...

4. Acceptable Use of Hotjar Systems and Data

4.1 System/Application Password Security

General

  • User Access to the systems is controlled by the use of UserIDs and passwords. Unless specifically stated, all UserIDs and passwords are unique to each individual and consequently, you will be accountable for all actions on systems that are linked to your login ID.
  • You are personally responsible for controlling access to your computer and therefore it is necessary that you strictly follow the measures stated below.

Passwords

In many cases, the system will enforce password length and quality. If this is not the case you must:

  • Change temporary passwords on first use.
  • Use LastPass to randomly generate and store your passwords.
  • Unless restricted by the system, a password should always adhere to the following:
      • Minimum of 12 characters
      • Not a password you've used in the past or are currently using for another system
      • Must contain at least one upper case, lower case, number, and special character
  • When the system allows for it, you must always enable two-factor authentication (2FA).

You must not:

  • Write down passwords, or disclose them via email. They should only be shared via LastPass.
  • Make up passwords outside of LastPass. This includes using the save password function with web browsers.
  • Use default passwords.

If you suspect that your password has been compromised, that password must be changed immediately. Immediately after changing the password that is suspected of being compromised, you must report the suspected compromise to security@hotjar.com.

4.2 Email Use

All usage of Hotjar's email correspondence must be regarded as the property of Hotjar and must not be regarded as private. You should note that Hotjar's systems may be subject to monitoring and inappropriate use may result in further action, including disciplinary action up to and including dismissal. This policy applies when using Hotjar email on any network or device.

You must:

  • Obey the law and comply with relevant legislation. You are responsible for observing copyright, intellectual property rights and licensing agreements that may apply to information, documents and software.
  • Take care if emails are received from unknown and unexpected sources. Do not open suspicious emails and their attachments or web links, as these may contain malicious software.
  • When possible, it's preferable to open and edit files completely through the Google Drive/Docs interface, as this will prevent the infection of local machines.
  • It is good practice to save attachments to the local desktop (or other relevant computer folders) before opening them so that they can be automatically checked for malicious software content.
  • If in doubt, either permanently delete suspect emails (delete them from the ‘deleted items’ folder too) or contact security@hotjar.com.
  • If appropriate, immediately share information about the threat with the team either through email or instant messaging.

You must not:

  • Use email for political purposes, personal advertising or anything that conflicts with Hotjar's Core Values.
  • Configure your email for automatic forwarding unless there is a justified business requirement, authorized by security@hotjar.com.
  • Use email to store or transmit:
      • Pornographic, obscene, offensive, racist, defamatory, harassing or intimidating material;
      • Unsolicited messages (known as spam), hoax and nuisance emails. If such emails are received, never reply to or forward them to other users.
  • Attempt to ‘spoof’ emails, transmit anonymous emails, or change the origin or content of emails that have been sent or received.

4.3 Ownership of Information

You should be aware that:

  • All Hotjar information is ultimately the property of Hotjar and/or our customers, who have entrusted us to keep their data safe.
  • Hotjar may monitor, inspect, search and/or record any activities occurring on Hotjar resources without limitation. This includes electronic communications, without notice of any kind.
  • Team Members using Hotjar resources have no expectation of privacy except when using personal applications on their personal mobile devices.

4.4 Protection of Customer Information

The Data Protection Act (DPA) and the General Data Protection Regulation (GDPR) protect individuals from the misuse of their personal data. They cover data held in both electronic and paper forms. Compliance with Hotjar's Security policies, standards, and procedures will ensure that the security of customer data is not compromised as a result of intentional or unintentional systems misuse.

Notes entered in Customer Relationship Management (CRM) systems and support ticket systems such as Intercom and Zendesk are subject to these regulations, and our customers are entitled to see any call notes or other details we hold about any of the calls they have made to us. Therefore:

  • Comments and notes and other details, just like any other documents, could be disclosed in litigation. Unprofessional statements made about a colleague, customer, supplier or a third party, even those intended as a joke, can be viewed as harassment, libel, or slander and could result in you, the Company or both being sued.
  • You must not use any terms that are defamatory; what may be intended as a joke or light-hearted comment could cause offense to others.
  • You must not use any information obtained from these systems for any purpose other than your legitimate work for the Company.
  • You must not copy any of the information in these systems for any purpose other than your legitimate work for the Company.

4.5 Storing Hotjar Work/Data

All team members will ensure that any data that they create or change on behalf of Hotjar is saved only on a device purchased by Hotjar and backed up only into one of our cloud services on a regular and recurring basis. Our standard service for this is Google Drive but there may be system-specific services/requirements. Therefore you should ensure that:

  • You minimize storage of data solely to Hotjar owned/furnished devices and officially approved cloud services.
  • You regularly back up any data that exists on your Hotjar furnished computer to Google Drive or whatever system is appropriate for that data.
  • You never store any Hotjar data on an appliance or system that is not owned by Hotjar (e.g. your personal laptop, mobile phone, tablet, or a cloud service managed by Hotjar).
  • You never back up Hotjar data to an external storage device without approval from security@hotjar.com.

4.6 Reporting of Security Incidents

In order for Hotjar to manage and deal with security incidents successfully, they must be captured and logged. If you suspect or have knowledge of a security incident or a breach of Hotjar's security policy and standards, or a software malfunction, or a security weakness in any information system, you must report the concern immediately to security@hotjar.com.

Examples of a security incident include:

  • Loss of equipment or sensitive data;
  • Physical damage to IT equipment;
  • Compromise of sensitive documents and information;
  • Unauthorized use of another user’s profile (masquerading of user identity);
  • Divulging a password to another user without authority;
  • Improper use of email or the Internet, e.g. harassing emails, downloading or distribution of pornographic images;
  • Unauthorized copying of information;
  • Damage to property that could impact information security;
  • Access to premises without authority;
  • Theft of IT equipment.

If the security incident is an actual or suspected breach by a team member or third party, then the security incident must be immediately reported to security@hotjar.com, and as relevant, People Operations.

In all cases, Hotjar's Security Officer is ultimately responsible for ensuring that the Security Incident is documented and shared with PeopleOps.

4.

...

6 Google Sign In

Where applicable, Hotjar permits the option to log in to approved tools or services via Google Sign In. Tools or services that

...