// Trust & Security Report
Hotjar Ltd., Malta (subsidiary of Contentsquare)
Website behavior analytics platform with session replay, heatmaps, surveys, form analytics, and AI-powered insights. Includes Sense AI for automated analysis.
Certifications held
8
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.contentsquare.com“Contentsquare is... holds a SOC 2 Type II report.”
Verify on hotjar.com“Hotjar is ISO 27001, 27701, 27017 & 27018 certified, these internationally recognized standards confirm their commitment to information security, privacy, and compliance.”
Verify on hotjar.com“Hotjar is PCI DSS compliant which means that our security policies, and procedures meet the requisite standard. Additionally, Hotjar holds a Certificate of PCI-DSS Merchant Compliance. Hotjar performs an annual PCI DSS assessment.”
Verify on hotjar.com“Hotjar has undertaken the required business and technological steps to operate in a manner compliant with GDPR. Additionally, Hotjar has appointed a Data Protection Officer (DPO) to ensure that Hotjar processes all personal data it collects in compliance with the GDPR.”
Verify on trustlists.org“Hotjar's trust center at trust.contentsquare.com includes security policies, compliance certifications (SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, ISO 27701, PCI DSS, NIST), and other documentation.”
> Show 1 unconfirmed / not-held certifications
source: paubox.comHotjar will not sign a business associate agreement, and therefore is not HIPAA compliant. Hotjar lists compliance with GDPR, CCPA, LGPD, PCI-DSS, and SOC 2 Type II, but HIPAA is not included in its compliance commitments.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Ireland (AWS eu-west-1 region, with redundancy across 3 availability zones)
Contentsquare AI models are trained on aggregated, anonymized behavioral data only. Customer data is never shared with third parties or used to train external AI models. All AI features comply with enterprise-grade security and privacy standards.
// Security controls
Network Access Control
All traffic blocked by default, only required ports opened. Elevated access requires VPN with 2-factor authentication.
hotjar.comInfrastructure Redundancy
Production infrastructure deployed across 3 availability zones in eu-west-1 AWS region in highly-available configurations
help.hotjar.comData Isolation
Application and database servers run inside Amazon VPC with limited access on need-to-know basis
help.hotjar.comSensitive Data Protection
Credit card and sensitive payment data explicitly not stored by Hotjar. Payment processing delegated to Braintree (Level 1 PCI DSS compliant provider).
hotjar.comDefault Privacy Mode
User keystrokes automatically suppressed by default. No recording of credit card details, phone numbers, or sensitive form data.
hotjar.com// Products & data scope
data: Behavioral interaction data (clicks, scrolling, mouse movement, session replays, surveys). No credit card data. Aggregated/anonymized for AI training only.
Now integrated into Contentsquare unified platform. Free plan includes heatmaps, session replay, surveys, error monitoring, funnels, 10+ integrations. Growth plan adds advanced features.
// What to watch
- Hotjar is now part of Contentsquare Group (acquired 2021, legally merged July 2025). Trust center and compliance information now consolidated at trust.contentsquare.com.
- Does NOT provide HIPAA BAA. Not suitable for healthcare/regulated industries processing protected health information.
- Data Processing Agreement (DPA) is included in Terms of Service and cannot be separately downloaded/signed. Ensure ToS acceptance covers GDPR DPA requirements.
- AI training uses aggregated/anonymized data only—clear policy, no individual customer data used for external model training.
- No self-hosting option; data residency is Ireland only (eu-west-1).
- DPA is incorporated by reference in ToS; customers do not have option for separate DPA signature.
- Recent acquisition/consolidation—verify support continuity and no changes to Hotjar-specific service terms during transition to Contentsquare.
// At a glance
Pricing model
Freemium (free plan with 200k sessions/month) + paid growth/scale tiers
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Hotjar Ltd., Malta (subsidiary of Contentsquare)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.contentsquare.com