Acceptable Use Policy of Hotjar Systems & Hardware

1. Purpose

The purpose of this document is to specify and communicate the requirements for acceptable use of Hotjar's systems and hardware. Following this policy is a requirement for all Hotjar team members. Failing to comply with all or part of this policy can result in disciplinary actions up to and including termination.

Hotjar is committed to protecting the privacy of our team members and our customers. No portion of this policy is intended to encroach on their rights. Hotjar will always comply with applicable regulations in this regard.

This policy is structured in the following way:


2. Security Requirements for Laptops

2.1 Operating Systems for Hotjar Laptops

For security purposes, only the following operating systems are approved for use on Hotjar purchased laptops. Other operating systems, versions or a virtualization of a laptop operating system used to access Hotjar systems or services is not permitted, even when used as a "dumb terminal" with a remote connection to an approved OS.

  • Windows 10 Professional
  • Mac OS
  • Linux

2.2 Protection Against Malware

Malware (computer viruses, spyware and other forms of malicious code exploit) and vulnerabilities in software programs can cause loss and damage to information, software, and IT equipment. Hotjar requires the use of anti-Malware software on every computer. Our current standard per operating system is:

  • Windows 10 Professional - Windows Defender Security Center. You shouldn't have to do much other than make sure it's running and up to date.
  • Mac OS - Avast Free Mac Security. Make sure you untick all the boxes for the extra software and browser plugins so you don't install extra things. You shouldn't have to do much other than make sure it's running and up to date after that.
  • Linux -Download and install ClamTK, a GUI for ClamAV. There are pre-packaged versions for several distros. Make sure you setup "Update Assistant" for automatic updates. Then go into "Scheduler" and set up daily scans for a time when the computer is on, maybe consider lunch time. The interface is a bit clunky, and you might have to double click sections to open them. You should go into "History" and make sure your scans are up-to-date and threat free.

You must ensure that:

  • You have the software described above that is applicable to your computer. It needs to be installed and running in the configuration outlined.
  • You do not introduce a virus or malicious code onto your computer and other potential Hotjar systems, by downloading unauthorized or suspect software from the Internet or from computer media e.g. USB storage devices
  • All software and data which originates from outside Hotjar must be checked for viruses and malicious software prior to it being opened or used – if you need help email security@hotjar.com.
  • If you are suspicious of a virus or malicious code, you must stop using your computer immediately and notify security@hotjar.com.

2.3 Full Drive Encryption

To ensure the privacy of the data being stored on your local machine, we require that all hard drives are fully encrypted. Below are links for doing this within each operating system:

You must ensure that:

  • Your hard drive is encrypted at all times.
  • If for some reason you are unable to encrypt your hard drive due to a technical limitation or otherwise you must report the matter to security@hotjar.com.

2.4 Operating System Security Patching

Maintaining an operating system that is current with recent security patches is an essential part of keeping your computer safe from external threats.

Hotjar requires that your computer is regularly maintained with the latest security patches. Below are links for doing this within each operating system:

You must ensure that:

  • The operating system on your computer is running the latest critical security patches for your OS.
  • If for some reason you are unable to follow this policy you must immediately stop using your computer and report the matter to security@hotjar.com.

2.5 User Responsibilities of Computer Equipment

  • You must always take care of IT equipment allocated for your use, and treat it with respect as if it is your own.
  • All of the IT equipment and software that you have been assigned remains the property of Hotjar. All users have an obligation to ensure that this equipment is safeguarded and only used as intended by Hotjar.
  • You must protect your IT equipment against loss, theft and unauthorized access:
  • Always ensure that computer equipment is physically secure
  • Do not leave it unattended for example, when traveling or in a restaurant
  • Avoid keeping important files only on the computer to prevent them from being completely lost if a computer fails or is stolen.
  • Immediately report any lost or stolen equipment to security@hotjar.com.

Secure Disposal and Re-use of Equipment

All of Hotjar's information and software must be securely wiped from the computer or mobile equipment before disposal or re-use of the equipment. All equipment intended for disposal and re-use must be returned to Hotjar.

