// Trust & Security Report
Heap Inc. (Contentsquare Group)
Product analytics platform with automatic event capture, session replay, and AI-powered insights. Includes Sense AI chatbot, Heap Illuminate for behavioral analysis, Heap Connect for data warehouse integration, and Heap Activate for behavioral targeting.
Certifications held
8
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on heap.io“Heap maintains SOC 2 facility hosting with strictly controlled access, professional security, and intrusion detection systems”
Verify on trust.contentsquare.com“SOC 2 Type II report available through Trust Portal; Contentsquare (parent company) holds SOC 2 Type II compliance”
Verify on heap.io“Heap is ISO 27001 certified, confirming commitment to information security management”
Verify on trust.contentsquare.com“Contentsquare holds ISO 9001:2015 quality management certification applicable to Heap services”
Verify on heap.io“Heap provides GDPR compliance capabilities through Data Processing Agreement (DPA) at contentsquare.com/privacy-center/data-processing-agreement/; supports Standard Contractual Clauses for EU/UK/Swiss data transfers via Data Privacy Framework”
> Show 3 unconfirmed / not-held certifications
source: heap.ioInformation under strict regulatory requirements (HIPAA) are not permitted to be collected by Heap. Heap explicitly states regulated data cannot be collected through the platform.
source: heap.ioNo public evidence of FedRAMP certification found on vendor domains
source: heap.ioPCI DSS data is explicitly not permitted to be collected through Heap. Platform prohibits collection of credit card and regulated financial data.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Multiple regions available including US (us-east-1 default) and EU data center. Data transfers outside collection region to US permitted under Data Privacy Framework and Standard Contractual Clauses. Premier plan supports region-specific storage.
Heap's AI Early Access Program terms indicate data may be used to improve services and products. The privacy policy does not explicitly address using visitor behavior data or customer data for training AI models beyond service improvement. Unclear if this includes LLM training.
// Security controls
Encryption in transit
Encrypted data transfer supported; SOC 2 facility hosting with strictly controlled access
heap.ioAccess control
Managed SCIM for enterprise access control; Audit logs available for all customers; SSO included at no additional cost
heap.ioEmployee security training
All staff undergo security training with continuous education on industry best practices
heap.ioThird-party audits
Regular independent audits conducted to verify compliance and security posture
heap.ioBusiness continuity
Business continuity and customer notification plans meeting financial services standards
heap.ioInfrastructure
Custom-built infrastructure capable of ingesting hundreds of thousands of events per second with zero loss in performance; hosted in SOC 2 facility
heap.io// Products & data scope
data: Captures every user interaction on web and mobile platforms without manual event tracking; includes funnels, journey maps, retention analysis
Available on all pricing tiers (Free, Growth, Pro, Premier). Includes Sense AI starting at Growth tier.
data: Records and playback of user sessions with privacy-respecting masking options
Add-on feature available on Pro and Premier tiers
data: AI chatbot and automated summaries powered by Claude; helps non-technical users get insights
Included in Growth, Pro, and Premier tiers. Early Access Program terms apply.
data: Data science tool for identifying correlation between user behaviors and conversion/retention
Available in Growth+ tiers
data: Syncs behavioral data to AWS-based data warehouse; integrates with S3
Available as add-on on Pro; included in Premier plan
data: Behavioral targeting and user segmentation for campaigns
Available as add-on on Pro; included in Premier plan
// What to watch
- HIPAA over-claim risk: Healthcare landing page (heap.io/heap-for-healthcare) markets to healthcare organizations but platform explicitly does NOT support HIPAA-regulated data collection. Marketing content could mislead prospects about compliance capabilities.
- Parent company consolidation: Heap was acquired by Contentsquare in 2023. SOC 2 and ISO certifications are held by parent company Contentsquare but explicitly apply to Heap services. Trust center and legal documents redirect to Contentsquare domain.
- AI training clarity gap: Heap's AI Early Access Program and AI features (Sense AI powered by Claude) could benefit from explicit opt-out mechanisms and clearer data usage policies for customer/visitor behavioral data used to improve AI services.
- Regulated data prohibition: Platform is not suitable for PCI, HIPAA, or other strictly-regulated data. Ensure customers understand this limitation before onboarding.
// At a glance
Pricing model
Freemium: Free tier (up to 10k monthly sessions), Growth (unlimited sessions, requires upgrade after limit), Pro and Premier (custom session pricing)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Heap Inc. (Contentsquare Group)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
heap.io