Security and privacy questions are often top of mind anytime information is shared with a third party. User data and other identifying information can be highly sensitive. Pendo hosts your application data in a secure multi-tenant environment, and is designed to give you full privacy control with your user data.
To work effectively, the only critical information that Pendo needs is a unique identifier for each user in your application. This does not have to include any personally identifiable information for the user or the account, merely a unique identification. As noted earlier, most Pendo users do end up passing additional information such as an email or account name which makes tracking easier, along with other demographic information to help build out segments, but this is not required.
The Pendo platform does not collect any user-entered text or information within form fields in your application. By default the names of fields, buttons, and other elements within the page are captured with the application data which makes for easier tracking, but no user-supplied information is included.
Pendo’s application and data are hosted and stored in Google’s AppEngine where they share the same infrastructure as Google’s primary services. The AppEngine allows Pendo to operate in a robust, fully multi-tenant infrastructure with the same reliability, performance, and security characteristics as Google’s own offerings. Google AppEngine is SOC 2, SOC 3, ISO 27001, FISMA, and PCI compliant, and Google completes multiple independent security audits annually.
All of the application data collected by Pendo is transmitted over SSL, encrypted at rest, and stored for each customer using separate AppEngine namespaces to ensure that no data is co-mingled.
By default, access to Pendo Services requires an email address and password combination. Users may alternatively request Pendo disable password-based logins and require authentication via either (a) SAML based authentication (e.g., Okta, Azure AD, Duo), or (b) Google-based logins or if their Google email and Pendo login addresses match. Both (a) and (b) support two factor authentication via the chosen identify provider.
Pendo conducts independent 3rd-party security audits annually as well, and has passed stringent internal security audits from all companies when asked. On request, we can provide the results of our latest audit.
What Data Does Pendo Collect?
We allow our customers to pass us metadata for each visitor and account. Once these attributes are passed, they can be used to create segments for guide targeting, as well as general analysis. Common attributes customers can pass include: User Role, Price Plan, E-mail Address, Account Creation Date, etc.
It is important to note that these fields will reflect the most recent attribute passed to Pendo. For example, if a user’s role changes, it will reflect their most recent role passed to Pendo. More information on metadata.
Pendo tracks page view events from end users. Upon page load, Pendo will collect the URL of the page, some browser information (such as language and browser version), and the title of the page.
Click and Focus Events
Guides load with the Pendo agent. They will not be displayed until the current page is finished loading. The typical response time for guides is sub-second with 99% of guides delivered in less than half a second.
Content Security Policy (CSP)
If you or your users are running into an issue with your Content Security Policy (CSP), you may need to make an adjustment to allow our product. More information on CSP here.
Subscription API Key
The subscription key is included in the Pendo snippet installed in the header of the application. It can also be viewed within Subscription Settings in the Pendo subscription. The subscription API key maps the data the agent collects to the subscription in Pendo. It is not meant to be a secret key, and it does not provide read-access to data.
The subscription key is sometimes confused with an integration key, but they are not the same. Integration keys are secret values with read and write access to Pendo subscription data via the V1 API. The integration keys are managed by admins for the Pendo subscription.