Security Overview

As an enterprise service provider, Clicktale understands that the security of the user data collected and stored by our customers is nothing less than critical. To deliver the peace of mind that our customers deserve, we believe in transparency regarding Clicktale’s security standards and practices, which are constantly evolving to protect against security breaches and provide full confidentiality, data integrity, and availability. Download the full Security Data Sheet here.

As an accreditation for these practices, Clicktale is ISO 27001 certified, ensuring the highest international standards and best practices in information security.


Tools to Block PII

Clicktale for Web

Clicktale provides clients with the ability to block recording and collection of any Personally Identifiable Information (PII) entered by keystroke, as well as any PII as defined by the customer contained within the webpage. Clicktale prevents the collection, saving or display of PII via several tools, including:

  • Client-side keystroke block - By default, Clicktale’s Client-Side Keystroke Block ensures that our product only keeps track of when keys are clicked, without keeping track of which keys are clicked. This helps customers ensure that no keystrokes are logged or recorded by our products, nor sent via the network.
  • PII labeling API – Clicktale has developed an API (Application Program Interface) to identify and block any type of PII before it leaves the visitor’s browser. This tool enables our customers to easily identify PII fields to maintain the highest levels of data privacy.
  • Client-side HTML rewrite rules – When an HTML page is sent directly from the user’s browser to Clicktale’s servers, any PII in the HTML (as identified by the customer) is removed using standard client-side expressions before it is sent across the network. 
  • Server-side HTML block – As a failsafe, Clicktale also offers server-side rewrite rules to remove any PII in HTML as identified by the customer. Thus, even if any PII unintentionally reaches Clicktale’s servers, it is removed before it is stored. 
  • PII exclude block – Customers may also tag sensitive data in the HTML with HTML comments, in order to ensure that any PII in data is removed by the Clicktale parser before being stored on Clicktale’s servers.

No Third-Party Cookies

Clicktale does not allow third-party cookies in order to increase user privacy. In other words, Clicktale does not create a unique profile to track users across unrelated domains (domains that do not belong to the same customer).

No IP Address Retention

When a visitor session is complete, Clicktale determines and saves the geographical location of the visitor, but the IP address is deleted. In addition, customers have the option to anonymize the IP address. This is done by removing the D-block of the IP at the earliest possible stage of the collection.


As discussed above, Clicktale goes to great lengths to provide its customers with the tools required to avoid receiving any personal information from its customers, and as such clients can ensure that the data Clicktale processes on behalf of its customers is anonymous. Therefore, Clicktale customers are able to maintain their compliance with PCI, HIPAA, and GLBA or similar laws regulating PII.

Clicktale for Apps

With Clicktale for Apps, the product owner maintains complete control over tagging PII, which might include edit boxes, images or other elements. Once PII is tagged via API which is available for the app developer, it is automatically blocked from being sent to Clicktale’s servers. From a security perspective, any data which is sent via the SDK is not shared with any third party.

Certifications & Compliance 

ISO 27001

ISO 27001 is an international Information Security standard that specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS).

Clicktale is ISO 27001 certified, and has been since 2013. This means that we have developed an ISMS based on security best practices, according to which we implement security controls to protect both our customers’ and our own information assets. These controls are systematically evaluated and updated by internal parties and by an external auditor to ensure that we continually meet both our own information security needs and those of our customers.

For more details visit our ISO 27001 certificate page.

Skyhigh Enterprise-Ready 

Clicktale has been audited and accredited with the Skyhigh Enterprise-Ready Seal, indicating our platform and solutions adhere to the highest levels of data protection, security, business practices, and legal protection. Skyhigh Networks performs objective and thorough evaluations of the enterprise-readiness of cloud service based on a detailed set of criteria developed in conjunction with the Cloud Security Alliance (CSA). Services designated as Skyhigh Enterprise-Ready are the services receiving the highest CloudTrust™ Ratings, which fully satisfy the most stringent requirements.

Application-Level Security

From the earliest phases of product design and planning, the Clicktale security team takes an active role in how our products are built. Following completion, sensitive product developments are tested to ensure that application security has been thoroughly and properly addressed.

On an ongoing basis, security consultants review our code and conduct penetration tests for various attack scenarios based on the Open Web Application Security Project (OWASP) and scenarios relevant specifically to Clicktale. We also conduct extensive secure coding and ethical hacking training for our development and QA teams.

Our product contains various security features, including user authentication, authorization levels, account lock-out, single sign-on, and in transit encryption.

Penetration Testing and Security Audits

Clicktale performs at least two annual Information Security Penetration tests, which are conducted by accredited and completely independent information security companies. Vulnerabilities, if found, are addressed as part of our Risk Management Policy.

In addition to our security team’s regular reviews, we conduct an annual Information Security Risk Assessment to identify new threats, measure their likelihood and business impact, and determine appropriate controls to minimize risk.

Independent Customer Tests

Clicktale welcomes customers and potential customers to independently verify our product security by conducting their own vulnerability assessments and penetration tests. Please contact your sales representative in order to coordinate this.


Clicktale implements multiple and varied infrastructure security measures to protect customer information from unauthorized access, loss, alteration, viruses, Trojans and other similar harmful code. This includes swift and regular security updates, the use of firewalls and Intrusion Prevention Systems, hardened servers and scheduled data backups.

Physical Security

Clicktale has chosen SoftLayer as our strategic enterprise data facility. For detailed information about SoftLayer’s security, please click here. All Clicktale client-recorded data is stored on secure servers located in SoftLayer’s data center in Texas. For European enterprise clients, data is stored in SoftLayer’s Amsterdam data center.

Encrypted backups of our service and client data are stored on the Amazon Web Services cloud. For customers using our Event-Triggered Recorder offering, data is also stored on Azure cloud services.

Download the full Security Data Sheet here.

Book a demo to see how customer experience management can improve your business