Privacy and security are fundamental components of Pendo’s software and services. This article covers what we do to ensure that our solutions don’t negatively impact the integrity of your data, your users, or your applications. For more information, see Data Privacy & Security at Pendo.
Pendo's privacy and security measures
We observe industry standards (SOC2, GDRP, HIPAA) to protect the security and privacy of your data. This section summarizes the privacy and security measures we take.
Vendor audit and approval process
User data and other identifying information can be highly sensitive, and so security and privacy are top concerns any time information is shared with a third party. Pendo implements a robust security and privacy program that carefully considers data protection across all services.
We perform an extensive compliance review and approval process before licensing or using third-party tools. We also conduct independent third-party security audits annually.
Hosting in a multi-tenant environment
Pendo hosts your application data in a secure multi-tenant environment, Google’s App Engine, sharing the same infrastructure as Google’s primary services. App Engine is a cloud computing service that hosts web applications in Google-managed data centers.
Applications developed, hosted, and stored in Google App Engine are sandboxed and run across multiple servers. This allows Pendo to operate in a robust, multi-tenant infrastructure with the same reliability, performance, and security characteristics as Google’s own offerings.
Data encryption
All data is encrypted using industry-accepted tools and best practices for data handling and security. All of the application data collected by Pendo is transmitted over Transport Layer Security (TLS) and encrypted at rest using AES-256.
Additionally, customer data is logically segregated to limit access to sensitive information. We store data for each customer using separate App Engine namespaces to ensure that no data is co-mingled.
Access and authentication
By default, access to Pendo services requires an email address and password combination. Users can alternatively request that Pendo disable password-based logins and require authentication with either:
- SAML-based authentication (such as Okta, Azure AD, or Duo).
- Google-based logins if their Google email and Pendo login addresses match.
Both options support two-factor authentication (2FA) with the chosen identity provider.
Pendo is designed to give you full privacy and security control over your user data. You have the ability to set granular access controls to grant and restrict capabilities based on specific roles and permissions. For more information, see Roles and Permissions in Adopt.
Security audits
Pendo completes an SOC2 Type 2 audit every year, covering all five Trust Service Principles.
Additionally, Google App Engine is SOC2, SOC3, ISO-27001, FISMA, and PCI compliant, and Google completes multiple independent security audits annually.
We’ve also passed stringent internal security audits from all clients when asked and we can provide the results of our latest audit on request.
General Data Protection Regulation (GDPR) compliance
By default, Pendo captures the IP address and geolocation information for the browser sending the page and event data. As part of our commitment to the General Data Protection Regulation (GDPR), this can be disabled.
Security and privacy of the Pendo Launcher
Pendo has historically been installed by inserting a JavaScript snippet (install script) into a company’s own web applications to help them improve the user experience with in-app guidance, analytics, and feedback tooling.
To install Pendo on third-party applications as part of Pendo Adopt, we developed the Pendo Launcher, which includes the Pendo agent within it. The Pendo Launcher is a browser extension that allows you to collect data and deliver in-app guidance to visitors of the third-party applications used by your company.
This section summarizes the additional privacy and security benefits of using the Pendo Launcher to install Adopt.
Privately publishing on browser web stores
Rather than loading the Pendo agent from the Content Delivery Network (CDN) provided by Amazon Web Services (AWS) CloudFront with an install script, the Pendo Launcher is privately published through the browser’s web application stores (such as Chrome and Edge).
To appear in these web stores, the Pendo launcher must be fully compliant with their privacy and security policies. Additionally, man-in-the-middle attacks and cross-site scripting are avoided because the Pendo Launcher must be deployed directly from the browser’s web store.
Because the Pendo Launcher must be deployed directly from the browser’s web store, certain permissions must be granted to the extension for Pendo to work properly. These are web browser requirements that can't be adjusted.
By default, the extension collects no data about visited webpages. It only collects data on web applications that have been configured within the application settings in Adopt. You can learn more about this process in the Deploying Adopt on your applications section below. Below is a list of permissions from each browser's web store.
Chrome and Edge
Read and change all your data on all websites
This permission allows Pendo to collect Page load and Feature click behavior on the application domains configured within your subscription and provides the in-app guidance you configure in Adopt.
Know your email address
This allows Pendo to identify your users based on their current browser session ID. This is an optional identification method. Pendo doesn't collect this information by default.
Firefox
For more information about the specific permission requests from Mozilla, see their article: Permission request messages for Firefox extensions.
Access browser tabs
This permission allows Pendo to collect data about Page load behavior on the application domains configured within your subscription.
