Heap Trust Center

Over 10,000 businesses trust Heap to power their analytics. Maintaining that trust is our paramount concern.

This page gives you access to relevant information regarding our approach to privacy, security, and compliance.

Download Heap's SOC Reports

Heap utilizes enterprise-grade best practices to protect our customers’ data, and works with independent experts to verify its security, privacy, and compliance controls, and has achieved SOC 2 Type 2 report against stringent standards.

Trust Center Information

Heap is the future of digital insights. Heap’s low-code, easy-to-use digital analytics software illuminates key digital behaviors and pinpoints valuable quantitative and qualitative insights so teams can quickly act with confidence and create the best possible digital experiences for their end-users.

Heap takes our customers’ security and privacy concerns seriously ~ making it our priority.   We apply administrative, operational, and technical security controls to help ensure that our customer data is handled and processed in a responsible and secure manner.  

The Basics

At Heap we know the value of fast insights, so let’s break down the basic facts first:

  • Our system is hosted on AWS in Region `us-east-1` (N. Virginia, USA).

  • Heap keeps a very short list of carefully vetted production vendors and signs DPAs with all of them. You can find a list of our sub-processors here. 

  • Heap conducts regular independent audits for SOC2 (annually), penetration-testing (annually), and HIPAA (every 2 years).

  • Heap observes the requirements of applicable data privacy law, including lawful international data transfers.

  • All your data is encrypted-at-rest and protected in-transit with TLS 1.2.

  • The production environment employs firewalls, immutable infrastructure, dockerized workloads, and an integrated Intrusion Detection System / SIEM.

  • All employees receive regular security training, and all workstations are provisioned with endpoint protection pre-installed.

More details on all these topics can be found below.

Compliance and Independent Audit

Heap has a dedicated compliance team and an in-house Data Protection Officer to ensure the continuous quality of our security and privacy processes, governing the processing of your data.

SOC2 Type II

Heap holds a SOC2 Type II attestation that is tested by Qualified Security Assessors covering the trust principles of Security, Availability, Confidentiality, Privacy and Processing Integrity by a reputable firm on an annual basis.  We also conduct independent white-box and black-box penetration testing.

If you would like an overview of our processes, you can request a copy of our SOC3 report. If you would like to see more details about our controls and processes, you can also request our SOC2 Type II report from support@heap.io or through your account manager. 


Although Heap itself is not subject to HIPAA, we recognize that some of our customers may be Covered Entities or Business Associates with obligations under HIPAA. To ensure those customers can be confident using Heap, we perform a HIPAA audit every two years.

Personal Data and Ownership

Privacy is a broad and complex topic regulated by various, intersecting legal schemas. As a data analytics tool, Heap is designed to allow our customers to view aggregate trends across their user base. In other words, personal data is not required for Heap to operate effectively. That said, many of our customers elect to share metadata with us, which is in itself identifiable or when combined with other data elements becomes personally identifiable. As a result, Heap has designed our privacy and security controls to provide adequate protection for this kind of data.

What Personal Data might get captured through the Heap Services?

You and your business team are responsible for your configuration of Heap, in alignment with your internal business practices. You are the owner of any information shared with us.Our product is designed to leave you in control of the decisions about sharing personal data with Heap.

  • Email Addresses

Heap does not automatically capture email addresses or other unique identifiers from your system, unless you explicitly configure it to do so.

  • IP Addresses

Heap does capture IP addresses by default, but this can be turned off by configuration.

Shared-responsibility Model

Under the shared-responsibility model between Heap as Data Processor and your company as Data Controller:

Heap Responsibilities:

  • Implementing a security program designed to protect your information while it is in our possession.

  • Conducting diligence on our sub-processors to ensure their data protection practices align with the commitments we make to our customers.

  • Implementing logical separation designed to keep each customer’s data segregated and prevent commingling of personal data.

  • Providing processes to respond to valid data subject requests, including tools and APIs as available.

  • Committing not to sell or distribute your data to third parties other than authorized sub-processors or integration partners you configure.

Customer Responsibilities:

  • Determining what data you will use Heap services to collect, including if you will collect any personal data.

  • Conducting due diligence on Heap, including determining if our products can meet any unique data privacy requirements you have.

