Introduction
We believe that digital experience data is critical to your business, and we take security extremely seriously. FullStory holds a SOC 2 Type II attestation and a SOC 3 report, is ISO 27001 and ISO 27701 certified, and stores data securely with Google Cloud Platform. Additionally, FullStory provides a robust suite of tools and features that enable businesses to manage exactly what data FullStory captures and stores.
Key point: you control what data FullStory captures and stores.
You can and should exclude from capture any information that could appear in your web pages or apps that you or your users would deem too sensitive to store. Please keep in mind as you review the security information below that the most effective way to minimize security exposure is to avoid storing unnecessarily sensitive data in the first place. You can read more about this philosophy in the Acceptable Use Policy. For further details, please see trust.fullstory.com.
Contents
- Attestations & Certifications
- Physical Security
- System Security
- Operational Security
- Application Security
- Security Incident & Coordinated Vulnerability Disclosure
- Security Benefits of Using FullStory
Attestations & Certifications
FullStory meets rigorous international standards for security in terms of confidentiality, integrity, and availability. The following attestations and certifications are available upon request for paying customers:
Physical Security
FullStory production data is processed and stored within world-renowned data centers, which use state-of-the-art multilayer access, alerting, and auditing measures, including
- perimeter fencing
- vehicle access barriers
- custom-designed electronic access cards
- biometric checks
- laser beam intrusion detection
- continuous external and internal security camera surveillance
- 24x7 trained security guards
System Security
Servers and Networking
All servers that run FullStory software in production are recent, continuously patched Linux systems. Additional hosted services that we utilize, such as Google Cloud Storage, are comprehensively hardened Google infrastructure-as-a-service (IaaS) platforms.
Our web servers encrypt data in transit using the strongest grade of HTTPS security (TLS 1.2+) so that requests are protected from eavesdroppers and man-in-the-middle attacks. Our SSL certificates are 2048-bit RSA, signed with SHA-256.
Internal tier-to-tier requests are signed and authenticated to prevent request forgery, tampering, and replay.
Storage
All persistent data is encrypted at rest using the AES-256 standard or similarly high standards, allowing Google Compute Engine to successfully complete ISO 27001, SSAE-16, SOC 1, SOC 2, and SOC 3 certifications.
Operational Security
Employee Equipment
Employee computers have strong passwords, encrypted disks, firewalls, and, where applicable, inbound and outbound network traffic monitoring and alerting. No Windows computers or servers are used at all other than in isolated testing environments. A large and increasing percentage of employees use Chromebooks exclusively for maximum defense against malware, including powerful security measures such as verified boot.
Employee Access
We follow the principle of least privilege in how we write software as well as the level of access employees are instructed to utilize in diagnosing and resolving problems in our software and in response to customer support requests.
We use Google account infrastructure to verify employee account identity and require physical security keys and/or two-factor authentication for all internal applications without exception. Access to administrative interfaces additionally enforces administrator permissions where applicable. All administrative access is logged and auditable, both in traditional web server logs and via FullStory itself, which makes it easy to find and review any administrative activities with full fidelity. For third-party SaaS providers, we utilize Google as an identity provider whenever possible to provide a single point of access control across all the apps that employees access as part of their job.
Code Reviews and Production Signoff
All changes to source code destined for production systems are subject to pre-commit code review by a qualified engineering peer that includes security, performance, and potential-for-abuse analysis.
Prior to updating production services, all contributors to the updated software version are required to approve that their changes are working as intended on staging servers.
Service Levels, Backups, and Recovery
FullStory infrastructure utilizes multiple and layered techniques for increasingly reliable uptime, including the use of autoscaling, load balancing, task queues and rolling deployments. Due to the very large amount of data that FullStory stores, we do not currently make point-in-time backups, although we do use highly redundant data stores and/or rapid recovery infrastructure, making unintentional loss of received data due to hardware failures very unlikely.
Application Security
Excluding Sensitive Data
As emphasized in the introduction, the most important security consideration — one that you control — is the choice of what data to collect in the first place. By responsibly excluding sensitive information, you can gain full benefit from FullStory without sensitive data ever leaving an end user’s computer.
Under Settings in FullStory, there is an area to add CSS selectors for Excluded Elements, which designate DOM elements to be excluded from capture. Not only will elements matched by the specified selectors not be captured, they will never be sent across any network. Excluded elements stay on the client. We don’t receive them. We don’t store them.
Client and Server Hardening
Exposed server endpoints are recurrently tested for vulnerabilities using multiple types of scanning software as well as manual testing. Request-handling code paths have frequent user re-authorization checks, payload size restrictions, rate limiting where appropriate, and other request verification techniques. All requests are logged and made searchable to operations staff.
Client code utilizes multiple techniques to ensure that using the FullStory application is safe and that requests are authentic, including
- IFRAME sandboxing
- XSS and CSRF protection
- signed and encrypted user auth cookies
- remote invalidation of extant sessions upon password change/user deactivation
API and Integrations
All access to FullStory REST API endpoints requires an access key that can be regenerated on demand by customers.
Integrations with other applications are all opt-in and authenticate via OAuth or other applicable mechanisms required by the third party application. Integrations can be disabled at any time.
Customer Payment Information
We use Stripe for payment processing and do not store any credit card information. Stripe is a trusted, Level 1 PCI Service Provider.
Security Incident & Coordinated Vulnerability Disclosure
FullStory's Product Security Incident Response Team (PSIRT) operates a coordinated vulnerability disclosure program. If you would like to report a security concern to us, please email psirt@fullstory.com and use our GPG key to encrypt any sensitive information.
FullStory also operates a private bug bounty program via HackerOne. If you would like to be considered for inclusion in our private program, please email your request to psirt@fullstory.com.
Security Benefits of Using FullStory
FullStory can, perhaps surprisingly, also produce substantial security enhancements for your own security practices.
Monitor and Audit Suspicious Activity
While it is certainly not the reason that we developed FullStory, we have heard from customers that FullStory adds an additional and new type of application security. "It is sort of like having a security camera in our product."
With FullStory, you can explore, search, and view any suspicious sessions in near real-time. Viewing sessions is a much quicker and more informative way of assessing a situation than scouring through vast system logs.
Reduce Staff Administrative Permissions
Especially for SaaS providers, supporting your own customers may entail sharing privileged administrative passwords, often circulated widely throughout an organization, to aid in troubleshooting user issues via “under-the-covers” data access or impersonating users within your own application. This practice increases the risk of accidental data corruption, theft, and privacy intrusions as support employees log in and poke through user accounts.
FullStory provides a one-way window into your users’ sessions. Session playback is historical (and of course read-only), meaning that information can be ascertained without interacting with your live applications. Buttons cannot be pushed. Settings cannot be changed. Files cannot be exported.
Thus, FullStory provides a means to better support your users while also safely reducing the number of individuals with administrative privileges in your organization.