Security and Privacy


Security and privacy questions are often top of mind anytime information is shared with a third party. User data and other identifying information can be highly sensitive. Pendo hosts your application data in a secure multi-tenant environment, and is designed to give you full privacy control with your user data.

To work effectively, the only critical information that Pendo needs is a unique identifier for each user in your application. This does not have to include any personally identifiable information for the user or the account, merely a unique identification. As noted earlier, most Pendo users do end up passing additional information such as an email or account name which makes tracking easier, along with other demographic information to help build out segments, but this is not required.

The Pendo platform does not collect any user-entered text or information within form fields in your application. By default the names of fields, buttons, and other elements within the page are captured with the application data which makes for easier tracking, but no user-supplied information is included.


Note: While it is possible to disable all text capture within the API, this can potentially limit the use of historical data for Feature tagging.


Pendo’s application and data are hosted and stored in Google’s AppEngine where they share the same infrastructure as Google’s primary services. The AppEngine allows Pendo to operate in a robust, fully multi-tenant infrastructure with the same reliability, performance, and security characteristics as Google’s own offerings. Google AppEngine is SOC 2, SOC 3, ISO 27001, FISMA, and PCI compliant, and Google completes multiple independent security audits annually.

All of the application data collected by Pendo is transmitted over SSL, encrypted at rest, and stored for each customer using separate AppEngine namespaces to ensure that no data is co-mingled.

By default, access to Pendo Services requires an email address and password combination. Users may alternatively request Pendo disable password-based logins and require authentication via either (a) SAML based authentication (e.g., Okta, Azure AD, Duo), or (b) Google-based logins or if their Google email and Pendo login addresses match. Both (a) and (b) support two factor authentication via the chosen identify provider.

Pendo conducts independent 3rd-party security audits annually as well, and has passed stringent internal security audits from all companies when asked. On request, we can provide the results of our latest audit.


What Data Does Pendo Collect?


We allow our customers to pass us metadata for each visitor and account. Once these attributes are passed, they can be used to create segments for guide targeting, as well as general analysis. Common attributes customers can pass include: User Role, Price Plan, E-mail Address, Account Creation Date, etc.

It is important to note that these fields will reflect the most recent attribute passed to Pendo. For example, if a user’s role changes, it will reflect their most recent role passed to Pendo. More information on metadata.

Page Views

Pendo tracks page view events from end users. Upon page load, Pendo will collect the URL of the page, some browser information (such as language and browser version), and the title of the page.

Click and Focus Events

More information on what HTML attributes Pendo tracks within click and focus events can be found here.

Note: Click and Focus events are not collected for Pendo Vox customers.


Performance Impact

Pendo’s Javascript files are hosted and served on Amazon’s Cloudfront CDN utilizing state-of-the-art edge caching. The Javascript file is minified and compressed to approximately 100KB and loads asynchronously. Data is securely transmitted via SSL from each user’s browser to our server every two minutes and when a page is navigated away from. Data is compressed prior to sending and each transmission is less than 2KB.

The JavaScript code is hosted and deployed in Amazon’s Cloudfront Content Distribution Network (CDN), with an extremely broad network of servers and edge caching to ensure rapid loading times. Amazon service level agreements guarantee 99.9% uptime for the agent delivery.

Guides load with the Pendo agent. They will not be displayed until the current page is finished loading. The typical response time for guides is sub-second with 99% of guides delivered in less than half a second.


Content Security Policy (CSP)

If you or your users are running into an issue with your Content Security Policy (CSP), you may need to make an adjustment to allow our product. More information on CSP here.

Application API Key

The application key is included in the Pendo snippet installed in the header of the application. It can also be viewed within Subscription Settings in the Pendo subscription. The application API key maps the data the agent collects to the application in Pendo. It is not meant to be a secret key, and it does not provide read-access to data.

The application key is sometimes confused with an integration key, but they are not the same.  Integration keys are secret values with read and write access to Pendo subscription data via the V1 API. The integration keys are managed by admins for the Pendo subscription.