This website works best with JavaScript enabled. Learn how to enable JavaScript.

VWO Data Protection and Security Measures

Last updated

To ensure that customer data is safe and always protected on VWO servers, we implement stringent security measures and access policies, including data encryption, unauthorized access restriction, and anonymization options:

  • Pseudonymization: Pseudonymization protects your data by replacing personally identifiable information fields by one or more artificial or pseudonyms. For example, the name “Clyde” can be stored under a pseudonym like “qOerd.” The visitor UUID is stored only after pseudonymization by using one-way hash.
  • Anonymization: Anonymization conceals the identity of individuals and data identifiers of any nature that can apply to information such as name, email address, passwords, and others. For example, the last octet of IP addresses stored on the VWO server is anonymized by default. Also, we allow users to select and apply different anonymization formats.
  • Application Security: The VWO development team is trained on OWASP Secure Coding Practices and uses the industry best practices for building secure applications.
  • Code Repository: VWO code is stored in a code repository system hosted by our cloud data centre provider, IBM Softlayer.
  • Code Reviews: We have strict policies and least access privileges to code on our data centers. All commits, fixes, and updates to production code are strictly reviewed and approved by the Head of Engineering and lead engineers, only after these pass Unit Testing and QA in local and test environments.
  • Access Privileges: The data stored on production servers is accessible only to the Head of Engineering and lead engineers. No other member of VWO has access to customer data, unless a specific access permission is granted by the Chief Executive Officer and Head of Engineering for resolving any technical issue or for debugging purposes.
  • Data Backup: VWO takes an hourly backup of the database at our cloud data centers.
  • Encryption: All data reaching VWO servers from recordings, survey responses, or the custom dimension is encrypted by using the industry standard AES-256 encryption algorithm.
  • Secure Connections: VWO is connected to the web through HTTP or HTTPS protocols by using Secure Sockets Layer (SSL), a cryptographic protocol designed to protect against eavesdropping, tampering, and message forgery. The VWO application provides the option to enforce HTTPS-based use.
  • Application Access Policy
    • To ensure appropriate access rights, we adopt the role-based and least access privileges policies while creating accounts, adding users, or giving access rights.
    • You can restrict specific IP Addresses from accessing a VWO account.
    • Email alerts and notifications can be configured to send every activity taking places in a customer’s account.
    • There are provisions for users to sign out from all of their signed-in sessions.
    • Disable or delete users at any time.
    • Auto logoff if a user changes the password or if the user profile is disabled or deleted.
  • Operational Security
    • All VWO employees must undergo mandatory training on data protection and security.
    • VWO is committed to implementing industry best practices and security standards across policies, procedure, technology, and people on an ongoing basis.
    • ISO 27001:2013 (ISMS) and BS 10012:2017 (PIMS) standards certified.
  • Multi-Tenancy: All VWO customer data is hosted on our cloud data centers and is segregated logically by the VWO application.
  • Network Security: VWO is hosted on secure servers managed by IBM Softlayer. Any physical access to the IBM SoftLayer data centers is restricted for everyone. Firewalls are configured by using industry best practices, and all unnecessary ports are blocked. Internally, VWO uses VLAN for private networking, so the data flow is secure from public networks.
  • Product Security and Privacy: VWO has introduced different setting configurations to make sure that personal data is anonymized before storing it on VWO servers. All data passing through VWO servers is encrypted or hidden to ensure visitor privacy. To learn about different privacy settings and how to configure data security, click here.
  • Data Breach Response: In the event of a breach in data security, VWO will promptly notify you within forty-eight hours after the breach is detected. We have incident management policies and procedures to handle any such events or emergencies.
  • Disaster Recovery: VWO is hosted on Bare Metal Servers managed by IBM SoftLayer, an SSAE16-certified data center located in Singapore. Configuration data is distributed through a wide network of Content Delivery Network (CDN) and servers hosted at 10 locations in 8 countries. VWO does not store any customer data locally. For added security, customers can self-host their VWO test configurations and files on their local servers.
  • Session Management: Every time a VWO user signs in to the VWO account, the system assigns a new session identifier for the user. The session identifier is a 64-byte random generated value to protect the account against brute force attacks. All sessions time out after 7 days, requiring the users to sign in to their account again, and the currently active sessions are set to time out after 4 hours of inactivity. For optimal performance, you can configure to terminate all sessions after 15 minutes of inactivity.

Was this article helpful?

Thanks for your feedback!
Please email us at to tell us what you were looking for. We'll send the answer to your inbox.

Contact Us / Login