We believe that behavioral data is critical to your business, and we take security and privacy extremely seriously. You'll find the privacy, security, and compliance documentation you need in the Fullstory Trust Center:
- Publicly available: Some documents, like our SOC 3 Report and Privacy and Security Guide, are publicly available.
- Access required: Other documents, like our SOC 2, Type 2 Report, the Penetration Test Executive Report, and many others, require special access. Access is granted to prospective customers with a fully executed NDA and to current customers with an active MSA.
The rest of this guide will walk through Fullstory's approach to compliance and the documents you'll find in the Trust Center.
Our Commitment to Audited Assurance
Fullstory's comprehensive compliance program demonstrates our deep commitment to protecting your data, with transparency that's validated by the industry's most rigorous independent audits.
From our SOC 2 Type 2 Attestation to our ISO certifications in security and privacy, and our pioneering ISO 42001 certification for AI systems, we've built a framework that safeguards your information at every level while enabling the innovative tools you trust us to deliver.
This guide outlines our key certifications and reports to provide you with trusted assurance of our practices.
Understanding Our ISO Certifications
The International Organization for Standardization (ISO) is an independent, non-governmental body that develops and publishes international standards. These standards ensure the quality, safety, and efficiency of systems and services. Achieving an ISO certification means an accredited, independent auditor has tested our systems and processes against that standard’s strict requirements.
The documents and reports referenced below are available in the Fullstory Trust Center.
The Statement of Applicability (SoA): Our Proof of ISO Compliance
A common question organizations receive is, "How do we know which parts of your security program were actually tested for ISO?" The answer lies within the official certificate and in a document called the Statement of Applicability (SoA).
The SoA is a mandatory document for ISO 27001 certification that lists every security control defined by the standard. For each control, we declare whether it is applicable to Fullstory and justify how it has been implemented. Independent auditors use our SoA as the official roadmap for their audit, making it the definitive record of what our security, privacy, and AI program was tested on.
Maintaining these certifications is an ongoing process. Each year, we undergo both a comprehensive internal audit and an external audit performed by an accredited third party. This annual cycle of verification ensures our program remains effective and continuously adheres to the rigorous standards set by ISO.
Fullstory's ISO Certifications Explained
- ISO 27001:2022 (Information Security Management): This standard provides the requirements for an Information Security Management System (ISMS), ensuring we have a systematic, risk-based approach to managing sensitive information. The framework contains 93 controls.
- ISO 27701 (Privacy Information Management): This is an extension to ISO 27001 that provides the framework for a Privacy Information Management System (PIMS), specifically addressing the protection of Personally Identifiable Information (PII). It enhances our existing security system with dozens of additional privacy-specific controls.
- ISO 27017 (Cloud Security): This standard provides guidelines on information security controls applicable to the provision and use of cloud services, ensuring security both for Fullstory as a cloud provider and for how we use cloud services. It adds 7 new cloud-specific controls and provides implementation guidance for 37 others.
- ISO 27018 (Protecting PII in the Cloud): This certification establishes controls and guidelines for protecting Personally Identifiable Information (PII) within a public cloud computing environment. It provides implementation guidance on 16 existing controls and adds 25 new PII-specific controls.
- ISO 42001 (Artificial Intelligence Management System): This is the first international standard for an AI Management System (AIMS), providing a framework to govern our AI systems ethically and responsibly throughout their entire lifecycle. The framework contains 38 controls.
Understanding Our SOC Reports
In addition to our ISO certifications, we undergo regular Service Organization Control (SOC) audits, a U.S. standard developed by the American Institute of CPAs (AICPA).
SOC 2 Type 2 Report: A Deep Dive into Our Controls
A SOC 2 report evaluates an organization's controls against the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. A Type 2 report confirms that these controls have been tested for operational effectiveness over a period of time (typically 6-12 months, with Fullstory’s being 12 months). Because the SOC 2 Type 2 report contains highly detailed descriptions of our internal controls and the auditor's testing, it is a confidential document available to customers and prospects under a Non-Disclosure Agreement (NDA).
SOC 3 Report: Publicly Available Assurance
A SOC 3 report provides the same assurance as a SOC 2 report but in a format that is intended for public consumption. It includes the independent auditor's opinion on the effectiveness of our controls but omits the sensitive, detailed descriptions of the tests and results. This makes our SOC 3 report an excellent way to verify our security posture and validate our compliance, with no NDA required. It is available here.
Explore Our Compliance Program
These certifications and reports represent our deep and ongoing commitment to protecting your data with a comprehensive, transparent, and independently validated program.
For more detailed documentation, including our certifications, our publicly available SOC 3 report, or to request our SOC 2 Type 2 report, please visit the Fullstory Trust Center.