2.6 User Access Control for Laptop

  • Do not leave your computer unlocked when powered on. Normally the system or application will force a lockout after a predetermined period of time and you will be required to re-enter your password and UserID to regain access. The lockout can be facilitated manually.
  • Do not allow anyone else to use your UserID and password.
  • Do not allow anyone else to use your computer.
  • Do not use someone else’s User ID and password to access the network unless specifically authorized to do so via that person and having the login credentials shared with you via LastPass.
  • Your computer must be locked for access using a password that is at least 12 characters in length or via biometrics measures.
  • Use good judgment when using removable media or any USB device. This is a common way that trojans and other forms of malware are transferred. Never assume anything you plug into a USB port is safe/clean.
  • Be careful when connecting to new and unfamiliar wifi networks. Public and open wifi systems should all be considered to be compromised.

2.7 Internet Use

Accessing the internet for legitimate business purposes is regarded as acceptable use. In addition, you may occasionally access the internet for personal use, such as personal email, travel etc. You must use your proper judgment as to what constitutes occasional access, however, it must be based on minimal access to the websites and services necessary for daily life that in no way interfere with fulfilling your role within Hotjar.

Unacceptable Use

The following are deemed as unacceptable use, regardless of whether it is for business or personal reasons:

  • Any activity that may adversely impact or damage the reputation of Hotjar.
  • Downloads of material which infringes any copyright, trademark, patent, trade secret or other proprietary rights of a third-party. This includes unauthorized copying of copyright material, digitization, and distribution of copyright photographs, software.
  • Downloading of any unlicensed or ‘hacked’ illegal software.
  • Knowingly accessing or sending:
  • Material likely to encourage an illegal act
  • Information about, or software designed for, breaching security controls or creating computer viruses
  • Material that is obscene, sexually explicit, defamatory, incites or depicts violence, or describes techniques for criminal or terrorist acts (unless it is related to a customer support issue)
  • Material that is illegal under local or International law
  • Material that conflicts with Hotjar's Core Values of Respect
  • Excessive personal use of the internet.
  • Compromising security controls of Hotjar, it's customers, or any other person or organization.
  • Any activities that intentionally adversely affect the ability of others to use Hotjar services.
  • Making any statement on your own behalf or on behalf of Hotjar that may cause offense, libel or damage the reputation of others.

If in doubt about whether or not an activity is considered unacceptable then do not do it. If you require advice then please contact security@hotjar.com.

3. Security Requirements for Mobile Phones and Tablets

3.1 Usage

Use of a personal mobile phone or tablet is permissible by Hotjar Team Members. Hotjar recognizes that the mobile/tablet is your personal device. We do not furnish any mobile devices to team members because they are not required for the way we work. However, if you choose to use your device for work purposes to allow convenience or ease of use you must recognize that any and all data related to Hotjar is the property of Hotjar even if it resides on your device.

Because of this, we require certain security requirements for these devices that are detailed below. Some applications such as Google also provide us with additional policy enforcement capabilities that include providing Hotjar with the ability to remote wipe your device. These measures will only be undertaken by the company in instances such as lost or stolen devices, fraud or for data protection measures/risk.

3.2 Operating Systems for Mobile Phones and Tablets

For security purposes, only the following operating systems are approved for use on mobile phones that access Hotjar systems. Jailbroken or rooted devices are not permitted.

  • Android
  • iOS

To ensure the best security possible, we ask that you apply security updates to the operating system of your device when they become available from the manufacturer or service provider.

3.3 Full Drive Encryption

To ensure the privacy of the data being stored on your device, we require that it be encrypted. You will need to check the settings of your device to ensure that this is enabled. If it is not enabled you will be unable to access certain mobile applications due to admin related policy enforcement.

3.4 Passwords for Mobile Devices and Tablets

Due to the extremely portable nature of mobile devices and tablets, it is essential that all devices be secured with reasonable password measures as specified below.

