VWO Data Protection and Security Measures

To ensure that customer data is safe and always protected on VWO servers, we implement stringent security measures and access policies, including data encryption, restrictions on unauthorized access, and anonymization options:

  • Pseudonymization: Pseudonymization protects your data by replacing personally identifiable information fields with one or more artificial identifiers, or pseudonyms. For example, the name ‘Clyde’ can be stored under a pseudonym like ‘qOerd’. The visitor UUID is stored only after pseudonymization using a one-way hash.
  • Anonymization: Anonymization conceals the identity of individuals and data identifiers of any nature, and can apply to information such as name, email address, passwords, etc. For example, the last octet of IP addresses stored on VWO servers is anonymized by default. We also allow users to select and apply different anonymization formats.
  • Application Security: The VWO development team is trained on OWASP Secure Coding Practices and uses the best industry practices for building secure applications.
  • Code Repository: VWO code is stored in a code repository system hosted by our cloud data centre provider, IBM SoftLayer.
  • Code Reviews: We have strict policies and least access privileges to the code on our data centers. All commits, fixes, and updates to production code are strictly reviewed and approved by the Head of Engineering and Lead Engineers, only after they pass Unit Testing and QA in local and test environments.
  • Access Privileges: Data stored on production servers is accessible only to the Head of Engineering and Lead Engineers. No other member of VWO has access to customer data unless specific access permission is granted by the Chief Executive Officer and Head of Engineering for resolving a technical issue or for debugging purposes.
  • Data Backup: VWO takes an hourly backup of the database at our cloud data centres.
  • Encryption: All data flowing into VWO servers from recordings, survey responses, or custom dimensions is encrypted using the industry-standard AES-256 encryption algorithm.
  • Secure Connections: VWO is connected to the web via HTTP or HTTPS protocols using Secure Sockets Layer (SSL), a cryptographic protocol designed to protect against eavesdropping, tampering, and message forgery. The VWO application provides an option to enforce HTTPS-based usage.
  • Application Access Policy
    • To ensure appropriate access rights, we adopt a role-based, least-access-privilege policy when creating accounts, adding users, or giving access rights.
    • You can restrict specific IP addresses from accessing a VWO account.
    • Email alerts and notifications can be configured to be sent for every activity taking place in a customer’s account.
    • Users can sign out from all their logged-in sessions.
    • Users can be disabled or deleted at any time.
    • Users are logged out automatically if they change their password or if they are disabled or deleted.
  • Operational Security
    • All VWO employees must undergo mandatory training on data protection and security.
    • VWO is committed to implementing industry best practices and security standards across policies, procedures, technology, and people on an ongoing basis.
    • VWO is certified to the ISO 27001:2013 (ISMS) and BS 10012:2017 (PIMS) standards.
  • Multi-Tenancy: All VWO customer data is hosted in our cloud data centres and is segregated logically by the VWO application.
  • Network Security: VWO is hosted on secure servers managed by IBM SoftLayer. Physical access to the IBM SoftLayer data centres is restricted for everyone. Firewalls are configured using industry best practices and all unnecessary ports are blocked. Internally, VWO uses VLANs for private networking so that data flows are kept off public networks.
  • Product Security and Privacy: VWO has introduced different setting configurations to make sure that personal data is anonymized before it is stored on VWO servers. All data passing through VWO servers is encrypted or hidden to ensure visitor privacy. To learn about the different privacy settings and how to configure data security, click here.
  • Data Breach Response: In the event of a breach in data security, VWO will promptly notify you within forty-eight (48) hours after the breach is detected. We have incident management policies and procedures to handle any such events or emergencies.
  • Disaster Recovery: VWO is hosted on Bare Metal Servers managed by IBM SoftLayer, an SSAE16 certified data centre located in Singapore. Configuration data is distributed via a wide Content Delivery Network (CDN) and servers hosted in 10 locations in 8 countries. VWO does not store any customer data locally. For added security, customers can self-host their VWO test configurations and files on their local servers.
  • Session Management: Every time a VWO user logs in to the account, the system assigns a new session identifier to the user. The session identifier is a 64-byte randomly generated value, which protects the account against brute force attacks. All sessions time out after 7 days, requiring users to log in to their account again, and currently active sessions are set to time out after 4 hours of inactivity. For optimal performance, you can configure all sessions to terminate after 15 minutes of inactivity.
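
The session policy in the Session Management and Application Access Policy items, sketched as an added example; it is not VWO's code. The class, method names and in-memory store are hypothetical, and the clock is injectable so the timeouts can be exercised without waiting.

```python
import secrets
import time

SESSION_ID_BYTES = 64               # identifier size stated on the page
ABSOLUTE_TIMEOUT = 7 * 24 * 3600    # every session ends 7 days after login
IDLE_TIMEOUT = 4 * 3600             # default inactivity limit (4 hours)


class SessionStore:
    """Hypothetical in-memory store; names are illustrative, not VWO's."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._sessions = {}  # session id -> {"user", "created", "last_seen"}

    def login(self, user):
        # A fresh CSPRNG identifier on every login, never a reused one.
        sid = secrets.token_hex(SESSION_ID_BYTES)
        now = self.clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def validate(self, sid):
        """Return the user for a live session, else None (and drop it)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        expired = (now - s["created"] >= ABSOLUTE_TIMEOUT
                   or now - s["last_seen"] >= self.idle_timeout)
        if expired:
            del self._sessions[sid]
            return None
        s["last_seen"] = now  # activity resets only the idle timer
        return s["user"]

    def revoke_user(self, user):
        """Sign out everywhere: password change, disable or delete."""
        stale = [k for k, v in self._sessions.items() if v["user"] == user]
        for k in stale:
            del self._sessions[k]
        return len(stale)
```

Passing `idle_timeout=15 * 60` models the optional 15-minute setting; the 7-day limit still applies regardless of activity.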
