Security & Privacy Overview


As an enterprise service provider, ClickTale understands that the security of the user data collected and stored by our customers is nothing less than critical. To deliver the peace of mind that our customers deserve, we believe in transparency regarding ClickTale’s security standards and practices, which are constantly evolving to protect against security breaches and provide full confidentiality, data integrity and availability. Download the full Security Data Sheet here.

As an accreditation for these practices, ClickTale is ISO 27001 certified, ensuring the highest international standards and best practices in information security.

Private Means PRIVATE: No PII

By design, ClickTale blocks recording and collection of any Personally Identifiable Information (PII) entered by keystroke, as well as any PII as defined by the customer. ClickTale prevents the collection, saving or display of PII via several tools, including:

  • Blocking client-side keystrokes - ClickTale only keeps track of when keys are pressed, not which keys are pressed.
  • Client-side HTML rewrite rules - When an HTML page is sent directly from the user’s browser to ClickTale’s servers, any PII in the HTML (as identified by the customer) is removed using standard client-side expressions, before it is sent across the network.
  • Blocking server-side HTML - As a failsafe, even if any PII unintentionally reaches ClickTale’s servers, it is removed by the server-side rewrite rules before it can be stored.
  • Tagging PII - Customers may also tag sensitive data in the HTML with HTML comments, to ensure that any PII in data is removed by the ClickTale parser before being saved on ClickTale’s servers.  
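
The layered removal described in the list above, sketched as an added example (this is not ClickTale's code): the comment marker strings, the rule patterns and the function names are all hypothetical. The same sanitizer can run in the browser before upload and again on the server as the failsafe pass.

```javascript
// Hypothetical comment markers a customer would place around sensitive markup.
const PII_START = "<!-- PII-START -->";
const PII_END = "<!-- PII-END -->";

// Constructed customer-defined rewrite rules: pattern -> replacement.
const REWRITE_RULES = [
  { pattern: /\b\d{3}-\d{2}-\d{4}\b/g, replacement: "[REDACTED-SSN]" },
  { pattern: /[\w.+-]+@[\w-]+(\.[\w-]+)+/g, replacement: "[REDACTED-EMAIL]" },
  // Blank every <input> value attribute so typed data never leaves the page.
  { pattern: /(<input\b[^>]*\bvalue=")[^"]*(")/gi, replacement: "$1$2" },
];

// Remove everything between the markers. An unterminated start marker
// fails closed: the rest of the document is dropped rather than sent.
function stripTaggedRegions(html) {
  let out = "";
  let pos = 0;
  for (;;) {
    const start = html.indexOf(PII_START, pos);
    if (start === -1) return out + html.slice(pos);
    out += html.slice(pos, start) + "[REDACTED]";
    const end = html.indexOf(PII_END, start + PII_START.length);
    if (end === -1) return out;
    pos = end + PII_END.length;
  }
}

// Apply each rewrite rule in order to the HTML snapshot.
function applyRewriteRules(html, rules = REWRITE_RULES) {
  return rules.reduce((acc, r) => acc.replace(r.pattern, r.replacement), html);
}

// Full pass: tagged regions first, then pattern-based rules.
function sanitizeForUpload(html) {
  return applyRewriteRules(stripTaggedRegions(html));
}

// Keystroke capture keeps only the timing, never key, code or keyCode.
function recordKeystroke(event) {
  return { type: "key", t: event.timeStamp };
}

// Constructed sample page fragment.
const SAMPLE_HTML =
  '<p>Hello <!-- PII-START -->Jane Doe<!-- PII-END -->, ' +
  'we mailed jane@example.com</p><input name="card" value="4111111111111111">';
console.log(sanitizeForUpload(SAMPLE_HTML));
```
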

No Third-Party Cookies

To increase user privacy, ClickTale does not allow third-party cookies. In other words, ClickTale does not create a unique profile to track users across unrelated domains (domains that do not belong to the same customer).

No IP Address Retention

When a visitor session is complete, ClickTale determines and saves the geographical location of the visitor, but the IP address is deleted. In addition, customers have the option to anonymize the IP address. This is done by removing the D-block of the IP at the earliest possible stage of the collection.


As discussed above, ClickTale takes stringent measures to avoid receiving any personal information from its customers, and as such the data ClickTale processes on behalf of its customers should be completely anonymous. Therefore, ClickTale customers are able to maintain their compliance with PCI, HIPAA and GLBA or similar laws regulating PII.

ISO 27001 Certification

ISO 27001 is an international Information Security standard that specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS).

ClickTale is ISO 27001 certified, and has been since 2013. This means that we have developed an ISMS based on security best practices, according to which we implement security controls to protect both our customers’ and our own information assets. These controls are systematically evaluated and updated by internal parties and by an external auditor to ensure that we continually meet both our own information security needs and those of our customers.

For more details, visit our ISO 27001 certificate page.

Application-Level Security

From the earliest phases of product design and planning, the ClickTale security team takes an active role in how our products are built. Following completion, sensitive product developments are tested to ensure that application security has been thoroughly and properly addressed.

On an ongoing basis, security consultants review our code and conduct penetration tests for various attack scenarios based on the Open Web Application Security Project (OWASP) and scenarios relevant specifically to ClickTale. We also conduct extensive secure coding and ethical hacking training for our development and QA teams.

Our product contains various security features, including user authentication, authorization levels, account lock-out, single sign-on, and in-transit encryption.

Penetration Testing and Security Audits

ClickTale performs at least two annual Information Security Penetration tests, which are conducted by accredited and completely independent information security companies. Vulnerabilities, if found, are addressed as part of our Risk Management Policy.

In addition to our security team’s regular reviews, we conduct an annual Information Security Risk Assessment to identify new threats, measure their likelihood and business impact, and determine appropriate controls to minimize risk.

Independent Customer Tests

ClickTale welcomes customers and potential customers to independently verify our product security by conducting their own vulnerability assessments and penetration tests. Please contact your sales representative in order to coordinate this.


ClickTale implements multiple and varied infrastructure security measures to protect customer information from unauthorized access, loss, alteration, viruses, Trojans and other similar harmful code. This includes swift and regular security updates, the use of firewalls and Intrusion Prevention Systems, hardened servers, and scheduled data backups.

Physical Security

ClickTale has chosen SoftLayer as our strategic enterprise data facility. For detailed information about SoftLayer’s security, please click here. All ClickTale client-recorded data is stored on secure servers located in SoftLayer’s data center in Texas. For European enterprise clients, data is stored in SoftLayer’s Amsterdam data center.

Encrypted backups of our service and client data are stored on the Amazon Web Services cloud. For customers using our Event-Triggered Recorder offering, data is also stored on Azure cloud services.
