Our Privacy Philosophy and Practice
We value your privacy and the privacy of your website visitors. Crazy Egg is GDPR compliant. We are also compliant with the standards of other industry-specific privacy policies (such as Health Care and Financial).
Crazy Egg uses CyberSource for payment processing and we do not store any credit card information. CyberSource is a trusted, Level 1 PCI Service Provider.
Apart from this information, we do not collect any other Personal Identifiable Information (PII) in our Snapshot or AB Testing features and all IP addresses are anonymized. Site visitors are assigned a unique user identifier, UUID, so that Crazy Egg can keep track of returning visitors without relying on any personal information, such as the IP address.
IP addresses of visitors are always suppressed before being stored. We set the last octet of IPv4 addresses, all connections to Crazy Egg are made via IPv4, to 0 to ensure the full IP address is never written to disk. For example, if a visitor's IP address is 220.127.116.11, it will be stored as 18.104.22.168. The first three octets of the IP addresses are only used to determine the geographic location of the visitor.
The Recordings feature can record the various pages on your site. When collecting data with Recordings, Crazy Egg automatically suppresses keystroke data on all input fields. In all cases, the data is suppressed client-side, the visitor’s browser, which means it never reaches our servers.
We believe it is important to ensure that sensitive customer information is kept private and this is reflective in how we process our Recordings feature. When a visitor types in an input field, we mask the typed characters. We've gone further and built a tool to block sensitive customer information that you have control over (and are responsible to handle) by excluding elements in recordings.
Our Security and Privacy Governance is made up of our executive team. We regularly review our policies and processes for efficiencies and improvements. Ensuring that staff has training in proper data management, privacy and security awareness and an understanding of the accountability and expectations to our customers in this area. All employees sign a Non-Disclosure Agreement and restricted in their access to only the data they require to complete their work.
Access to your account data stored on our System is restricted within Crazy Egg to employees who have a need to know this information to perform their job function, for example, to provide customer support, or to maintain infrastructure.
Crazy Egg requires the use of single sign-on, strong passwords and/or 2-factor authentication for all employees to access production servers for the Crazy Egg Service. SSH Key-Based authentication is used for server access.
Crazy Egg has implemented several employee job controls to help protect the information stored on the Crazy Egg Service:
- All employees are required to sign confidentiality agreements prior to accessing our production systems.
- All employees are required to receive security and privacy training at the time of hire, as well as quarterly security and/or privacy awareness training.
- Employee access to production systems that contain your data is logged and audited.
- Employees are subject to disciplinary action, including but not limited to termination, if they are found to have abused their access to customer data.
We have an Incident Response Plan designed to promptly and systematically respond to security and availability incidents that may arise. The incident response plan is tested and refined on a regular basis.
1. Data Segregation
The code snippet for the Crazy Egg Service is designed to be unique to your account. Crazy Egg’s application logic is designed to enforce this segmentation by permitting each end user access only to accounts that the user has been granted access to.
2. User Roles
The Crazy Egg Service is designed for use cases ranging from single account holders to large teams. User roles specify different levels of permissions that you can use to manage the users on your Crazy Egg Service account. You can invite users to your account without giving all team members the same levels of permissions. These user permission levels are especially useful when there are multiple people working on the same project or experiment.
- Crazy Egg requires authentication for access to all application pages on the Crazy Egg Service, except for those intended to be public.
- Crazy Egg currently uses TLS-encrypted POST requests to transmit authentication credentials to the Crazy Egg Service.
- The Password Management process is designed to enforce minimum password requirements for the use of Crazy Egg.
- End-user account passwords are hashed with a random salt using industry-standard techniques (we currently use BCrypt).
2. Session Management
Each time a user signs into Crazy Egg, the system assigns them a new, unique session identifier. All sessions are logged out upon quitting the browser. When signing out of the Crazy Egg Service, the system is designed to delete the session cookie from the client and to invalidate the session identifier on Crazy Egg servers.
