// Trust & Security Report

    Heap Inc. (Contentsquare Group) logo

    Heap Inc. (Contentsquare Group)

    Product analytics platform with automatic event capture, session replay, and AI-powered insights. Includes Sense AI chatbot, Heap Illuminate for behavioral analysis, Heap Connect for data warehouse integration, and Heap Activate for behavioral targeting.

    Certifications held

    8

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type I
    HELD

    Heap maintains SOC 2 facility hosting with strictly controlled access, professional security, and intrusion detection systems

    Verify on heap.io
    SOC 2 Type II
    HELD

    SOC 2 Type II report available through Trust Portal; Contentsquare (parent company) holds SOC 2 Type II compliance

    Verify on trust.contentsquare.com
    ISO 27001
    HELD

    Heap is ISO 27001 certified, confirming commitment to information security management

    Verify on heap.io
    ISO 27017
    HELD

    Heap is ISO 27017 certified for cloud security controls

    Verify on heap.io
    ISO 27018
    HELD

    Heap is ISO 27018 certified for cloud privacy protections

    Verify on heap.io
    ISO 27701
    HELD

    Heap is ISO 27701 certified for privacy information management

    Verify on heap.io
    ISO 9001:2015
    HELD

    Contentsquare holds ISO 9001:2015 quality management certification applicable to Heap services

    Verify on trust.contentsquare.com
    GDPR
    HELD

    Heap provides GDPR compliance capabilities through Data Processing Agreement (DPA) at contentsquare.com/privacy-center/data-processing-agreement/; supports Standard Contractual Clauses for EU/UK/Swiss data transfers via Data Privacy Framework

    Verify on heap.io
    > Show 3 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    Information under strict regulatory requirements (HIPAA) are not permitted to be collected by Heap. Heap explicitly states regulated data cannot be collected through the platform.

    source: heap.io
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP certification found on vendor domains

    source: heap.io
    PCI DSS
    NOT CONFIRMED

    PCI DSS data is explicitly not permitted to be collected through Heap. Platform prohibits collection of credit card and regulated financial data.

    source: heap.io

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Multiple regions available including US (us-east-1 default) and EU data center. Data transfers outside collection region to US permitted under Data Privacy Framework and Standard Contractual Clauses. Premier plan supports region-specific storage.

    Heap's AI Early Access Program terms indicate data may be used to improve services and products. The privacy policy does not explicitly address using visitor behavior data or customer data for training AI models beyond service improvement. Unclear if this includes LLM training.

    // Security controls

    Encryption in transit

    Encrypted data transfer supported; SOC 2 facility hosting with strictly controlled access

    heap.io

    Intrusion detection

    Professional security and intrusion detection systems in SOC 2 facility

    heap.io

    Access control

    Managed SCIM for enterprise access control; Audit logs available for all customers; SSO included at no additional cost

    heap.io

    Employee security training

    All staff undergo security training with continuous education on industry best practices

    heap.io

    Third-party audits

    Regular independent audits conducted to verify compliance and security posture

    heap.io

    Business continuity

    Business continuity and customer notification plans meeting financial services standards

    heap.io

    Infrastructure

    Custom-built infrastructure capable of ingesting hundreds of thousands of events per second with zero loss in performance; hosted in SOC 2 facility

    heap.io

    // Products & data scope

    Product AnalyticsCore Analytics

    data: Captures every user interaction on web and mobile platforms without manual event tracking; includes funnels, journey maps, retention analysis

    Available on all pricing tiers (Free, Growth, Pro, Premier). Includes Sense AI starting at Growth tier.

    Session ReplayQualitative Analytics

    data: Records and playback of user sessions with privacy-respecting masking options

    Add-on feature available on Pro and Premier tiers

    Sense AIAI-Powered Features

    data: AI chatbot and automated summaries powered by Claude; helps non-technical users get insights

    Included in Growth, Pro, and Premier tiers. Early Access Program terms apply.

    Heap IlluminateAdvanced Analytics

    data: Data science tool for identifying correlation between user behaviors and conversion/retention

    Available in Growth+ tiers

    Heap ConnectData Integration

    data: Syncs behavioral data to AWS-based data warehouse; integrates with S3

    Available as add-on on Pro; included in Premier plan

    Heap ActivateActivation

    data: Behavioral targeting and user segmentation for campaigns

    Available as add-on on Pro; included in Premier plan

    // What to watch

    • HIPAA over-claim risk: Healthcare landing page (heap.io/heap-for-healthcare) markets to healthcare organizations but platform explicitly does NOT support HIPAA-regulated data collection. Marketing content could mislead prospects about compliance capabilities.
    • Parent company consolidation: Heap was acquired by Contentsquare in 2023. SOC 2 and ISO certifications are held by parent company Contentsquare but explicitly apply to Heap services. Trust center and legal documents redirect to Contentsquare domain.
    • AI training clarity gap: Heap's AI Early Access Program and AI features (Sense AI powered by Claude) could benefit from explicit opt-out mechanisms and clearer data usage policies for customer/visitor behavioral data used to improve AI services.
    • Regulated data prohibition: Platform is not suitable for PCI, HIPAA, or other strictly-regulated data. Ensure customers understand this limitation before onboarding.

    // At a glance

    Pricing model

    Freemium: Free tier (up to 10k monthly sessions), Growth (unlimited sessions, requires upgrade after limit), Pro and Premier (custom session pricing)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Heap Inc. (Contentsquare Group)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    heap.io

    > Browse all vendor trust reports