Access browser activity during navigation
This permission allows Pendo to collect data about Page load behavior on the application domains configured within your subscription.
Access your data for all websites
This permission allows Pendo to collect the Feature click behavior on the application domains configured within your subscription and provides the in-app guidance you configure in Adopt.
Disabling code blocks
As part of its Manifest V3 (MV3) API for Chromium extensions, Google Chrome has mandated that “injection of remote code is not allowed”. For details, see Google's Overview of Manifest V3.
This standard has been accepted by most browser companies, including Microsoft (Edge) and Mozilla (Firefox). This prevents Pendo from running Javascript code that isn't bundled as part of the Pendo Launcher extension and reviewed by Google’s Web Store team. As a result, Pendo is unable to pass in code blocks that are defined separately from the extension itself. Thus, we've removed the ability to pass code blocks for extension applications.
Instead, we provide a robust UI to help you build impactful guides without the need for coding. The UI includes configuration, format, and styling options that you can use instead of writing code. For more information on guide format and style options, see Guide Themes.
Data collection in Pendo
Pendo requires a unique identifier for individual end-users (visitors), but you can also share additional user data with Pendo, and you can choose whether this includes personally identifiable information (PII). You can use this data in analysis and to target in-app guidance.
Personally identifiable information (PII)
PII isn’t required to take advantage of our products and features. The only information that Pendo needs is a unique identifier for each visitor. The Pendo platform also doesn't collect any user-entered text or information within form fields because this might contain PII. By default, the names of fields, buttons, and other elements are captured with the application data, which makes tracking easier, but no user-supplied information is included.
Metadata
Though not required, most Pendo customers do pass in additional information as metadata, such as Role, Title, or Start Date, along with other demographic information to help build segments.
In general, additional metadata enhances your ability to generate meaningful insights and target guides effectively, but might require you to make decisions around employee privacy. The right set of metadata for your organization is a decision to discuss with your business, IT, and security stakeholders.
Pendo supports data deletion requests, both for the data we control and the data we process.
Events
Event data collected using the Pendo Launcher is sent to Pendo's backend, and is then stored and processed in Google Cloud Platform (GCP). Pendo tracks the following user interactions:
- Page View Events. Page loads and URL changes. Upon the loading of a page, Pendo collects the URL, some browser information, such as language and browser version, and the title of the page (if enabled).
- Click Events. User interactions with buttons, links, and other clickable elements, providing insight into feature usage and what the end-user journey looks like
- Focus Events. Non-click user interactions, such as highlighting elements through tabbing, providing insight into how users engage with features.
EU and US data collection
You can deploy the Pendo Launcher differently for visitors in Adopt based on their location. For employers concerned with maintaining data within EU data centers, your Pendo subscription can be set within our EU instance. If this is the case, then you must configure the extension with an additional configuration key to indicate this state. This is set alongside the API Key and is set as “dataEnvironment”: “eu” within the deployment settings for a user.
Deploying Adopt on your applications
The Pendo Launcher – the browser extension that installs Adopt – collects data through Javascript code that runs inside the browser of your web applications. This makes it a powerful tool, as well as providing extra protections for end-user privacy on the internet.
The JavaScript code for Adopt only runs on webpages that have been configured by your Pendo administrators. We provide tools for admins to control which pages Adopt is running on, and ensure that end-users are aware of where and when Adopt is active on their browser. For more information, see Privacy center in this article.
An application in Pendo corresponds with a specific website, or sets of websites, that you plan to deploy Adopt on so that you can deliver guides and gather analytics on them. Pendo Administrators can configure Adopt to track your web applications by completing the Extension Application form in Adopt.
Navigate to Settings > Applications and select a specific Application from the list. From Application Settings, you can update the list of websites tracked by a particular Application with the domains for your web application. For example, your Salesforce application might be configured by including the example.force.lightning.com domain.
This filtering is specifically managed by an extension API, webNavigation. The extension uses an onCommitted hook to identify URL changes (webNavigation.onCommitted), and then passes the resulting url through an events.UrlFilter. This ensures that the extension only injects the Pendo agent onto pages that match the set of hostnames you provide.
Privacy center
On any page, the Pendo Launcher indicates whether it's active based on whether the extension icon is gray (inactive) or pink (active).
The Privacy Center provides general information about the Pendo Launcher, as well as information that's specific to your organization’s configuration, including a list of all applications that belong to the subscription. If any of the apps match the user’s currently viewed webpage, then that application is highlighted in the On This Page section.
Users with the Pendo Launcher installed can access the Privacy Center by right-clicking the extension icon in the browser toolbar and selecting Show Privacy Center.