Heap’s Commitment to Security
Heap takes security seriously. We invest in security technology and staff training, and back up those defenses with compliance certifications and white-hat penetration testing.

Privacy
Safeguard your customers' data with automatic PII detection, custom install configurations, and a Secure Delete User API. All data sent to Heap is encrypted in transit using TLS.

Encryption
Heap encrypts all data entering or leaving Heap infrastructure in transit with TLS/HTTPS. All of our databases (all hosted in AWS) are encrypted at rest. Each account's data is logically separated, and access to data is protected by authentication and authorization controls.

Compliance
Stay up-to-date with privacy legislation and policy compliance. Heap is both SOC 2 and GDPR compliant. Heap’s data infrastructure partners hold industry-leading security certifications such as SOC 2 and ISO 27001.
A comprehensive approach
We invest heavily in securing our infrastructure, and Heap is certified to the highest industry standards across the globe.

GDPR Compliance
Heap takes a proactive approach to privacy. In addition to internal policies, personnel training, a Secure User Deletion API, and GDPR-compliant data processing agreements, Heap has an on-staff Data Protection Officer. For more information on our GDPR processes, see our blog.

Security Monitoring
Security is our top priority. We commission biannual penetration tests from third-party auditors. We also run an Intrusion Detection System that continuously monitors our application servers and infrastructure. Additionally, we require security training and compliance of all employees. For more information about our security and compliance policies, contact dpo@heap.io.

Custom Configurations
Heap offers a number of custom configuration settings to avoid capturing PII. In addition to a built-in PII detector (which we actively monitor), Heap lets you disable all text capture and prevent data collection on any given page element.
A culture of security
Heap complements technical defenses with security awareness, comprehensive policies, and robust processes.
Data Protection Officer
Heap has an on-staff Data Protection Officer (DPO) to manage personnel security compliance and training. This DPO also oversees Heap’s proactive approach to privacy, security, and governance concerns and has both CIPP/E and CIPM certifications.
Policies and Procedures
Our policies ensure that we comply with applicable standards and regulations, and include business continuity and customer notification plans to satisfy your requirements.
Physical Security
Heap is hosted in a SOC 2 certified facility. Physical access is strictly controlled by professional security staff, a state-of-the-art intrusion detection system, and other electronic means. All staff must badge in, and all visitor access is monitored and recorded in auditable logs.
Personnel Security
All Heap employees undergo security awareness training and are kept up to date on information security via newsletters and relevant security notifications. Information security practices are reinforced through regular testing that simulates real attacks.