User data and other identifying information can be highly sensitive, and so security and privacy are top concerns any time information is shared with a third party.
Pendo hosts your application data in a secure multi-tenant environment and is designed to give you full privacy control over your user data.
Pendo's data collection and security measures
The only critical information that Pendo needs is a unique identifier for each visitor in your application. This doesn't have to include any personally identifiable information for the user or the account. Though not required, most Pendo customers do pass additional information, such as an email or account name, which makes tracking easier, along with other demographic information to help build out segments.
The Pendo platform doesn't collect any user-entered text or information within form fields in your application. By default, the names of fields, buttons, and other elements are captured with the application data, which makes tracking easier, but no user-supplied information is included.
Pendo’s application and data are hosted and stored in Google’s AppEngine where they share the same infrastructure as Google’s primary services. The AppEngine allows Pendo to operate in a robust, fully multi-tenant infrastructure with the same reliability, performance, and security characteristics as Google’s own offerings. Google AppEngine is SOC 2, SOC 3, ISO 27001, FISMA, and PCI compliant, and Google completes multiple independent security audits annually.
All of the application data collected by Pendo is transmitted over TLS, encrypted at rest, and stored for each customer using separate AppEngine namespaces to ensure that no data is co-mingled.
By default, access to Pendo Services requires an email address and password combination. Users can alternatively request that Pendo disable password-based logins and require authentication with either:
- SAML-based authentication (such as Okta, Azure AD, or Duo).
- Google-based logins if their Google email and Pendo login addresses match.
Both options support two-factor authentication (2FA) with the chosen identity provider.
Pendo also conducts independent third-party security audits annually, and has passed stringent internal security audits from all companies when asked. On request, we can provide the results of our latest audit.
Data collected by Pendo
Metadata
We allow our customers to pass metadata to Pendo for each visitor and account. Once we have these attributes, they can be used to create segments for guide targeting, as well as general analysis. Common attributes customers pass to use include: User Role, Price Plan, E-mail Address, Account Creation Date, and so on.
These fields reflect the most recent attribute passed to Pendo. For example, if a user’s role changes, the attribute reflects the most recent role passed to Pendo. For more information, see Visitor and Account Metadata.
Page views
Pendo tracks page view events (page loads and URL changes) from visitors. Upon the loading of a page, Pendo collects the URL, some browser information, such as language and browser version, and the title of the page.
Click and focus events
To track Feature usage, Pendo tracks any time an element in your application is clicked (click events). Click events are used to track user interactions with buttons, links, and other clickable elements, providing insight into how users navigate through your application.
To track when visitors interact with a specific Feature in your application, Pendo tracks how users engage with particular elements in your application (focus events). Focus events can be used to track a wider range of non-click behaviors, such as hovering or tabbing through and highlighting elements on a page.
For more information about the HTML attributes that Pendo tracks within click events and focus events, see HTML attributes.
Performance Impact
Pendo’s Javascript files are hosted and served on Amazon’s Cloudfront CDN utilizing state-of-the-art edge caching. The Javascript file is minified and compressed to approximately 150KB and loads asynchronously. Data is securely transmitted through TLS from each visitor's browser to our server every two minutes and when the visitor navigates away from a page. Data is compressed prior to sending and each transmission is less than 2KB.
The JavaScript code is hosted and deployed in Amazon’s Cloudfront Content Distribution Network (CDN), with an extremely broad network of servers and edge caching to ensure rapid loading times. Amazon service level agreements guarantee 99.9% uptime for agent delivery.
Guides load with the Pendo agent. They aren't displayed until the current page is finished loading. The typical response time for guides is sub-second, with 99% of guides delivered in less than half a second.
Content Security Policy (CSP)
If you or your users are experiencing issues with your Content Security Policy (CSP), you might need to make an adjustment to allow our product. For more information, see the Content Security Policy (CSP) article.
Application API key
The application key is included in the Pendo install script, commonly referred to as "the snippet", installed in the header of the application. It can also be viewed in Subscription Settings in the Pendo subscription. The application API key maps the data that the agent collects to the application in Pendo. It isn't a secret key, and it doesn't provide read-access to data.
For more information about the Pendo install script, see the Developer's guide to installing Pendo.
The application key is sometimes confused with an integration key, but they aren't the same. Integration keys are secret values with read and write access to Pendo subscription data through the V1 API. Integration keys are managed by admins for the Pendo subscription.
For more information about integration keys, see the Pendo Integration Key article.