  • Passwords must be at least 8 characters long
  • Pattern-based passwords are not permitted
  • Biometric Passwords (i.e. fingerprints and facial recognition are allowed)
  • Auto-lock of the device, prompting a password to be re-entered, after 1 minute of inactivity must be enabled.

3.5 User Responsibilities of Mobile Devices

  • Each Hotjar Team Member is permitted to use no more than two devices (a phone and a tablet) to access Hotjar systems.
  • Do not allow anyone else to use your device.
  • Immediately report any lost or stolen equipment to security@hotjar.com.
  • If you sell, damage beyond use, or replace your mobile device you must ensure it is reformatted and restored to default factory setting.
  • You must protect your devices against loss, theft and unauthorized access. Do not leave it unattended for example, when traveling or in a restaurant.

3.6 Exceptions for Mobile/Tablets

  • If you are only using your personal device for the following purposes related to Hotjar (and not using it with any other Hotjar related apps) you do not need to comply with the above related Mobile requirements:
  • Manage and generate your 2FA codes (i.e. Google Authenticator)
  • Expensify
  • Zoom
  • VictorOps
  • Bamboo
  • If you have a special circumstance that you believe might warrant an exception to any of the above requirements relating to mobile/tablets or if you feel another App should be added to the exemption list please send an email to security@hotjar.com.

4. Acceptable Use of Hotjar Systems and Data

4.1 System/Application Password Security

General

  • User Access to the systems is controlled by the use of UserIDs and passwords. Unless specifically stated, all UserIDs and passwords are unique to each individual and consequently, you will be accountable for all actions on systems that are linked to your login ID.
  • You are personally responsible for controlling access to your computer and therefore it is necessary that you strictly follow the measures stated below.

Passwords

In many cases, the system will enforce password length and quality. If this is not the case you must:

  • Change temporary passwords on first use.
  • Use LastPass to randomly generate and store your passwords.
  • Unless restricted by the system, a password should always adhere the following:
  • Minimum of 12 characters
  • Not a password you've used in the past or are currently using for another system
  • Must contain at least one upper case, lower case, number, and special character
  • When the system allows for it you must always enable two-factor authentication (2FA)

You must not:

  • Write down passwords, or disclose them via email. They should only be shared via LastPass.
  • Makeup passwords outside of LastPass. This includes using the save password function with web browsers.
  • Use Default passwords.

If you suspect that your password has been compromised, that password must be changed immediately. Immediately after changing the password that is suspected of being compromised, you must report the suspected compromise security@hotjar.com.

Google Sign In

Where applicable, Hotjar permits the option to log in to approved tools or services via Google Sign In. Tools or services that

You must not:

  • Log in to another individual's account, using the Google Sign In.
  • Log in to shared accounts or services, using the Google Sign In.

4.2 Email Use

All usage of Hotjar's email correspondence must be regarded as the property of Hotjar and must not be regarded as private. You should note that Hotjar's systems may be subject to monitoring and inappropriate use may result in further action, including disciplinary action up to and including dismissal. This policy applies when using Hotjar email on any network or device.

You must:

  • Obey the law and comply with relevant legislation. You are responsible for observing copyright, intellectual property rights and licensing agreements that may apply to information, documents and software.
  • Take care if emails are received from unknown and unexpected sources. Do not open suspicious emails and their attachments or web links, as these may contain malicious software.
  • When possible it's preferable to open and edit files completely through the Google Drive/Docs interface as this will prevent the infection of local machines
  • It is good practice to save attachments to the local desktop (or other relevant computer folders) before opening them so that they can be automatically checked for malicious software content.
  • If in doubt, either permanently delete suspect emails (delete them from the ‘deleted items’ folder too) or contact security@hotjar.com.
  • If appropriate, immediately share information about the threat with the team either through email or instant messaging.

