Trust Matters: Pendo's Commitment to You

At Pendo, performance, security and data privacy are first-order priorities, central to every product decision we make, and everything we do as a company. We continue to make substantial investments to protect the security, performance and integrity of your data, your users, or your application. This is our commitment to you.

Pendo's Data Privacy Principles

We organize our efforts around the following five guiding principles:

  1. Your data is your data — the overarching tenet of our data privacy policy is that your data will always be your data; we will always handle it with that in mind.
  2. Your data is encrypted — in transit and at rest, all of your data is encrypted using only industry-accepted tools, standards and best practices for data handling and security.
  3. Your data is segregated — no customer data is ever commingled nor do we allow querying across customer data.
  4. No data monetization — our business model is based on marketing and selling software and services, not data; we do not monetize customer data in any way.
  5. No PII required — personally identifiable, customer-level information is never required to take advantage of the full feature set of Pendo products.

Privacy Principles in Practice

Pendo has made substantial investments to enact these principles in practice, including:

Data Privacy Officer

Pendo has appointed a data privacy officer as the cross-functional company advocate for data privacy and security. Our DPO is a licensed attorney with substantial depth and experience in compliance-related matters.

SOC2 Type 1 Certification

Pendo has completed a SOC 2 Type 1 audit that included all five Trust Services Principles: Security, Confidentiality, Processing, Integrity, Availability, and Privacy with no exceptions in related controls.


Pendo has been working for months with an internal, cross-functional team to ensure we are ready for GDPR. Because privacy and security are a top priority at Pendo regardless of geography, we have decided to treat all of your data as if it is subject to GDPR, not just the data of EU residents.

Privacy Shield

Pendo is Privacy Shield Certified. Under the Privacy Shield Framework, Pendo certifies to and agrees to be held accountable by the U.S. Department of Commerce for its privacy and security commitments. Because Pendo is Privacy Shield Certified, we can confidently transfer your data across international borders.

Looking Forward

Pendo continues to expand investment in areas of data privacy and compliance. In addition to the practices noted above, we have plans to pursue SOC2 Type 2 certification, HIPAA and FedRAMP certifications in 2018.


For more information on security, privacy, and compliance please see our privacy policy, review the FAQs below, or contact us at for specific data privacy-related questions.

Privacy Policy

You can also download our engineering guide for best practices on deploying, configuring, and managing Pendo within your application for maximum performance and security.

Download Now

Frequently Asked Questions

Where does Pendo store data?

Data submitted to Pendo, and Pendo’s application are hosted and stored in a secure, multi-tenant environment provided by Google’s Cloud Platform. Data is stored for each customer using separate Google AppEngine namespaces, and a variety of techniques for logical separation, to ensure that no data is co-mingled. Currently, the Google physical architecture that hosts Pendo is located in the United States.

Is the data encrypted?

All data hosted by Pendo is encrypted. Pendo uses industry-accepted encryption products to protect data at rest, with 256 bit AES encryption. All data transfers within the data center are secured by SSL. All of the Customer Data collected by Pendo is transmitted over SSL if the customer application is accessed via SSL.

Does Pendo collect any personally identifying

The only identifying information that Pendo requires is a unique user ID for your end users. All other information is optional (but will provide for richer analysis and segmentation). Pendo does not collect any user-entered form field text in your application. You should avoid sending any of the following types of sensitive personal information to Pendo: government-issued identification numbers; specific financial information (such as credit or debit card numbers, any related security codes or passwords, and bank account numbers); information related to an individual’s physical or mental health; and information related to the provision or payment of health care.

How long does Pendo store customer information?

Pendo retains all customer data as long as you are an active subscriber. All data will be removed from Pendo starting 90 days after a subscription is cancelled. Pendo customers can request that specific records in their data be removed based on the request of an individual who is the subject of that data. Specific record removal may incur additional charges depending on your plan level.

Does Pendo support single sign on and/or 2-factor authentication?

You are in control of and responsible for user authentication. Access to Pendo requires an email address and password combination. We encourage you to use strong passwords. Alternatively, depending on your plan level, you can choose SAML for single sign-on or Google-based logins. Administrators can disable password-based logins, and require authentication through Google. Authentication through Google supports two factor authentication, as do many SAML implementations.

Is Pendo SOC 2 compliant?

Pendo has completed a SOC 2 Type 1 audit that included all five Trust Services Principles: Security, Confidentiality, Processing, Integrity, Availability, and Privacy with no exceptions in related controls. In addition, Google AppEngine is SOC 2, SOC 3, ISO 27001, FISMA, and PCI compliant.

Is Pendo GDPR Compliant?

Pendo is committed to complying with GDPR regulations ahead of the May 25 2018 enforcement date. We are partnering with our customers to ensure the privacy and security of their and their customer’s data, and have implemented a number of data acquisition, access, and retention policy changes. Read this article for additional detail about our GDPR compliance efforts.

Does Pendo conduct security audits?

Pendo undergoes third-party penetration testing on an annual basis.

Will Pendo slow down my application?

Pendo is designed to minimize the impact on your application. The client-side agent is only about 50 Kb and loads asynchronously. Data transmissions are queued and sent to the server every 2 minutes. Data is compressed before sending so that each transmission is less than 2 Kb.

How is the client agent distributed?

The JavaScript code is hosted and deployed in Amazon’s Cloudfront Content Distribution Network (CDN), with an extremely broad network of servers and edge caching to ensure rapid loading times. Amazon service level agreements guarantee 99.9% uptime for the agent delivery.

How will guides and walk-throughs affect my

Guides load with the Pendo agent. They will not be displayed until the current page is finished loading. The typical response time for guides is sub-second with guides almost always delivered in less than half a second.

© 2018 Pendo  |  Terms of Service  |  Privacy Policy

Let’s Get Started!

We’ll follow up straightaway to show you a quick product tour.

Sign Up for a Pendo Account!

Complete the form to register your free account.

Something went wrong, please try again.

Go Back
Close Icon