Where is my data stored?
As a Hotjar user, your data is stored in our secure cloud environment, hosted by Amazon Web Services. The data is geographically located in the eu-west-1 region, Ireland. Read more about our Cloud Security.
What network controls has Hotjar implemented to protect the data it stores?
Data in transit between end-users and Hotjar's cloud environment is encrypted using HTTPS over TLS 1.2. This is verifiable by an independent check that can be performed via SSL Labs. Read more on our Networking Security Controls.
What physical controls has Hotjar implemented to protect the data it stores?
Hotjar is hosted in a nondescript data center location that utilizes a number of managed, physical and automated measures to prevent unauthorized access to its facilities. Read more about the physical security of Hotjar.
The data center has appropriately mitigated the risks of fire and water damage. You can read more about the environmental controls in place.
What organizational controls does Hotjar have in place?
Our Information Security Policy is the overarching collection of policies Hotjar implements to ensure the confidentiality, integrity, and availability of the data we store.
More detail on our policies, procedures, and standards can be found here.
Do you run a bug bounty program?
Yes, we currently have a private bug bounty program and we encourage all industry experts and researchers to partner with us to disclose vulnerabilities responsibly via this platform. You can read more about this program in our Responsible Disclosure Bug Bounty Program article.
Are we able to conduct our own penetration testing or security assessment scanning of Hotjar?
We have found that it is almost impossible to distinguish simulated security assessments from genuine threats. As such, we coordinate our own annual security assessments. The details of our latest assessment can be found here.
How frequently does Hotjar run privacy and security training?
Security and privacy training is provided to all new team members during their onboarding. The training aims to provide a baseline understanding within the context of Hotjar, its values and how we appropriately implement controls to help protect Hotjar and the data we store.
What monitoring and testing controls have been implemented for the detection of suspected incidents?
Hotjar has extensive monitoring and alerting tools that provide near real-time monitoring to on-call engineers. In the event of an incident, our Incident Response Management Plan will be initiated.
Does Hotjar have a Secure Development Coding Lifecycle?
Hotjar has implemented a robust application assessment process that includes a number of key security checkpoints throughout the pipeline. More details of this can be found in Hotjar Coding Guidelines.
Does Hotjar have a status page?
Yes, our status page can be found here.