// Trust & Security Report
FullStory, Inc.
Behavioral analytics and digital experience intelligence platform. Products: FullStory Analytics (user behavior), Workforce (employee experience), Anywhere (data activation), StoryAI (AI insights), FullCapture (session replay), Guides & Surveys, FullStory MCP (AI integration)
Certifications held
9
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.fullstory.com“SOC 2 Type 2 Report evaluates controls against Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy, with testing of operational effectiveness over a 12-month period. Available under NDA for customers and prospective customers with executed MSA.”
Verify on trust.fullstory.com“SOC 3 Report is publicly available and provides independent auditor's opinion on control effectiveness.”
Verify on help.fullstory.com“ISO 27001:2022 Information Security Management System with 93 controls implemented.”
Verify on fullstory.com“ISO 27017:2015 Cloud Security guidelines. Provides information security controls applicable to cloud services.”
Verify on fullstory.com“ISO 27018:2019 Protection of PII in cloud environments. Compliance requirements based on GDPR, CPRA, POPIA, and LGPD regulations.”
Verify on help.fullstory.com“ISO 27701 Privacy Information Management System extension to ISO 27001, enhancing security system with dozens of privacy-specific controls.”
Verify on globenewswire.com“FullStory is the first in behavioral data analytics to achieve ISO/IEC 42001:2023 certification for Artificial Intelligence Management System with 38 controls. As stated: 'Fullstory Becomes First In Behavioral Data Analytics To Achieve ISO/IEC 42001 Certification'”
Verify on help.fullstory.com“FullStory complies with GDPR requirements and provides Data Processing Agreement (DPA) with Standard Contractual Clauses for lawful data transfers. DPA is required for customers with EU data subjects.”
Verify on fullstory.com“FullStory provides CCPA Addendum to help customers understand CCPA compliance impacts and requirements.”
> Show 3 unconfirmed / not-held certifications
source: help.fullstory.comFullStory offers Business Associate Agreement (BAA) but explicitly prohibits customers from sending sensitive health data. Policy states: 'prohibit Customers from sending us any sensitive data' including medical records, diagnostic data, and genetic information. PHI allowed is limited to non-sensitive identifiers (names, emails, IP addresses). BAA serves as protection in case of misconfiguration, not authorization for health data capture.
source: trust.fullstory.comNo public evidence of FedRAMP authorization found in official trust center or security documentation. One search result mentioned FedRAMP but official FullStory compliance pages do not list this certification.
source: trust.fullstory.comOne search result referenced CSA STAR Level 1 compliance but this is not confirmed in official FullStory trust center or comprehensive compliance documentation pages.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Data residency options: NA1 (North America, default, Google Cloud us-central1) and EU1 (European Union, available since August 2022, Google Cloud europe-west3). Customers can designate location at account creation.
FullStory may use aggregated and de-identified data for product improvement and analytics. The privacy policy states: 'We may use and share information in an aggregated or de-identified manner at our discretion, including for research, analysis, modeling, marketing, and improvement of our Services.' Explicit prohibition on selling customer data: 'does not sell the data of our Customers or their Users collected through the Services to third parties or otherwise share it with non-agent third parties.'
// Security controls
Data Processing Model
FullStory functions as a Data Processor; customers retain sole ownership and control of their data. Customers are Data Controllers and bear responsibility for proper configuration.
help.fullstory.comEncryption in Transit
Data transmitted via HTTPS/TLS (standard for web applications). Specific encryption standards documented in trust center.
trust.fullstory.comData Masking & Exclusion
Private by Default allowlist approach. Exclude (`.fs-exclude`) removes elements entirely. Mask (`.fs-mask`) replaces text with placeholder wireframe text. Unmask is default setting. Automatic exclusion of password inputs, payment card fields (`[autocomplete^=cc-]`), and hidden inputs.
help.fullstory.comAcceptable Use Policy
Prohibits collection of sensitive data including social security numbers, passwords, health information, payment card details. Violations are enforced through contractual terms.
help.fullstory.comData Retention
General rule: data retained only as long as needed to complete purpose or as required by law. Retention depends on relationship duration, transaction completion time, data sensitivity, consent specifics, and legal obligations.
fullstory.comInfrastructure & Hosting
Uses Google Cloud Platform for infrastructure. Multiple global regions for data residency. Data centers in US and EU available.
help.fullstory.comAdministrative Controls
Maintains appropriate administrative, physical, and technical safeguards per Data Processing Addendum. Capped liability for failures except in cases of gross negligence or fraud.
fullstory.com// Products & data scope
data: Customer website/app behavioral data. Captures user interactions, sessions, form submissions. Subject to data masking rules.
Core product for digital behavior capture. Features: FullCapture (complete session recording), Heatmaps, Funnels, Journey Maps, Sentiments, Rage Click detection.
data: Employee workflow and experience data from internal applications.
Parallel product targeting internal tool usage and employee experience optimization.
data: Customer-collected behavioral data for third-party integrations.
Enables sharing of insights and data with external platforms and tools.
data: Aggregated behavioral analytics for AI-driven recommendations.
Uses behavioral data to identify opportunities and provide recommendations. Powered by FullStory's AI capabilities.
data: Behavioral context for external AI tools and agents.
Model Context Protocol integration enabling real-time behavioral context to AI systems.
data: Product tours, contextual surveys, NPS feedback.
In-product guidance delivery and feedback collection.
// What to watch
- HIPAA status is complex: FullStory offers BAA but actively prohibits sensitive health data capture, limiting utility for HIPAA-regulated entities. This is a restriction, not a certification.
- FedRAMP compliance was mentioned in one general search result but is NOT listed in FullStory's official trust center or comprehensive compliance documentation. This claim could not be verified from vendor primary sources.
- CSA STAR Level 1 was mentioned in one search result but not confirmed in official trust center documentation.
- AI training practices could be more explicit: FullStory states they use aggregated/de-identified data for 'improvement' but does not provide granular opt-out options for AI/ML model training distinct from general product improvement.
// At a glance
Pricing model
SaaS subscription-based with tiered plans (Standard, Growth, Enterprise). Usage-based or contract pricing.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on FullStory, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.fullstory.com