies and http://wiki.clicktale.com/Article/EU_Cookie_Compliance
Do my visitors know they are being recorded?
What security measures does ClickTale implement to protect its customers' information?
- ClickTale uses firewalls and Intrusion Prevention Systems (IPS) to limit access and protect its servers.
- Our servers are hardened according to industry best practices.
- ClickTale installs regular updates of the operating system, hardware, and any other software to avoid security vulnerabilities.
- Data recorded on HTTPS pages is fully encrypted and passed to ClickTale servers over SSL.
- Our data hosting provider is SOC 2 compliant and Safe Harbor certified.
- Applications are developed according to the Open Web Application Security Project (OWASP) principles.
- Every ClickTale employee uses unique identifiers consistent with individual accountability.
- A complex password policy is enforced, including a prohibition on clear-text credentials.
- User access privileges to information resources are granted on a need-to-know basis consistent with role-based authorization.
- Two-factor authentication is used to secure all remote access communication.
- We create logs and audit trails for monitoring and security purposes, which can only be accessed by privileged personnel.
- Our systems regularly undergo internal and external security reviews.
Can I leverage existing credentials and password policies?
ClickTale offers Single Sign-On (SSO) authentication via the SAML 2.0 standard. This convenience is available to Enterprise customers by request.
Who can access my Data?
These are exposed to that information only in limited circumstances and for the purpose of providing customers with services and operating, developing or improving ClickTale's products and services.
These individuals are bound by confidentiality agreements and may be subject to disciplinary action, including termination and criminal prosecution, if they fail to meet these obligations.
How much control do I retain over my data?
As a ClickTale customer, all data belongs to you. You have the ability to export individual recordings and aggregated reports. In addition, our system allows exporting customer data to CSV files.
Finally, any analysis or other asset that is provided to you as part of our professional services is owned by you for your own use.
Will my data be backed-up?
- Customer data are backed up daily at each data center, on a rotating schedule.
- The backups are encrypted and transferred to an offsite location.
- Customer data is not retained once the engagement is complete. Within a short period after the end of the engagement, all customer data is removed from our systems.
Where is my data stored?
By default, a ClickTale client’s recording data is stored on secure servers, located at SoftLayer’s data center in Texas. For European enterprise clients data can be stored in SoftLayer’s data center in Amsterdam.
How do you ensure the physical security of your servers?
- Controlled access and 24-hour security are enforced
- 24-hour manned security, including foot patrols and perimeter inspections
- Rooms are monitored with digital security video surveillance
- Rooms are secured with biometric systems
- Server-room access is strictly limited to authorized personnel and escorted visitors
- Hardware is tagged with barcode identification. No customer markings of any type are allowed on the servers themselves
What physical redundancy methods are available for the data stored by ClickTale?
- Fire detection and suppression systems
- Multiple power feeds, fiber links, dedicated generators, UPS Systems, and battery backup
- Power distribution units and electrical panels
- Heating and cooling mechanisms such as CRAC units and chillers
I understand you are ISO 27001 certified. What does this mean?
ISO 27001 is an international standard that specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented Information Security Management System (ISMS) within the context of the organization's overall business risks. It applies to all types of organizations (e.g. commercial enterprises, government agencies, not-for-profit organizations).
Certification to the standard means that ClickTale has developed an ISMS based on best practices, according to which we implement security controls to protect information assets.
These controls are systematically evaluated and updated as necessary, to ensure that we continually meet our information security needs and those of our customers.
How does this benefit me as a ClickTale customer?
ISO 27001 certification means that we further strengthen our commitment to keep our customers' information and data secure, at every level, in compliance with recognized international standards.