Privacy and security are fundamental components of Pendo’s software and services. This article covers what we do to ensure that our solutions don’t negatively impact the confidentiality, integrity, and availability of your data, your users, or your applications. It also summarizes additional actions you can take to ensure security and privacy, including JWT installation and configuring your Content Security Policy (CSP).
For information about data collection and compliance, including storage, availability, and performance, see Data collection and compliance.
The privacy and security measures outlined in this article apply to all Pendo customers, regardless of the implementation method you choose. If you’re implementing Pendo using the Pendo Launcher browser extension, we recommend that you also read the Pendo Launcher security and privacy article.
For more information about the privacy and security measures we take, see Data Privacy & Security at Pendo. If you have any security-related concerns or issues, contact security@pendo.io.
Hosting in a multi-tenant environment
Pendo hosts your application data in a secure multi-tenant environment using managed Google Cloud Platform (GCP) Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS). GCP’s services are SOC 2 Type II, ISO 27001, FedRAMP, and PCI compliant, and Google completes multiple independent security audits annually.
Additionally, Pendo takes advantage of Google’s highly available services to distribute running processes and data storage across multiple recovery zones and geographic regions.
Pendo security audits
Pendo completes an SOC2 Type II audit every year, covering all five Trust Service Principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy. To date, Pendo’s reports have been issued with no exceptions in related controls.
We also conduct independent third-party security audits annually and undergo third-party penetration testing twice per year. The results of these audits are available on our Trust Page site. We have also passed stringent internal security review audits from numerous large enterprise clients.
Vendor audit and approval process
End-user data and other identifying information can be highly sensitive, and so security and privacy are top concerns any time information is shared with a third party. Pendo strictly limits the vendors that our customers’ data is shared with, and we perform a compliance review before onboarding new vendors as well as annually thereafter. For a list of our current sub-processors, see Security at Pendo.
Data privacy
Because user data and other identifying information can be highly sensitive, we invest in data compliance and observe industry standards (SOC2, GDPR, HIPAA). For more information, see Data collection and compliance, which covers:
- How we deal with Personally Identifiable Information (PII) by default.
- The data we collect (event data and metadata).
- How data is transmitted, encrypted, and stored.
Access and authentication
By default, access to Pendo services requires an email address and password. Pendo users can alternatively request that Pendo disable password-based authentication and require authentication with either:
- SAML-based authentication (such as Okta, Azure AD, or Duo).
- Google-based logins if their Google email and Pendo login addresses match.
Both options support two-factor authentication (2FA) with the chosen identity provider (IdP).
Pendo is designed to give you full privacy and security control over end-user data. You have the ability to set granular access controls to grant and restrict capabilities based on specific roles and permissions. For more information, see Roles and permissions.
Other security and privacy configurations
Customers who implement Pendo using the install script can take additional measures to mitigate perceived security and privacy risks.
JSON Web Token (JWT) installation
Most Pendo customers implement Pendo using the install script without JWT. With a standard direct implementation of Pendo, Pendo exists on the frontend of your application. If you’re concerned that a bad actor could send fake metadata to Pendo, you can complete a JWT installation. This allows our backend to verify that the metadata sent by the install script hasn’t been tampered with.
This implementation method requires additional steps for activation, changes to the install script, backend development, and continuous rotation of tokens to function properly. For more information, see Installation using signed metadata with JWT.
Content Security Policy (CSP)
You might want to modify your CSP to further manage sensitive data and to prevent Cross Site Scripting (XSS) and data injection attacks. If you have a strict CSP, you might need to modify it to allow Pendo to run effectively. For more information, see Content Security Policy (CSP).
Allowlists by domain
If your visitors operate in a restricted network environment where access is limited to pre-approved domains through a firewall, VPN, or web filter, you might need to allow traffic explicitly to Pendo servers. For more information, see Hostname list for visitors in restricted network environments.