3. Access Logs
Logs are kept at all account levels for the following key changes that end users make within the account:
- Account: Sign-in / Sign-out
- Tracking changes: Creating, Deleting, Start/Pause and Updating
- Updating Settings
1. Disaster Recovery
The infrastructure for the Crazy Egg Service is designed to minimize service interruption due to hardware failure, natural disaster, or other catastrophes. With our servers located in the US in data centers on both coasts, features include:
- State of the art cloud providers: We use Amazon Web Services, which are trusted by thousands of businesses to store and serve their data and services.
- Data replication: To help ensure availability in the event of a disaster, we replicate data across multiple data centers.
- Backups: We perform daily, weekly, and monthly backups of data stored on the Crazy Egg Service, which are tested regularly.
2. Data storage and backup
All data Crazy Egg collects is stored electronically in the USA on the Amazon Web Services infrastructure. Our application servers and database servers run inside an Amazon VPC, Virtual Private Cloud. The database containing visitor and usage data is only accessible from the application servers and no outside sources can connect to the database.
At Crazy Egg, we use Database replication to keep your data safe in the case of system failure. Full database backups are taken every day, stored on Amazon Cloud Storage (AWS S3), and kept for three days as an electronic copy. In case two or more database nodes would fail concurrently we would have to revert to a backup.
Compliance, certifications and audit reports:
- ISO-27001 Certification: https://aws.amazon.com/compliance/iso-27001-faqs/
- SOC2 third-party audit reports: https://aws.amazon.com/compliance/soc-faqs/
- Crazy Egg is PCI compliant.
Crazy Egg uses industry-leading cloud platforms (currently Amazon Web Services) to host its production systems for the Crazy Egg Service. Access to these data centers is limited to authorized personnel only, as verified by biometric identity verification measures. Physical security measures for these data centers include on-premises security guards, closed-circuit video monitoring, and additional intrusion protection measures. We rely on the third-party attestations of their physical security.
Crazy Egg production data is processed and stored within Amazon Web Servers which use state-of-the-art multilayer access, alerting, and auditing measures, including
- perimeter fencing
- vehicle access barriers
- custom-designed electronic access cards
- biometric checks
- laser beam intrusion detection
- continuous external and internal security camera surveillance
- 24x7 trained security guards
Network and Transmission Controls
Crazy Egg monitors and updates its communication technologies periodically with the goal of providing network security.
By default, all communications from your end users and your visitors with the Crazy Egg Service are encrypted using industry-standard communication encryption technology. Crazy Egg currently uses Transport Layer Security (TLS), with regular updates to cipher suites and configurations.
2. Network Security
Crazy Egg regularly updates network architecture schema and maintains an understanding of the data flows between its systems. Firewall rules and access restrictions are reviewed for appropriateness on a regular basis.
3. Infrastructure Security
Crazy Egg uses a Security Incident Event Management (SIEM) system and other security monitoring tools on the production servers hosting the Crazy Egg Service. Notifications from these tools are sent to the Crazy Egg Security Team so that they can take appropriate action.
Security in Engineering
1. Product Security Overview
The Crazy Egg software development lifecycle (SDLC) for the Crazy Egg Service includes many activities intended to foster security:
- Defining security requirements
- Design (threat modeling and analysis, security design review)
- Development controls (static analysis, manual peer code review)
- Testing (dynamic analysis, 3rd party security vulnerability assessments)
- We currently use unit, integration, and end-to-end tests, where applicable, to catch regressions.
- Deployment controls (such as change management and canary release process).
Crazy Egg designs, reviews and tests the software for the Crazy Egg Service using applicable OWASP standards.
2. Code Assessments
The software we develop for the Crazy Egg Service is continually monitored and tested using processed designed to proactively identify and remediate vulnerabilities. We regularly conduct:
- Automated source code analysis designed to find common defects
- Peer review of all code prior to being pushed to production
- Manual source code analysis on security-sensitive areas of code
- Third-party application security assessments and penetration tests performed annually