Our Privacy Philosophy and Practice
We value your privacy and the privacy of your website visitors. Crazy Egg is GDPR compliant. We also comply with industry-specific privacy policy standards (Health Care and Financial).
Crazy Egg collects a limited amount of personal data from customers who sign up for our services. This data includes the customer name, email address for account access, payment information, and websites (domains) entered by the customer. Upon signing up for an account, the customer agrees to our Terms of Service and Privacy Policy.
Crazy Egg uses CyberSource for payment processing, and we do not store any credit card information. CyberSource is a trusted, Level 1 PCI Service Provider.
When tracking data on our customers' websites, we do not collect any other Personally Identifiable Information (PII) in our Snapshots or AB Testing features, and all IP addresses are anonymized. Site visitors are assigned a unique user identifier (UUID) so Crazy Egg can keep track of returning visitors without relying on personal information, such as the IP address.
IP addresses of visitors are always anonymized before being stored. We set the last octet of IPv4 addresses to 0 to ensure the full IP address is never written to disk. For example, if a visitor's IP address is 1.2.3.4, it will be stored as 1.2.3.0. The first three octets of the IP addresses are only used to determine the visitor's geographic location.
The Recordings feature can record the various pages on your site. Crazy Egg automatically suppresses keystroke data on all input fields when collecting data with Recordings. In all cases, the data is suppressed client-side, in the visitor’s browser, which means it never reaches our servers.
We believe it is essential to keep sensitive customer information private, and this is reflected in how we track data in our Recordings feature. When visitors type in an input field, we mask the typed characters. We've also built a tool that lets you block sensitive customer information that you have control over (and are responsible for handling) by excluding elements from recordings.
Learn more about our Privacy and Security Structure using any of the links below.
- Security and Privacy Governance
- Segregation Controls
- Access Controls
- Availability Controls
- Physical Security
- Network and Transmission Controls
- Security in Engineering
Security and Privacy Governance
We regularly review our policies and processes for efficiencies and improvements. We ensure staff have training in proper data management and in privacy and security awareness, and that they understand the accountability and expectations of our customers in this area. All employees sign a Non-Disclosure Agreement and are restricted to accessing only the data required to complete their work.
Access to your account data stored on our System is restricted within Crazy Egg to employees who need to know this information to perform their job function, for example, to provide customer support or maintain infrastructure.
Crazy Egg requires using single sign-on, strong passwords, and/or 2-factor authentication for all employees to access production servers for the Crazy Egg Service. SSH Key-Based authentication is used for server access.
Crazy Egg has implemented several employee job controls to help protect the information stored on the Crazy Egg Service:
- All employees are required to sign confidentiality agreements before accessing our production systems.
- All employees receive security and privacy training at the time of hire and quarterly security and/or privacy awareness training.
- Employee access to production systems that contain your data is logged and audited.
- Employees are subject to disciplinary action, including but not limited to termination, if they have abused their access to customer data.
We have an Incident Response Plan designed to promptly and systematically respond to possible security and availability incidents. The incident response plan is tested and refined regularly.
Segregation Controls
1. Data Segregation
The code snippet for the Crazy Egg Service is designed to be unique to your account. Crazy Egg’s application logic is designed to enforce this segmentation by permitting each end user access only to accounts that the user has been granted access to.
2. User Roles
The Crazy Egg Service is designed for cases ranging from single account holders to large teams. User roles specify different levels of permissions that you can use to manage the users on your Crazy Egg Service account. You can invite users to your account without giving all team members the same levels of permission. These user permission levels are beneficial when multiple people work on the same project or experiment.
Access Controls
1. Authentication
- Crazy Egg requires authentication for access to all application pages on the Crazy Egg Service, except for those intended to be public.
- Crazy Egg currently uses TLS-encrypted POST requests to transmit authentication credentials to the Crazy Egg Service.
- The Password Management process is designed to enforce minimum password requirements for the use of Crazy Egg.
- End-user account passwords are hashed with a random salt using industry-standard techniques (we currently use BCrypt).
2. Session Management
Each time a user signs into Crazy Egg, the system assigns them a new, unique session identifier. All sessions are logged out upon quitting the browser. When signing out of the Crazy Egg Service, the system is designed to delete the session cookie from the client and invalidate the session identifier on Crazy Egg servers.
