As an enterprise service provider, Clicktale understands that the security of the user data collected and stored by our customers is nothing less than critical. To deliver the peace of mind that our customers deserve, we believe in transparency regarding Clicktale’s security standards and practices, which are constantly evolving to protect against security breaches and provide full confidentiality, data integrity, and availability. Download the full Security Data Sheet here.
As an accreditation for these practices, Clicktale is ISO 27001 and SOC 2 certified, ensuring the highest international standards and best practices in information security.
Tools to Block PII
Clicktale for Web
Clicktale provides clients with the ability to block recording and collection of any Personally Identifiable Information (PII) entered by keystroke, as well as any PII as defined by the customer contained within the webpage. Clicktale prevents the collection, saving or display of PII via several tools, including:
- Client-side keystroke block – By default, Clicktale’s Client-Side Keystroke Block ensures that our product only keeps track of when keys are pressed, without keeping track of which keys are pressed. This helps customers ensure that no keystrokes are logged or recorded by our products, nor sent over the network.
- PII labeling API – Clicktale has developed an API (Application Programming Interface) to identify and block any type of PII before it leaves the visitor’s browser. This tool enables our customers to easily mark PII fields and maintain the highest levels of data privacy.
- Client-side HTML rewrite rules – When an HTML page is sent directly from the visitor’s browser to Clicktale’s servers, any PII in the HTML (as identified by the customer) is removed in the browser by customer-defined rewrite rules before it is sent across the network.
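The following is an added illustration of how the three client-side controls above fit together before a payload leaves the browser; it is example code, not Clicktale's SDK, and the event fields, rule names, masks and payload shape are assumptions made for the example.

```javascript
// Added illustration of the three client-side controls listed above
// (keystroke block, PII labeling, HTML rewrite rules). This is example code,
// not Clicktale's SDK; event fields, rule names and masks are assumptions.

// 1. Keystroke block: keep that a key was pressed and when, never which key.
//    `event` mimics a KeyboardEvent; `event.key` is deliberately never read.
function recordKeystroke(event) {
  return { type: "keypress", at: event.timeStamp, field: event.targetId || null };
}

// 2. Rewrite rules: customer-defined patterns applied to captured markup in the
//    browser, before serialisation (constructed example rules).
const REWRITE_RULES = [
  { name: "email", pattern: /[\w.+-]+@[\w-]+\.[\w.-]+/g, mask: "[email]" },
  { name: "card", pattern: /\b\d(?:[ -]?\d){12,15}\b/g, mask: "[card]" },
];

function applyRewriteRules(html, rules = REWRITE_RULES) {
  return rules.reduce((out, rule) => out.replace(rule.pattern, rule.mask), html);
}

// 3. PII labeling: fields the customer has tagged as PII are blanked and the
//    captured HTML goes through the rewrite rules. Only the returned object
//    is ever handed to the network layer; the raw snapshot stays in memory.
function buildPayload(snapshot) {
  return {
    fields: snapshot.fields.map((f) => ({
      id: f.id,
      value: f.pii ? "[blocked]" : f.value,
    })),
    html: applyRewriteRules(snapshot.html),
  };
}

// Constructed sample standing in for a captured page state.
const SAMPLE_SNAPSHOT = {
  fields: [
    { id: "search", pii: false, value: "running shoes" },
    { id: "email", pii: true, value: "jane@example.com" },
  ],
  html: "<p>Order for jane@example.com, card 4111 1111 1111 1111 ok</p>",
};
```

The rewrite rules run over the captured markup as a last pass, so a value that was never tagged as a PII field but still matches a rule is masked too.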
No Third-Party Cookies
Clicktale does not allow third-party cookies in order to increase user privacy. In other words, Clicktale does not create a unique profile to track users across unrelated domains (domains that do not belong to the same customer).
No IP Address Retention
When a visitor session is complete, Clicktale determines and saves the geographical location of the visitor, but the IP address is deleted. In addition, customers have the option to anonymize the IP address. This is done by removing the last octet (the D-block) of the IP address at the earliest possible stage of collection.
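As an added example (not Clicktale's collector code), the D-block removal described above can be applied at the first point where the address is seen, so that only the truncated form is ever stored; the `recordVisit` handler and its `geoLookup` stand-in are assumptions for illustration.

```javascript
// Added example of the "remove the D-block" option described above; this is
// illustration code, not Clicktale's collector. Field names are assumptions.

// Zero the last octet of a dotted-quad IPv4 address. Returns null for anything
// that is not a valid IPv4 address so a malformed value is never stored as-is.
function anonymizeIpv4(ip) {
  const parts = String(ip).trim().split(".");
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : NaN));
  if (octets.some((o) => Number.isNaN(o) || o > 255)) return null;
  octets[3] = 0;
  return octets.join(".");
}

// Apply it at the earliest stage: the request handler reduces the address
// before anything about the visitor is recorded. `geoLookup` stands in for a
// coarse geolocation step and is assumed to work on the truncated address.
function recordVisit(remoteAddr, geoLookup = () => "unknown") {
  const truncated = anonymizeIpv4(remoteAddr);
  return {
    ipPrefix: truncated,  // e.g. 203.0.113.0; the full address is dropped here
    region: truncated ? geoLookup(truncated) : "unknown",
    rawIpStored: false,
  };
}
```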
PCI, HIPAA, GLBA
As discussed above, Clicktale goes to great lengths to provide its customers with the tools required to prevent any personal information from reaching Clicktale, and as such customers can ensure that the data Clicktale processes on their behalf is anonymous. Therefore, Clicktale customers are able to maintain their compliance with PCI, HIPAA, and GLBA or similar laws regulating PII.
Clicktale for Apps
With Clicktale for Apps, the product owner maintains complete control over tagging PII, which might include edit boxes, images or other elements. Once PII is tagged via the API available to the app developer, it is automatically blocked from being sent to Clicktale’s servers. From a security perspective, any data sent via the SDK is not shared with any third party.
Certifications & Compliance
ISO 27001 is an international Information Security standard that specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS).
Clicktale is ISO 27001 certified, and has been since 2013. This means that we have developed an ISMS based on security best practices, according to which we implement security controls to protect both our customers’ and our own information assets. These controls are systematically evaluated and updated by internal parties and by an external auditor to ensure that we continually meet both our own information security needs and those of our customers.
For more details visit our ISO 27001 certificate page.
SOC 2 Type II
In 2018, Clicktale received a SOC 2 Type II attestation report, following a rigorous audit. SOC 2 is an auditing procedure that ensures that service providers are securely managing data to protect the interests of their customers and the privacy of their customers' clients. The SOC 2 Type II attestation report, issued by Grant Thornton, an independent CPA firm, confirms that Clicktale has met the standards established by the American Institute of Certified Public Accountants (AICPA).
Clicktale has been audited and accredited with the Skyhigh Enterprise-Ready Seal, indicating that our platform and solutions adhere to the highest levels of data protection, security, business practices, and legal protection. Skyhigh Networks performs objective and thorough evaluations of the enterprise-readiness of cloud services based on a detailed set of criteria developed in conjunction with the Cloud Security Alliance (CSA). Services designated as Skyhigh Enterprise-Ready are the services receiving the highest CloudTrust™ Ratings, which fully satisfy the most stringent requirements.
From the earliest phases of product design and planning, the Clicktale security team takes an active role in how our products are built. Following completion, sensitive product developments are tested to ensure that application security has been thoroughly and properly addressed.
On an ongoing basis, security consultants review our code and conduct penetration tests for various attack scenarios based on the Open Web Application Security Project (OWASP) and scenarios relevant specifically to Clicktale. We also conduct extensive secure coding and ethical hacking training for our development and QA teams.
Our product contains various security features, including user authentication, authorization levels, account lock-out, single sign-on, and in-transit encryption.
Penetration Testing and Security Audits
Clicktale performs at least two Information Security penetration tests per year, conducted by accredited and completely independent information security companies. Vulnerabilities, if found, are addressed as part of our Risk Management Policy.
In addition to our security team’s regular reviews, we conduct an annual Information Security Risk Assessment to identify new threats, measure their likelihood and business impact, and determine appropriate controls to minimize risk.
Independent Customer Tests
Clicktale welcomes customers and potential customers to independently verify our product security by conducting their own vulnerability assessments and penetration tests. Please contact your sales representative in order to coordinate this.
Clicktale implements multiple and varied infrastructure security measures to protect customer information from unauthorized access, loss, alteration, viruses, Trojans and other similar harmful code. This includes swift and regular security updates, the use of firewalls and Intrusion Prevention Systems, hardened servers and scheduled data backups.
Clicktale has chosen QTS, SoftLayer, and Amazon Web Services (AWS) as our strategic enterprise data facilities; detailed security information for each is available from QTS, SoftLayer, and AWS respectively. All Clicktale client-recorded data is stored on secure servers in a co-location data center and in AWS, both in Northern Virginia. For European enterprise clients, data is stored in SoftLayer’s Amsterdam data center and in AWS in Ireland.
Encrypted backups of our service and client data are stored on the Amazon Web Services cloud.