FunnelAnalytics – Data Security Statement
Last updated: 11/26/25
At FunnelAnalytics (operated by Firebrain, LLC), the security and privacy of your data and your visitors' data are our highest priority. Below is a transparent overview of the technical and organizational measures we implement to protect all data processed by our platform.
1. Data Hosting & Infrastructure
- All customer data, session recordings, and analytics are hosted on Amazon Web Services (AWS) in the United States (us-east-1 region).
- Data centers are SOC 2 Type II, ISO 27001, and PCI DSS Level 1 compliant.
- Data is encrypted at rest using AES-256 and in transit using TLS 1.3.
2. Access Control
- Strict role-based access control (RBAC); only a small number of authorized engineers can access production systems, and only when justified.
- All employee access is protected by multi-factor authentication (MFA) and monitored.
- Employees undergo background checks and annual security training.
3. Sensitive Data Masking (by default)
- Credit card fields, passwords, email fields (optional), and any custom-defined fields are automatically masked in session replays and heatmaps.
- Raw keystrokes in sensitive fields are never recorded or stored.
4. Network & Application Security
- Web Application Firewall (WAF) and DDoS protection via AWS Shield.
- Regular third-party penetration testing and vulnerability scanning.
- Automated security updates and patch management.
5. Encryption
- Full-disk encryption on all servers and databases.
- Customer-specific encryption keys for session replay storage.
- End-to-end encryption for data in transit between your website, our edge servers, and our processing pipeline.
6. Backups & Disaster Recovery
- Daily encrypted backups with 30-day retention.
- Backups stored in a separate AWS region.
- Tested business continuity and disaster recovery plan (RTO < 4 hours, RPO < 1 hour).
7. Incident Response
- 24/7 monitoring and alerting for security events.
- Documented incident response plan with mandatory breach notification if required by applicable law.
- To date, FunnelAnalytics has never experienced a data breach affecting customer or visitor data.
8. Compliance & Certifications
- CCPA/CPRA Service Provider commitments
- SOC 2 Type II report available under NDA to enterprise customers
- PCI DSS compliance (as a Level 4 merchant; payment data is never stored by us)
9. Your Responsibilities
While we secure our platform, you remain responsible for:
- Installing the tracking script only on websites you own or have explicit permission to track
- Providing proper notice and obtaining consent where required by law
- Configuring masking rules for any additional sensitive fields on your site
Firebrain, LLC
Email: hello@funnelanalytics.co
This statement is reviewed and updated at least annually or following any material change in our infrastructure or practices.