Pendo is a custodian of your data. We allow you to view and process your data using our tools and software that you integrate with Pendo. To protect the integrity, security, and privacy of your data, we observe industry best practices and comply with multiple global privacy regulations, including but not limited to SOC2, GDPR, CCPA, and HIPAA.
Personally identifiable information (PII) in Pendo
Personally identifiable information (PII), or sensitive personal data, is any data that could be used to identify a specific individual, whether used alone or with other relevant data. PII includes email and mailing addresses, names, national ID numbers, credit card information, financial information, medical records and so on.
We don’t sell or distribute PII or customer data, and we give you full privacy control of your end-user data. You control your data and you control who can see it. Sensitive personal data isn't required for Pendo functionality.
IDs and metadata
Many Pendo subscriptions pass additional metadata such as an email or account name in their instance of Pendo, along with other demographic information to help build out segments, but it isn't required. If you're uncomfortable sharing PII, Pendo only needs a unique identifier (ID) for each user in your application to work effectively. This doesn't require any PII for the visitor or the account. It can be a randomly generated value that is anonymous to Pendo.
By default, the names of fields, buttons, and other elements within a page in your application are captured with the application data, which makes for easier tracking, but no user-supplied information is included. These page elements can include PII displayed in your application UI. It's possible to turn off text capture within the API, but this can limit the analysis that can be performed with your application data.
Pendo doesn't collect any user-entered text or information within form fields in your application unless you configure that data collection using Event properties.
By default, Pendo captures IP address and geolocation information from the browser that’s sending page and event data to Pendo. This can be turned off, but the information can be useful if you want to implement Pendo differently for visitors based on their location. For example, you might be concerned with maintaining data within EU data centers, in compliance with GDPR. In this case, your Pendo subscription can be set within our EU instance.
Data collected by Pendo
Pendo collects user interactions with your applications as raw “events”. Events have some default properties, including Visitor ID, which is a unique identifier for individual end-users (visitors). Pendo only requires a Visitor ID to collect event data, but you can also share additional user data with Pendo as metadata for use in analysis and to target in-app guidance.
You can choose whether this includes personally identifiable information (PII). For more information, see Data collection prevention strategies. Pendo also supports data deletion requests, both for the data we control and the data we process. For more information, see Data deletion and manipulation services.
Event data is sent to Pendo's backend, and is then stored and processed in Google Cloud Platform (GCP). Pendo tracks the following user interactions as events:
- Page View Events. These are page loads and URL changes. Upon the loading of a page, Pendo collects the URL, some browser information, such as language and browser version, and the title of the page (if enabled).
- Click Events. These are direct user interactions with buttons, links, and other clickable elements, providing insight into feature usage and what the end-user journey looks like
- Focus Events. These are non-click user interactions, such as highlighting elements through tabbing, providing insight into how users engage with features and navigate through your application.
For more information about the HTML attributes that Pendo tracks within Click Events and Focus Events, see HTML attributes in data collection.
We allow you to pass metadata to Pendo for each visitor and account. You can use these metadata fields to create segments for guide targeting and for general analysis.
Though not required, additional metadata enhances your ability to generate meaningful insights and to target guides effectively. The right set of metadata for your organization is a decision to discuss with your business, IT, and security stakeholders. Common examples of metadata that customers pass to us include: user role, price plan, e-mail address, and account creation date, and other demographic information.
Metadata fields reflect the most recent value passed to Pendo. For example, if a user’s role changes, the value reflects the most recent role passed to Pendo. For more information, see Configure visitor and account metadata.
Data risk management
This section summarizes how Pendo transmits and stores data so that your data is managed in a secure and efficient environment.
Privacy and confidentiality
To ensure privacy, Pendo prevents sensitive information from unauthorized access attempts by allowing you to set granular access controls based on specific roles and permissions and encrypting data to protect it. Application data collected by Pendo is transmitted over Transport Layer Security (TLS) and encrypted at rest using AES-256.
To ensure data remains trustworthy and accurate, Pendo hosts your application data in a secure multi-tenant environment where customer data is logically segregated to limit access to sensitive information.
To separate customer's data, we use:
- Google Cloud Datastore, which is a NoSQL database that separates subscriptions by namespace.
- Google Cloud Storage, which is an object store that separates subscriptions by buckets.
This allows Pendo to operate in a robust, multi-tenant infrastructure with the same reliability, performance, and security characteristics as Google's own offerings.
Availability and performance
Data is securely transmitted from each visitor's browser to our server through TLS. The frequency of transmission depends on how active the visitor. Data is sent as soon as enough data is cached to fill a network packet, or if the visitor navigates away from the page or is inactive for two minutes or more. Data is compressed prior to sending, and each transmission is less than 2 KB. When Pendo Session Replay is enabled, this transmission can be larger and can occur as often as every five seconds.
Depending on page elements and segmentation, a guide loads when the relevant page loads. Guides display depending on their activation type and the user's behavior on the page. The typical response time for guides is sub-second, with 99% of guides delivered in less than half a second.