You must not:

  • Use email for political purposes, personal advertising or anything that conflicts with Hotjar's Core Values.
  • Configure your email for automatic forwarding unless there is a justified business requirement, authorized by security@hotjar.com.
  • Use email to store or transmit:
  • Pornographic, obscene, offensive, racist, defamatory, harassing or intimidating material;
  • Unsolicited messages (known as spam), hoax and nuisance emails. If such emails are received, never reply to or forward them to other users.
  • Attempt to neither ‘spoof’ emails, transmit anonymous emails, nor change the origin or content of emails that have been sent or received.

4.3 Ownership of Information

You should be aware that:

  • All Hotjar information is ultimately the property of Hotjar and/or our customers, who have entrusted us to keep their data safe.
  • Hotjar may monitor, inspect, search and/or record any activities occurring on Hotjar resources without limitation. This includes electronic communications, without notice of any kind.
  • Team Members using Hotjar resources have no expectation of privacy except when using personal applications on their personal mobile devices.

4.4 Protection of Customer Information

The Data Protection Act (DPA) and the General Data Protection Regulation (GDPR) protects individuals from misuse of their personal data. They cover data held in both electronic and paper form. Compliance with Hotjar's Security policies, standards and procedures will ensure that the security of customer data is not compromised as a result of intentional or unintentional systems misuse.

Notes entered in Customer Relationship Management (CRM) systems and support ticket systems such as Intercom and Zendesk, are subject to these regulations, and our customers are entitled to see any call notes or other details we hold about any of the calls they have made to us. Therefore:

  • Comments and notes and other details, just like any other documents, could be disclosed in litigation. Unprofessional statements made about a colleague, customer, supplier or a third party, even those intended as a joke, can be viewed as harassment, libel or slander and could result in you, the Company or both being sued.
  • You must not use any terms that are defamatory; what may be intended as a joke or light-hearted comment could cause offense to others.
  • You must not use any information obtained from these systems for any purpose other than your legitimate work for the Company.
  • You must not copy any of the information in these systems for any purpose other than your legitimate work for the Company.

4.5 Storing Hotjar Work/Data

All team members will ensure that any data that they create or change on behalf of Hotjar is saved only on a device purchased by Hotjar and backed up only into one of our cloud services on a regular and recurring basis. Our standard service for this is Google Drive but there may be system specific services/requirements.Therefore you should ensure that:

  • You minimize storage of data solely to Hotjar owned/furnished devices and officially approved cloud services.
  • You regularly back up any data that exists on your Hotjar furnished computer to Google Drive or whatever system is appropriate for that data.
  • You never store any Hotjar data on an appliance or system that is not owned by Hotjar (e.g. your personal laptop, mobile phone, tablet, or a cloud service managed by Hotjar).
  • You never backup Hotjar data to an external storage device without approval from security@hotjar.com.

4.6 Reporting of Security Incidents

In order for Hotjar to manage and deal with security incidents successfully, they must be captured and logged. If you suspect or have knowledge of a security incident or a breach of Hotjar's security policy and standards, or a software malfunction, or a security weakness in any information system, you must report the concern immediately, to security@hotjar.com.

Examples of a security incident include:

  • Loss of equipment or sensitive data
  • Physical damage to IT equipment;
  • Compromise of sensitive documents and information;
  • Unauthorized use of another user’s profile (masquerading of user identity);
  • Divulging a password to another user without authority;
  • Improper use of email or the Internet, e.g. harassing emails, downloading or distribution of pornographic images;
  • Unauthorized copying of information;
  • Damage to property that could impact information security;
  • Access to premises without authority;
  • Theft of IT equipment.

If the security incident is an actual or suspected breach by a team member or third party, then the security incident must be immediately reported to security@hotjar.com, and as relevant, Human Resources.

In all cases, Hotjar's Security Officer is ultimately responsible for ensuring that the Security Incident is documented and shared with HR if pertinent.

5. Responsibilities

  • Team Leads are directly responsible for enforcing the policy and standards within their team, and for adherence by their team.
  • All Hotjar team members have a responsibility to adhere to the policy and standards regardless of their status.

Hotjar's Security Officer has direct responsibility for maintaining this policy and providing advice on implementation.