  • Securing your access credentials and ensuring Heap is used in accordance with your approved business and privacy practices.

  • Receiving requests from data subjects, confirming their identity and passing requests to Heap, as needed.

  • Review the list of sub-processors and any integration partners applicable to your business’ use case.

Heap provides tools and documentation to support your business in meeting applicable privacy requirements. While Heap cannot make a determination on your behalf regarding compliance with data privacy laws, you can review our available privacy features and resources here.

Security Philosophy:


Heap uses the National Institute of Standards and Technology (NIST) and Center for Internet Security (CIS) hardening standards as the basis for our  configuration standards. 

Physical Security

Heap operates a purely cloud-based production environment in an AWS operated US-based data center. AWS’s environment is covered by a SOC2 Type II report and ISO-27001 certification.

System and Network Security

Our production software runs as containerized workloads on top of immutable infrastructure servers that are regularly refreshed to apply the latest security patches. Heap ensures applications are not susceptible to vulnerabilities by executing code reviews and performing vulnerability scans, and web application penetration testing.

All operational interfaces for Heap employees are secured through a BeyondCorp architecture authenticated through SSO using passwords and MFA tokens.

Heap’s production environment is monitored by AWS security tools and a dedicated IDS/SIEM system, which actively scans for intrusion and exfiltration attempts and alerts dedicated on-call staff 24x7 if needed.

All data is encrypted in-transit using TLS1.2 and at-rest in our production environment using AWS KMS keys. All production and customer secrets are stored and encrypted in a dedicated Vault system.

Human Security & Device Management

Heap maintains policies that describe requirements for hiring, termination, and other employee-related guidelines, which include performing background checks on all new employees.

To ensure that employees are aware of their privacy and security responsibilities, Heap has implemented Security awareness training that all employees complete upon hire and annually thereafter.

All employee computers are managed and monitored by our IT team to ensure they have the latest O.S., firewalls, encrypted disks and anti-virus enabled. 

Employee Access

We use various logical access control systems, including AWS IAM, to enforce logical access restrictions. Before logical access is granted to new employee users, access is formally requested. Once user access has been approved, users are assigned unique IDs that are provisioned with least privilege access. Users have only the access that their specific job responsibilities require. The organization enforces MFA for all users, and requires MFA to be enabled for remote access to systems.

Application Development

Development is performed on local computers during which engineers check outcode and then issue a pull request (PR) for code to be reviewed by another team member. The testing environment is physically and logically separated from development and production environments.

To further secure the development process, we restrict access to source code, implement version controls and execute code review and testing. We also perform code reviews, vulnerability scans and applicable penetration testing in an effort to prevent application vulnerabilities.

Data Redundancy & Recovery

Heap’s system architecture has multiple redundancies to protect against accidental data loss, including replayable redundant capture audit-trails, replicated processing queues, and a cell-based redundant relational data-store with duplicate copies of all data and continuous delta backups. We perform weekly routine data restorations for failed database servers without impacting our customers.

Heap also maintains business continuity plans to restore operations and ensure availability of information following interruption to, or failure of, critical business processes. The plans are updated and tested yearly.

Incident Management

Heap implements a formal incident response process for identifying, reporting, containing, and eradicating incidents and breaches. Real security events are analyzed and lessons learned are used to perform training for all employees with incident management responsibilities. Heap also provides communication channels for customers and personnel to report suspected breaches. You can report any security incident at security@heap.io.

All of our subprocessors are listed here.

You can read our privacy policy here.

Our current status is always available here.

Heap is committed to complying with all U.S. export laws and regulations and foreign law, where applicable.  Heap develops and implements policies and procedures to ensure compliance with applicable export laws and regulations.  

As one of the leading providers of a digital experience software services platform, Heap is committing to provide access to its products in accordance with its export laws and regulations. It is the responsibility of all Heap employees to ensure that under no circumstance should a transaction occur contrary to this policy.  

Country Information 

Heap prohibits export to any destinations subject to U.S. embargoes or trade sanctions.  The following countries are subject to U.S. embargo or restricted trade sanctions: 

If you are unable to access Heap and feel that it is in error, please reach out to legal@heap.io.