Putting Privacy First
Security at Hotjar
Security is key to fulfilling our commitment to our users and we at Hotjar take it very seriously. We have certifications, processes, and audits in place to systematically help ensure the safe and secure use of our service for everyone.
Putting Privacy First
Security at Hotjar
Security is key to fulfilling our commitment to our users and we at Hotjar take it very seriously. We have certifications, processes, and audits in place to systematically help ensure the safe and secure use of our service for everyone.
Security overview
Infrastructure security
By default we block all traffic at a network level and only open specific ports as required to deliver the Hotjar service.
Any escalated access to infrastructure requires VPN with 2-factor authentication.
Unauthorized access attempts are logged and escalated through our usage of Threatstack.
Host-based intrusion detection systems are in active use.
Data encryption
Data to and from Hotjar's servers is encrypted in transit.
Our Data Safety, Privacy & Security article explains the exact details of the setup in more depth.
Failover and disaster recovery
All of our production infrastructure is built with redundancies in place, in highly-available configurations spread over three different availability zones in the eu-west-1 AWS region.
Inventory and configuration
Infrastructure is kept as code using Terraform, and other infrastructure-as-code tools with changes going through a process very similar to the application-level software development process. We make use of separate infrastructure for development, staging and live environments, with no sharing of data between environments.
Identity and Access Control
Passwords are stored in a hashed format using PBKDF2-SHA512.
VPN access requiring 2-factor authentication is required to access any internal resources.
Access to customer data is limited to authorized employees who require it for or operational and maintenance activities.
Access to sensitive production data is limited to just the devops team.
Monitoring and logging
We do extensive monitoring of infrastructure and application performance, which usually allows us to detect issues before many customers experience them.
Automated alerts are set up with an on-call schedule with escalations. In case an issue isn't acknowledged within 10 minutes, it's escalated to all other members of the devops team.
Penetration Testing
We perform annual application-level penetration tests via an independent third party.
Our aim is to fix any discovered critical issues within 2 business days, and high-severity issues within 30 business days.
Medium-severity and lower-severity issues are handled as part of ongoing security work.
Incident response
Hotjar implements a protocol for handling security events and other operational issues which includes escalation procedures, rapid mitigation, and post-mortems.
You can visit our status page to get updates on any potential issues, and even subscribe to automatic updates.
Security and GDPR
Hotjar is fully committed to achieving compliance with the GDPR prior to the regulation’s effective date (May 25th 2018).
We will ensure that the required controls and application features are in place to allow our users to use Hotjar in a GDPR-compliant manner.
To read more about our commitment and compliance controls we have put in place, please check the resources below.
Compliance / Certifications
Hotjar is PCI-compliant as we utilize Braintree's Hosted Fields.
Our infrastructure is hosted on AWS, which is an ISO27001 certified service.
Our infrastructure is hosted on AWS, which is an SOC2 certified service.
Security questions or issues?
If you think you may have found a security vulnerability within Hotjar, please get in touch with our security team.
Read more about our Data Safety, Privacy & Security, Privacy Policy & Terms of Service.
Get started with Hotjar
Trusted by over 900,000 organizations across 180+ countries. It’s free, forever.
No credit card required
56,549 users signed up last month
GDPR- & CCPA-ready