Security Overview

As an enterprise service provider, Clicktale understands that the security of the user data collected and stored by our customers is nothing less than critical. To deliver the peace of mind that our customers deserve, we believe in transparency regarding Clicktale’s security standards and practices, which are constantly evolving to protect against security breaches and provide full confidentiality, data integrity, and availability. Download the full Security Data Sheet here.

As an accreditation for these practices, Clicktale is ISO 27001 and SOC 2 certified, ensuring the highest international standards and best practices in information security.


Tools to Block PII

Clicktale for Web

Clicktale provides clients with the ability to block recording and collection of any Personally Identifiable Information (PII) entered by keystroke, as well as any PII as defined by the customer contained within the webpage. Clicktale prevents the collection, saving or display of PII via several tools, including:

  • Client-side keystroke block – By default, Clicktale’s Client-Side Keystroke Block ensures that our product only keeps track of when keys are pressed, without keeping track of which keys are pressed. This helps customers ensure that no keystrokes are logged or recorded by our products, nor sent via the network.
  • PII labeling API – Clicktale has developed an API (Application Program Interface) to identify and block any type of PII before it leaves the visitor’s browser. This tool enables our customers to easily identify PII fields to maintain the highest levels of data privacy.
  • Client-side HTML rewrite rules – When an HTML page is sent directly from the user’s browser to Clicktale’s servers, any PII in the HTML (as identified by the customer) is removed using standard client-side expressions before it is sent across the network. 
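
The client-side masking described in the list above can be pictured as follows. This is an added example, not Clicktale's code or API: the `data-pii` attribute, the regular-expression rule set and all function names are hypothetical, and the sample markup is constructed.

```javascript
// Added illustration: the data-pii label, rule set and function names are
// hypothetical, not Clicktale's API. String-based so it runs under Node; in a
// browser, walk a cloned DOM instead (regexes miss nested same-name elements).
const LABEL = String.raw`\sdata-pii(?=[\s=>/])`;
const REWRITE_RULES = [
  { name: "email", pattern: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, mask: "[email]" },
  { name: "card", pattern: /\b\d(?:[ -]?\d){12,18}\b/g, mask: "[card]" },
];

// Empty the content of every element the site owner labeled as PII.
function maskLabeledElements(html) {
  const labeledTag = new RegExp(`<[a-z][a-z0-9]*\\b[^>]*${LABEL}[^>]*>`, "gi");
  const paired = new RegExp(
    `(<([a-z][a-z0-9]*)\\b[^>]*${LABEL}[^>]*>)[\\s\\S]*?(</\\2\\s*>)`, "gi");
  return html
    // Form fields: blank the value attribute, whatever the attribute order.
    .replace(labeledTag, (tag) => tag.replace(/(\svalue=)("[^"]*"|'[^']*')/i, '$1""'))
    // Paired elements: keep the tags, drop the text between them.
    .replace(paired, "$1$3");
}

// Apply the customer-defined pattern rules to whatever text remains.
function applyRewriteRules(html, rules = REWRITE_RULES) {
  return rules.reduce((out, rule) => out.replace(rule.pattern, rule.mask), html);
}

// Everything runs before serialization, so masked values never reach the network.
function sanitizeSnapshot(html) {
  return applyRewriteRules(maskLabeledElements(html));
}

// Keystroke block: keep that a key event happened and when, never which key.
function toKeystrokeRecord(evt) {
  return { type: evt.type, t: evt.timeStamp };
}

// Constructed sample markup.
const SAMPLE_HTML =
  '<p>Contact: jane.doe@example.com</p>' +
  '<span class="name" data-pii>Jane Doe</span>' +
  '<input name="ssn" value="078-05-1120" data-pii>' +
  '<div>Card 4111 1111 1111 1111 on file</div>';

console.log(sanitizeSnapshot(SAMPLE_HTML));
```

A useful check when reviewing a deployment of this kind is to capture the outgoing payload in the browser's network panel and confirm that labeled fields and pattern matches arrive already masked.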

No Third-Party Cookies

Clicktale does not allow third-party cookies in order to increase user privacy. In other words, Clicktale does not create a unique profile to track users across unrelated domains (domains that do not belong to the same customer).

No IP Address Retention

When a visitor session is complete, Clicktale determines and saves the geographical location of the visitor, but the IP address is deleted. In addition, customers have the option to anonymize the IP address. This is done by removing the D-block of the IP at the earliest possible stage of the collection.


As discussed above, Clicktale goes to great lengths to provide its customers with the tools required to avoid receiving any personal information from its customers, and as such clients can ensure that the data Clicktale processes on behalf of its customers is anonymous. Therefore, Clicktale customers are able to maintain their compliance with PCI, HIPAA, and GLBA or similar laws regulating PII.

Clicktale for Apps

With Clicktale for Apps, the product owner maintains complete control over tagging PII, which might include edit boxes, images or other elements. Once PII is tagged via the API available to the app developer, it is automatically blocked from being sent to Clicktale’s servers. From a security perspective, any data which is sent via the SDK is not shared with any third party.

Certifications & Compliance 

ISO 27001

ISO 27001 is an international Information Security standard that specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS).

Clicktale is ISO 27001 certified, and has been since 2013. This means that we have developed an ISMS based on security best practices, according to which we implement security controls to protect both our customers’ and our own information assets. These controls are systematically evaluated and updated by internal parties and by an external auditor to ensure that we continually meet both our own information security needs and those of our customers.

For more details visit our ISO 27001 certificate page.

SOC 2 Type II

In 2018, Clicktale received a SOC 2 Type II attestation report, following a rigorous audit. SOC 2 is an auditing procedure that ensures that service providers are securely managing data to protect the interests of their customers and the privacy of their customers' clients. The SOC 2 Type II attestation report, issued by Grant Thornton, an independent CPA firm, confirms that Clicktale has met the standards established by the American Institute of Certified Public Accountants (AICPA).

Skyhigh Enterprise-Ready 

Clicktale has been audited and accredited with the Skyhigh Enterprise-Ready Seal, indicating our platform and solutions adhere to the highest levels of data protection, security, business practices, and legal protection. Skyhigh Networks performs objective and thorough evaluations of the enterprise-readiness of cloud services based on a detailed set of criteria developed in conjunction with the Cloud Security Alliance (CSA). Services designated as Skyhigh Enterprise-Ready are the services receiving the highest CloudTrust™ Ratings, which fully satisfy the most stringent requirements.

Application-Level Security

From the earliest phases of product design and planning, the Clicktale security team takes an active role in how our products are built. Following completion, sensitive product developments are tested to ensure that application security has been thoroughly and properly addressed.

On an ongoing basis, security consultants review our code and conduct penetration tests for various attack scenarios based on the Open Web Application Security Project (OWASP) and scenarios relevant specifically to Clicktale. We also conduct extensive secure coding and ethical hacking training for our development and QA teams.

Our product contains various security features, including user authentication, authorization levels, account lock-out, single sign-on, and in-transit encryption.

Penetration Testing and Security Audits

Clicktale performs at least two annual Information Security Penetration tests, which are conducted by accredited and completely independent information security companies. Vulnerabilities, if found, are addressed as part of our Risk Management Policy.

In addition to our security team’s regular reviews, we conduct an annual Information Security Risk Assessment to identify new threats, measure their likelihood and business impact, and determine appropriate controls to minimize risk.

Independent Customer Tests

Clicktale welcomes customers and potential customers to independently verify our product security by conducting their own vulnerability assessments and penetration tests. Please contact your sales representative in order to coordinate this.


Clicktale implements multiple and varied infrastructure security measures to protect customer information from unauthorized access, loss, alteration, viruses, Trojans and other similar harmful code. This includes swift and regular security updates, the use of firewalls and Intrusion Prevention Systems, hardened servers and scheduled data backups.

Physical Security

Clicktale has chosen QTS, SoftLayer, and Amazon Web Services (AWS) as our strategic enterprise data facilities. All Clicktale client-recorded data is stored on secure servers in a co-location data center and in AWS, both in northern Virginia. For European enterprise clients, data is stored in SoftLayer’s Amsterdam data center and in AWS in Ireland.

Encrypted backups of our service and client data are stored on the Amazon Web Services cloud. 



Website/App Operators Compliance

Clicktale recommends that Website/App Operators monitor any changes in privacy regulations and requirements to ensure compliance with those that are applicable to their activities, including in respect to the use of Clicktale solutions, as such requirements change frequently.

In addition, we suggest that App Operators regularly monitor and revisit their compliance with any new policies of common app distribution platforms (i.e. App Store and Google Play). As a trusted technology partner, Clicktale will continue to comply with any privacy-related instructions as directed by our customers.
