1. Purpose

The purpose of this document is to specify and communicate the requirements for acceptable use of Hotjar's systems and hardware. Following this policy is a requirement for all Hotjar team members. Failing to comply with all or part of this policy can result in disciplinary actions up to and including termination.

Hotjar is committed to protecting the privacy of our team members and our customers. No portion of this policy is intended to encroach on their rights. Hotjar will always comply with applicable regulations in this regard.


2. Security Requirements for Laptops

2.1 Operating Systems for Hotjar Laptops

For security purposes, only the following operating systems are approved for use on Hotjar-purchased laptops. Using any other operating system or version, or a virtualized laptop operating system, to access Hotjar systems or services is not permitted, even when used as a "dumb terminal" with a remote connection to an approved OS.

  • Windows 10 Professional
  • Mac OS
  • Linux

2.2 Protection Against Malware

Malware (computer viruses, spyware and other forms of malicious code) and vulnerabilities in software programs can cause loss of and damage to information, software, and IT equipment. Hotjar requires the use of anti-malware software on every computer. Our current standard per operating system is:

  • Windows 10 Professional - Windows Defender Security Center. You shouldn't have to do much other than make sure it's running and up to date.
  • Mac OS - Avast Free Mac Security. Make sure you untick all the boxes for the extra software and browser plugins so you don't install extra things. You shouldn't have to do much other than make sure it's running and up to date after that.
  • Linux - Download and install ClamTK, a GUI for ClamAV. There are pre-packaged versions for several distros. Make sure you set up "Update Assistant" for automatic updates. Then go into "Scheduler" and set up daily scans for a time when the computer is on, for example lunch time. The interface is a bit clunky, and you might have to double-click sections to open them. You should go into "History" and make sure your scans are up to date and threat free.

You must ensure that:

  • You have the software described above that is applicable to your computer. It needs to be installed and running in the configuration outlined.
  • You do not introduce a virus or malicious code onto your computer or other Hotjar systems by downloading unauthorized or suspect software from the Internet or from computer media, e.g. USB storage devices.
  • All software and data which originates from outside Hotjar must be checked for viruses and malicious software prior to it being opened or used – if you need help email security@hotjar.com.
  • If you are suspicious of a virus or malicious code, you must stop using your computer immediately and notify security@hotjar.com.

2.3 Full Drive Encryption

To ensure the privacy of the data being stored on your local machine, we require that all hard drives are fully encrypted. Below are links for doing this within each operating system:

You must ensure that:

  • Your hard drive is encrypted at all times.
  • If for some reason you are unable to encrypt your hard drive, due to a technical limitation or otherwise, you must report the matter to security@hotjar.com.

2.4 Operating System Security Patching

Maintaining an operating system that is current with recent security patches is an essential part of keeping your computer safe from external threats.

Hotjar requires that your computer is regularly maintained with the latest security patches. Below are links for doing this within each operating system:

You must ensure that:

  • The operating system on your computer is running the latest critical security patches for your OS.
  • If for some reason you are unable to follow this policy, you must immediately stop using your computer and report the matter to security@hotjar.com.

2.5 User Responsibilities of Computer Equipment

  • You must always take care of IT equipment allocated for your use, and treat it with respect as if it were your own.
  • All of the IT equipment and software that you have been assigned remains the property of Hotjar. All users have an obligation to ensure that this equipment is safeguarded and only used as intended by Hotjar.
  • You must protect your IT equipment against loss, theft and unauthorized access:
      • Always ensure that computer equipment is physically secure.
      • Do not leave it unattended, for example when traveling or in a restaurant.
  • Avoid keeping important files only on the computer to prevent them from being completely lost if a computer fails or is stolen.
  • Immediately report any lost or stolen equipment to security@hotjar.com.

Secure Disposal and Re-use of Equipment

All of Hotjar's information and software must be securely wiped from the computer or mobile equipment before disposal or re-use of the equipment. All equipment intended for disposal and re-use must be returned to Hotjar.

2.6 User Access Control for Laptop

  • Do not leave your computer unlocked when powered on. Normally the system or application will force a lockout after a predetermined period of time and you will be required to re-enter your password and UserID to regain access. You can also trigger the lockout manually.
  • Do not allow anyone else to use your UserID and password.
  • Do not allow anyone else to use your computer.
  • Do not use someone else’s UserID and password to access the network unless that person has specifically authorized you to do so and has shared the login credentials with you via LastPass.
  • Your computer must be locked for access using a password that is at least 12 characters in length or via biometric measures.
  • Use good judgment when using removable media or any USB device. This is a common way that trojans and other forms of malware are transferred. Never assume anything you plug into a USB port is safe/clean.
  • Be careful when connecting to new and unfamiliar wifi networks. Public and open wifi systems should all be considered to be compromised.

2.7 Internet Use

Accessing the internet for legitimate business purposes is regarded as acceptable use. In addition, you may occasionally access the internet for personal use, such as personal email, travel etc. You must use your proper judgment as to what constitutes occasional access; however, it must be based on minimal access to the websites and services necessary for daily life that in no way interfere with fulfilling your role within Hotjar.

