Security Portal


Overview

FullStory is a new kind of platform, designed to help companies answer any question they might have about their digital experience.

Built on a powerful analytics engine, FullStory connects digital interactions to the metrics that matter most to businesses. It proactively surfaces top opportunities for optimization, allowing teams to understand issues, prioritize fixes, remediate bugs, and measure the impact of changes.

With FullStory, product, engineering, and UX teams can align around their customer, break down internal information silos, and achieve company objectives together—faster. The end result? A digital experience their customers and users love.

Compliance

CCPA
GDPR
HIPAA
ISO 27001
PCI DSS
Privacy Shield
SOC 2
SOC 3
ISO 27701

FullStory is reviewed and trusted by

VMware
Peloton
Vroom
Adobe
JetBlue Airways
Travelers
GNC
Forbes
Fortive
Mammut Sports Group
William Hill
SoundCloud
13 Documents
ISO 27001
SOC 3 Report
SOC 2 Report
Network Diagram
Pentest Report
Security Whitepaper
Vulnerability Assessment Report
SIG Lite
Cyber Insurance
Business Continuity Policy
Information Security Policy
Other Policies

Risk Profile

Data Access Level: Public
Impact Level: Moderate
Recovery Time Objective: < 24 Hours

Product Security

Role-Based Access Control
Audit Logging
Data Security

Reports

HIPAA Report
Network Diagram
PCI DSS

Self-Assessments

SIG Lite

Data Security

Access Monitoring
Backups Enabled
Data Erasure

App Security

Responsible Disclosure
Code Analysis
Runtime Application Self Protection

Access Control

Data Access
Logging
Password Security

Infrastructure

Anti-DDoS
BC/DR
Google Cloud Platform

Endpoint Security

Disk Encryption
Endpoint Detection & Response
Mobile Device Management

Network Security

Data Loss Prevention
Firewall
IDS/IPS

Corporate Security

Email Protection
Employee Training
HR Security

Policies

Acceptable Use Policy
Access Control Policy
Anti-Malicious Software Policy

Security Grades

Qualys SSL Labs
https://fullstory.com
A+
https://app.fullstory.com
A+

Trust Center Updates

FullStory's Response to Palo Alto DoS Vulnerability

Response to customers

While FullStory is a fun company, we don’t play around when it comes to security and privacy. Trust is one of our core watchwords and we hold our responsibility as protectors of our customers' information in the highest regard.

FullStory does not use any Palo Alto services to deliver our product, and is not affected by this vulnerability.

Palo Alto DoS Vulnerability Background

To learn more on the background of the vulnerability: https://security.paloaltonetworks.com/CVE-2022-0028

Published at 08/16/2022, 8:50 PM

FullStory’s Response to Okta Breach

Response to customers

While FullStory is a fun company, we don’t play around when it comes to security and privacy. Trust is one of our core watchwords and we hold our responsibility as protectors of our customers' information in the highest regard. FullStory was NOT one of the impacted customers of the Okta breach. Below is some additional information regarding the background, cause, and remediation steps we took regarding the Okta breach in order to maintain the trust you have in our company.

Okta Breach Background

To learn more on the background of the breach: https://www.okta.com/blog/2022/04/okta-concludes-its-investigation-into-the-january-2022-compromise/.

Okta’s Response

Okta detected an unsuccessful attempt to compromise the account of their third-party engineer. Okta alerted the third-party provider, terminated the user’s active Okta sessions, and suspended the user’s account. Okta states there is no impact to Auth0, HIPAA, and FedRAMP customers.

Okta stated that the potential impact to customers is limited to the access that support engineers have. Upon conclusion of their third party's forensic exam, Okta determined 366 customers were impacted.

FullStory & Okta Relationship Transparency Summary:

FullStory uses Okta as our single sign-on (SSO) provider. Using an SSO provider helps to streamline and secure access management for our employees to authorized systems and to terminate their access upon job role change or if they exit the company. This in turn keeps our systems safe from unauthorized access or privilege creep, essentially where someone gets more access than they need when moving positions internally.

FullStory Response & Actions to Okta Breach

FullStory immediately contacted our Okta representative to inquire if we were one of the 366 customers that were impacted on March 22, 2022. Okta confirmed that FullStory was not an impacted customer. FullStory independently confirmed that our systems were not compromised by completing the following additional steps:

  1. Reviewed our Okta audit logs for our superuser/admin accounts to look for any suspicious activity.
  2. Verified that no privileged accounts were created around the time of the suspected breach (January 21, 2022) that we did not create ourselves.
  3. Conducted assessments of our critical third parties. This included developing a due diligence questionnaire on breach response. After concluding our assessment, we did not identify any of our critical third parties who were affected by the Okta breach.
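The first two review steps above, as an added example that is not FullStory's or Okta's code: given Okta System Log-style events (the sample events, the event-type names and the list of known admins are constructed assumptions), it lists successful privileged-account creations or privilege grants within a week of the January 21, 2022 date that were not performed by one of our own admins.

```python
# Added example (not FullStory's or Okta's code): flag privileged-account changes in a
# window around a suspected breach date. Event shape mimics Okta System Log entries
# (eventType, published, actor, target, outcome); the events and event-type names are
# constructed assumptions, as is the list of known admins.
from datetime import datetime, timedelta, timezone

PRIVILEGED_EVENTS = {"user.lifecycle.create", "user.account.privilege.grant"}  # assumed names
KNOWN_ADMINS = {"alice.admin@example.com", "bob.admin@example.com"}  # constructed
SUSPECTED_BREACH = datetime(2022, 1, 21, tzinfo=timezone.utc)  # date named in the post
WINDOW = timedelta(days=7)

def event(event_type, published, actor, target):
    # Build a minimal Okta-style event dict (constructed sample data).
    return {"eventType": event_type, "published": published,
            "actor": {"alternateId": actor},
            "target": [{"type": "User", "alternateId": target}] if target else [],
            "outcome": {"result": "SUCCESS"}}

SAMPLE_EVENTS = [
    event("user.lifecycle.create", "2022-01-20T09:14:00.000Z", "alice.admin@example.com", "new.hire@example.com"),
    event("user.account.privilege.grant", "2022-01-22T03:41:00.000Z", "support-eng@vendor.example", "svc-backup@example.com"),
    event("user.session.start", "2022-01-22T10:00:00.000Z", "carol@example.com", None),
    event("user.account.privilege.grant", "2022-03-01T12:00:00.000Z", "support-eng@vendor.example", "late@example.com"),
]

def parse_ts(ts):
    # Okta publishes ISO-8601 timestamps in UTC with millisecond precision.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def in_window(ev, center=SUSPECTED_BREACH, window=WINDOW):
    return abs(parse_ts(ev["published"]) - center) <= window

def suspicious_privileged_changes(events, known_admins=KNOWN_ADMINS):
    """Return (target, actor, published) for in-window privileged changes not made by a known admin."""
    findings = []
    for ev in events:
        if ev["eventType"] not in PRIVILEGED_EVENTS or not in_window(ev):
            continue
        actor = ev["actor"]["alternateId"]
        if actor in known_admins or ev["outcome"]["result"] != "SUCCESS":
            continue
        for t in ev["target"]:
            if t.get("type") == "User":
                findings.append((t["alternateId"], actor, ev["published"]))
    return findings

if __name__ == "__main__":
    for target, actor, when in suspicious_privileged_changes(SAMPLE_EVENTS):
        print(f"REVIEW: {target} changed by {actor} at {when}")
```

Each finding is a lead to check against your own change records; an empty result is what step 2 of the post reports.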

Conclusion

FullStory was not impacted by the Okta breach. Further, we did not discover any security issues and did not identify any of our critical third parties as being an Okta customer impacted by the breach.

Published at 07/06/2022, 5:19 PM

FullStory’s Response to Log4j

Response to customers

While FullStory is a fun company, we don’t play around when it comes to security and privacy. Trust is one of our core watchwords and we hold our responsibility as protectors of our customers' information and protection of our services in the highest regard. FullStory did NOT find any indicators of compromise that would indicate a successful attack on our systems. Below is some additional information regarding the background, cause, and remediation steps we took regarding the Log4j vulnerability in order to maintain the trust you have in our company.

Log4Shell Vulnerability Background

On December 9, 2021, security researchers discovered a flaw in the code of a software library used for logging. The software library, Log4j, is built on a popular coding language, Java, that has widespread use in other software and applications used worldwide. This flaw in Log4j is estimated to be present in over 100 million instances globally. This vulnerability and associated attacks against it are being characterized as Log4Shell in the cybersecurity community.

The flaw, also known as a vulnerability by the security community, was rated a 10 out of 10 on the Common Vulnerability Scoring System, or CVSS, due to the potential impact that it can have if leveraged by attackers. Details of the vulnerability can be found in the National Vulnerability Database (NVD) under the heading CVE-2021-44228.

As of Dec. 14, researchers discovered that the fix developed for CVE-2021-44228 was incomplete and the vendor, Apache, released a new fix. On Dec. 17, two new issues were confirmed and the next day, Apache released another fix. We expect this cycle of vulnerability-fix vulnerability-fix will continue as attackers and researchers continue to focus on Log4j. For more information including recommended remediation actions and resources: https://www.cisecurity.org/log4j-zero-day-vulnerability-response

FullStory Response & Actions to Log4j

FullStory worked diligently to ensure that our environment is safe from exploitation and that we have deployed all mitigating measures possible. Keeping customer data safe is our highest priority and our security team is working hard to ensure it remains safe and secure.

Once we became aware of this vulnerability we immediately took steps to determine if our systems had been exploited by CVE-2021-44228. We had found no Indicators of Compromise within our infrastructure to suggest a successful attack had taken place.

In accordance with our defense in depth strategy, we deployed mitigations to prevent a successful attack. Below is a list of the mitigation actions we took:

  1. Updated our web-application firewall (WAF) rules
  2. Ensured our WAF agents were fully patched
  3. Reviewed our code to ensure we were properly sanitizing user input within our application layer
  4. Tested various permutations of the exploit’s payload against this layered defense
  5. The code paths that would be vulnerable to this exploit are not exposed directly to the internet so any payloads must first pass through our layered defenses rendering them benign.
  6. Created a Log4j questionnaire to send to our data processors and applicable third parties in order to complete a security assessment.
  7. Confirmed the security posture of our applicable third parties and data processors in regards to CVE-2021-44228 was adequate.

Conclusion & Update

FullStory was not impacted by the Log4j vulnerability.

Currently we are patched against this vulnerability up to Log4j v2.16 and will continue to monitor the ecosystem for any new variations of this exploit to ensure we stay one step ahead of threat actors.

We completed assessments of our third parties and data processors and found no non-compliance with remediation efforts or any parties that were vulnerable.

In regards to CVE-2021-45046, we performed an investigation and determined that our implementation was unaffected by this new variant of the Log4j vulnerability.

To protect against any potential future exploits, we plan to roll out Log4j v2.17.1 on 1/12/22.

Published at 07/06/2022, 5:16 PM

Welcome to FullStory's Security Trust Center

As an organization that is security conscious and values security, we are excited to announce the official launch of the FullStory Security Trust Center. By using this portal, you can request access to our compliance documents, review our standardized questionnaires such as the SIG, and gain a general understanding of our security posture.

Over time, our team will be making changes to this portal as we implement new tools and processes in our environment. You can use the Subscribe button to receive email notifications for when our team has an important update, such as if we have an updated compliance report or if we have a status update regarding a major security vulnerability that has been recently discovered.

-The FullStory Security Compliance Team

Published at 07/05/2022, 7:13 PM

If you think you may have discovered a vulnerability, please send us a note.