3. Access Logs
Logs are kept at all account levels for the following key changes that end users make within the account:
- Account: Sign-in / Sign-out
- Tracking changes: Creating, Deleting, Start/Pause and Updating
- Updating Settings
Availability Controls
1. Disaster Recovery
The infrastructure for the Crazy Egg Service is designed to minimize service interruption due to hardware failure, natural disasters, or other catastrophes. With our servers located in the US in data centers on both coasts, features include:
- State-of-the-art cloud providers: We use Amazon Web Services, which thousands of businesses trust to store and serve their data and services.
- Data replication: To help ensure availability in a disaster, we replicate data across multiple data centers.
- Backups: We perform daily, weekly, and monthly backups of data stored on the Crazy Egg Service, which are tested regularly.
2. Data storage and backup
All data Crazy Egg collects is stored electronically in the USA on the Amazon Web Services infrastructure. Our application and database servers run inside an Amazon Virtual Private Cloud (VPC). The database containing visitor and usage data is only accessible from the application servers, and no outside sources can connect to the database.
At Crazy Egg, we use database replication to keep your data safe in the case of system failure. Full database backups are taken daily, stored on Amazon Cloud Storage (AWS S3), and kept as an electronic copy for three days. We must revert to a backup if two or more database nodes fail concurrently.
Compliance, certifications, and audit reports:
- ISO-27001 Certification: https://aws.amazon.com/compliance/iso-27001-faqs/
- SOC2 third-party audit reports: https://aws.amazon.com/compliance/soc-faqs/
Physical Security
Crazy Egg uses industry-leading cloud platforms (currently Amazon Web Services) to host its production systems for the Crazy Egg Service. Access to these data centers is limited to authorized personnel, as verified by biometric identity verification measures. Physical security measures for these data centers include on-premises security guards, closed-circuit video monitoring, and additional intrusion protection measures. We rely on third-party attestations of their physical security.
Crazy Egg production data is processed and stored within Amazon Web Services, which uses state-of-the-art multilayer access, alerting, and auditing measures, including:
- perimeter fencing
- vehicle access barriers
- custom-designed electronic access cards
- biometric checks
- laser beam intrusion detection
- continuous external and internal security camera surveillance
- 24x7 trained security guards
Network and Transmission Controls
Crazy Egg monitors and updates its communication technologies periodically to provide network security.
1. SSL/TLS
All communications from your end users and visitors with the Crazy Egg Service are encrypted using industry-standard communication encryption technology. Crazy Egg currently uses Transport Layer Security (TLS), with regular updates to cipher suites and configurations.
2. Network Security
Crazy Egg regularly updates the network architecture schema and maintains an understanding of the data flows between its systems. Firewall rules and access restrictions are reviewed for appropriateness regularly.
3. Infrastructure Security
Crazy Egg uses a Security Information and Event Management (SIEM) system and other security monitoring tools on the production servers hosting the Crazy Egg Service. Notifications from these tools are sent to the Crazy Egg Security Team so that they can take appropriate action.
Security in Engineering
1. Product Security Overview
The Crazy Egg software development lifecycle (SDLC) for the Crazy Egg Service includes many activities intended to foster security:
- Defining security requirements
- Design (threat modeling and analysis, security design review)
- Development controls (static analysis, manual peer code review)
- Testing (dynamic analysis, 3rd party security vulnerability assessments)
- We currently use unit, integration, and end-to-end tests, where applicable, to catch regressions.
- Deployment controls (such as change management and canary release process).
Crazy Egg designs, reviews, and tests the software for the Crazy Egg Service using applicable OWASP standards.
2. Code Assessments
The software we develop for the Crazy Egg Service is continually monitored and tested using processes designed to identify and remediate vulnerabilities proactively. We regularly conduct:
- Automated source code analysis designed to find common defects
- Peer review of all code before being pushed to production
- Manual source code analysis on security-sensitive areas of code
- Third-party application security assessments and penetration tests, performed annually
Please see our Terms of Use, Privacy Policy, Cookie Policy, and Opt-Out Procedure. If you have further questions, please email privacy@crazyegg.com.