1. Purpose

The purpose of this document is to specify and communicate the requirements for acceptable use of Hotjar's systems and hardware. Following this policy is a requirement for all Hotjar team members. Failing to comply with all or part of this policy can result in disciplinary actions up to and including termination.

Hotjar is committed to protecting the privacy of our team members and our customers. No portion of this policy is intended to encroach on their rights. Hotjar will always comply with applicable regulations in this regard.

This policy is structured in the following way:


2. Security Requirements for Laptops

2.1 Operating Systems for Hotjar Laptops

For security purposes, only the following operating systems are approved for use on Hotjar-purchased laptops. Other operating systems or versions, or a virtualization of a laptop operating system, used to access Hotjar systems or services are not permitted, even when used as a "dumb terminal" with a remote connection to an approved OS.

2.2 Protection Against Malware

Malware (computer viruses, spyware and other forms of malicious code) and vulnerabilities in software programs can cause loss and damage to information, software, and IT equipment. Hotjar requires the use of anti-malware software on every computer. Our current standard per operating system is:

You must ensure that:

2.3 Full Drive Encryption

To ensure the privacy of the data being stored on your local machine, we require that all hard drives are fully encrypted. Below are links for doing this within each operating system:

You must ensure that:

2.4 Operating System Security Patching

Maintaining an operating system that is current with recent security patches is an essential part of keeping your computer safe from external threats.

Hotjar requires that your computer is regularly maintained with the latest security patches. Below are links for doing this within each operating system:

You must ensure that:

2.5 User Responsibilities of Computer Equipment

Secure Disposal and Re-use of Equipment

All of Hotjar's information and software must be securely wiped from the computer or mobile equipment before disposal or re-use of the equipment. All equipment intended for disposal and re-use must be returned to Hotjar.

2.6 User Access Control for Laptop

2.7 Internet Use

Accessing the internet for legitimate business purposes is regarded as acceptable use. In addition, you may occasionally access the internet for personal use, such as personal email, travel, etc. You must use your judgment as to what constitutes occasional access; however, it must be based on minimal access to the websites and services necessary for daily life that in no way interfere with fulfilling your role within Hotjar.

Unacceptable Use

The following are deemed as unacceptable use, regardless of whether it is for business or personal reasons:

If in doubt about whether or not an activity is considered unacceptable, do not do it. If you require advice, please contact security@hotjar.com.

2.8 Mobile Device Management

Hotjar has implemented a Mobile Device Management solution to help support our team with the endpoint security settings outlined in this policy. Please ensure that:

3. Security Requirements for Mobile Phones, Tablets and Single-Purpose Devices

3.1 Usage

Use of a personal mobile phone or tablet by Hotjar team members is permissible. Hotjar recognizes that the mobile/tablet is your personal device. We do not furnish any mobile devices to team members because they are not required for the way we work. However, if you choose to use your device for work purposes for convenience or ease of use, you must recognize that any and all data related to Hotjar is the property of Hotjar even if it resides on your device.

Because of this, we impose certain security requirements for these devices, which are detailed below. Some applications such as Google also provide us with additional policy enforcement capabilities that include providing Hotjar with the ability to remote wipe your device. These measures will only be undertaken by the company in instances such as lost or stolen devices, fraud or for data protection measures/risk.

3.2 Operating Systems for Mobile Phones, Tablets and Single-Purpose Devices

For security purposes, only the following operating systems are approved for use on mobile phones that access Hotjar systems. Jailbroken or rooted devices are not permitted.

To ensure the best security possible, we ask that you apply security updates to the operating system of your device when they become available from the manufacturer or service provider.

3.3 Full Drive Encryption

To ensure the privacy of the data being stored on your device, we require that it be encrypted. You will need to check the settings of your device to ensure that this is enabled. If it is not enabled, you will be unable to access certain mobile applications due to admin-related policy enforcement.

3.4 Passwords for Mobile Devices and Tablets

Due to the extremely portable nature of mobile devices and tablets, it is essential that all devices be secured with reasonable password measures as specified below.

3.5 User Responsibilities of Mobile Devices

3.6 Exceptions for Mobile/Tablets

3.7 Single-Purpose Devices

Approved single-purpose devices are permitted by Hotjar. We recognize the productivity value such devices offer for non-critical tasks such as note-taking, time-keeping, personal development, or annotation. "Single-purpose" refers to a device that has only one specific use, unlike an iPad or other tablets, which have many.

Such devices should not be considered an alternative to or replacement for a laptop, and can only access a limited number of pre-approved services. These devices are considered personal and not company-owned; as such, you must recognize that any and all data related to Hotjar is the property of Hotjar even if it resides on your device.

For security reasons, only the following devices are approved for use with Hotjar.

Some applications such as Google also provide us with additional policy enforcement capabilities that include providing Hotjar with the ability to remote wipe your device. These measures will only be undertaken by the company in instances such as lost or stolen devices, fraud or data protection measures/risk.

If you feel other single-purpose devices should be added to the approved list, please follow the Request a New Tool, Application or Service process.

3.8 Acceptable Use and User Responsibility of Single-Purpose Devices

4. Acceptable Use of Hotjar Systems and Data

4.1 System/Application Password Security

General

Passwords

In many cases, the system will enforce password length and quality. If this is not the case you must:

You must not:

If you suspect that your password has been compromised, that password must be changed immediately. Immediately after changing the password that is suspected of being compromised, you must report the suspected compromise to security@hotjar.com.

4.2 Ownership of Information

You should be aware that:

4.3 Protection of Customer Information

The Data Protection Act (DPA) and the General Data Protection Regulation (GDPR) protect individuals from the misuse of their personal data. They cover data held in both electronic and paper forms. Compliance with Hotjar's Security policies, standards, and procedures will ensure that the security of customer data is not compromised as a result of intentional or unintentional systems misuse.

Notes entered in Customer Relationship Management (CRM) systems and support ticket systems, such as Intercom and Zendesk, are subject to these regulations, and our customers are entitled to see any call notes or other details we hold about any of the calls they have made to us. Therefore:

4.4 Storing Hotjar Work/Data

All team members will ensure that any data that they create or change on behalf of Hotjar is saved only on a device purchased by Hotjar and backed up only into one of our cloud services on a regular and recurring basis. Our standard service for this is Google Drive but there may be system-specific services/requirements. Therefore you should ensure that:

4.5 Reporting of Security Incidents

In order for Hotjar to manage and deal with security incidents successfully, they must be captured and logged. If you suspect or have knowledge of a security incident, a breach of Hotjar's security policy and standards, a software malfunction, or a security weakness in any information system, you must report the concern immediately to security@hotjar.com.

Examples of a security incident include:

If the security incident is an actual or suspected breach by a team member or third party, then the security incident must be immediately reported to security@hotjar.com and, as relevant, People Operations.

In all cases, Hotjar's Security Officer is ultimately responsible for ensuring that the security incident is documented and shared with PeopleOps.

4.6 Google Sign In

Where applicable, Hotjar permits the option to log in to approved tools or services via Google Sign In.

You must not:

5. Responsibilities