Unacceptable Use

The following are deemed as unacceptable use, regardless of whether it is for business or personal reasons:

  • Any activity that may adversely impact or damage the reputation of Hotjar.
  • Downloads of material that infringes any copyright, trademark, patent, trade secret or other proprietary rights of a third party. This includes unauthorized copying of copyright material, digitization, and distribution of copyright photographs and software.
  • Downloading of any unlicensed or ‘hacked’ illegal software.
  • Knowingly accessing or sending:
      • Material likely to encourage an illegal act
      • Information about, or software designed for, breaching security controls or creating computer viruses
      • Material that is obscene, sexually explicit, defamatory, incites or depicts violence, or describes techniques for criminal or terrorist acts (unless it is related to a customer support issue)
      • Material that is illegal under local or international law
      • Material that conflicts with Hotjar's Core Values of Respect
  • Excessive personal use of the internet.
  • Compromising security controls of Hotjar, its customers, or any other person or organization.
  • Any activities that intentionally adversely affect the ability of others to use Hotjar services.
  • Making any statement on your own behalf or on behalf of Hotjar that may cause offense, libel or damage the reputation of others.

If in doubt about whether or not an activity is considered unacceptable, then do not do it. If you require advice, please contact security@hotjar.com.

3. Security Requirements for Mobile Phones, Tablets and Single-Purpose Devices

3.1 Usage

Hotjar team members are permitted to use a personal mobile phone or tablet. Hotjar recognizes that the mobile/tablet is your personal device. We do not furnish any mobile devices to team members because they are not required for the way we work. However, if you choose to use your device for work purposes for convenience or ease of use, you must recognize that any and all data related to Hotjar is the property of Hotjar even if it resides on your device.

Because of this, we have certain security requirements for these devices, which are detailed below. Some applications such as Google also provide us with additional policy enforcement capabilities that include providing Hotjar with the ability to remote wipe your device. These measures will only be undertaken by the company in instances such as lost or stolen devices, fraud or for data protection measures/risk.

3.2 Operating Systems for Mobile Phones, Tablets and Single-Purpose Devices

For security purposes, only the following operating systems are approved for use on mobile phones that access Hotjar systems. Jailbroken or rooted devices are not permitted.

  • Android
  • iOS

To ensure the best security possible, we ask that you apply security updates to the operating system of your device when they become available from the manufacturer or service provider.

3.3 Full Drive Encryption

To ensure the privacy of the data being stored on your device, we require that it be encrypted. You will need to check the settings of your device to ensure that this is enabled. If it is not enabled, you will be unable to access certain mobile applications due to admin-related policy enforcement.

3.4 Passwords for Mobile Devices and Tablets

Due to the extremely portable nature of mobile devices and tablets, it is essential that all devices be secured with reasonable password measures as specified below.

  • Passwords must be at least 8 characters long.
  • Pattern-based passwords are not permitted.
  • Biometric passwords (i.e. fingerprints and facial recognition) are allowed.
  • Auto-lock of the device, prompting a password to be re-entered, after 1 minute of inactivity must be enabled.

3.5 User Responsibilities of Mobile Devices

  • Each Hotjar Team Member is permitted to use no more than two devices (a phone and a tablet) to access Hotjar systems.
  • Do not allow anyone else to use your device.
  • Immediately report any lost or stolen equipment to security@hotjar.com.
  • If you sell, damage beyond use, or replace your mobile device, you must ensure it is reformatted and restored to the default factory setting.
  • You must protect your devices against loss, theft and unauthorized access. Do not leave them unattended, for example when traveling or in a restaurant.

3.6 Exceptions for Mobile/Tablets

  • If you are only using your personal device for the following purposes related to Hotjar (and not using it with any other Hotjar-related apps), you do not need to comply with the above mobile requirements:

  • Manage and generate your 2FA codes (i.e. Google Authenticator)
  • Spendesk
  • Zoom
  • PagerDuty
  • Bamboo

  • If you have a special circumstance that you believe might warrant an exception to any of the above requirements relating to mobile/tablets, or if you feel another app should be added to the exemption list, please send an email to security@hotjar.com.

3.7 Single-Purpose Devices

Approved single-purpose devices are permitted by Hotjar. We recognize the productivity value such devices offer for non-critical tasks such as note-taking, time-keeping, personal development, or annotation. "Single-purpose" means that the device has only one specific use, unlike an iPad or other tablets, which have many.

Such devices should not be considered as an alternative or replacement to a laptop, and can only access a limited number of pre-approved services. These devices are considered personal and not company-owned. As such, you must recognize that any and all data related to Hotjar is the property of Hotjar even if it resides on your device.

For security reasons, only the following devices are approved for use with Hotjar.

Some applications such as Google also provide us with additional policy enforcement capabilities that include providing Hotjar with the ability to remote wipe your device. These measures will only be undertaken by the company in instances such as lost or stolen devices, fraud or data protection measures/risk.

If you feel other single-purpose devices should be added to the approved list, then please follow the Request a New Tool, Application or Service.

3.8 Acceptable Use and User Responsibility of Single-Purpose Devices

  • All team members are expected to use good judgment when using these devices, ensuring the appropriate and available security controls are implemented where possible, e.g. passcodes, data syncing, screen lock.
  • You must protect your devices against loss, theft, and unauthorized access. Do not leave them unattended.
  • Using such devices to screen share (e.g. Zoom) is allowed.
  • Each team member should ensure the device is used only for non-critical tasks.
  • If there is no device encryption available, then the device is not allowed to connect or sync to Google Workspace services (Mail, Drive).
  • All Hotjar-related data will be removed when you are offboarded.
  • Report any lost, stolen, or damaged devices to security@hotjar.com.
