
Fullstory Information Security Addendum

Last Updated: May 20, 2026

Note: if you are looking for Fullstory’s “Trust Center” click here: https://trust.fullstory.com

This Information Security Addendum (“Security Addendum”) is incorporated into and forms a part of the Master Services Agreement or other written or electronic agreement between Fullstory, Inc. (“Fullstory”) and the customer entity that has executed such an agreement (“Customer”) for the provision of the Services (the “Agreement”). Customer’s signing of the Agreement and/or any Order Form will be treated as acceptance of this Security Addendum. 

This Security Addendum applies to the extent that Fullstory processes Customer Data on behalf of Customer in the course of providing the Services.

1. Definitions

For purposes of this Security Addendum, the following terms will have the meanings set forth below. Capitalized terms not otherwise defined herein will have the meaning given to them in the Agreement.

1.1. “Information Security Program” means Fullstory’s written information security program, as described in Section 2.

1.2. “Security Breach” means a breach of security that causes the unlawful or accidental destruction, alteration, damage or loss, unauthorized disclosure of, or access to, Customer Data, including Personal Data, transmitted, stored, or otherwise Processed by Fullstory or its Sub-processors, of which Fullstory becomes aware.

1.3. “Services” means the SaaS Services or Free Trial Services as defined in the Agreement.

1.4. “Sub-processor” means any third-party processor engaged by Fullstory to process Personal Data on Fullstory’s behalf in connection with the Services.

2. Fullstory Security Obligations

2.1. Information Security Program. Fullstory will maintain a comprehensive, written Information Security Program that includes administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of Customer Data. This program is based on leading industry standards, including the ISO 27001 framework, and is designed to prevent unauthorized access to or disclosure of Customer Data. The Information Security Program will include, but not be limited to, the controls outlined in this Security Addendum. Fullstory’s Chief Information Security Officer (CISO), or a senior leader with equivalent responsibility, is responsible for the ongoing review and approval of the Information Security Program. 

2.2. Personnel Security. Fullstory will ensure that its personnel with access to Customer Data are subject to confidentiality obligations and are qualified for their roles. Fullstory will: (a) conduct background checks on all personnel prior to employment, in accordance with applicable laws and regulations; and (b) require all personnel to complete security and privacy awareness training upon hire and on at least an annual basis thereafter.

2.3. Third-Party Vendor Management. Fullstory will maintain a program to assess the security and privacy practices of its Sub-processors. Prior to engaging a new Sub-processor, Fullstory will conduct a review of the Sub-processor's security posture to ensure it meets Fullstory’s security requirements. A list of Fullstory’s current Sub-processors may be found here: https://fullstory.com/legal/subprocessor-list. 

2.4. Processing of Personal Data. Fullstory will process personal data on behalf of Customer during the Subscription Term in accordance with the terms of the Data Processing Addendum (“DPA”) available at https://www.fullstory.com/legal/form-of-standard-dpa/, unless the parties have separately executed a DPA, in which case such executed DPA will apply.

3. Security Controls

3.1. Access Control. Fullstory will implement and maintain technical and organizational measures to limit access to Customer Data to authorized personnel who have a business need to access it. Fullstory will enforce the principle of least privilege and will review such access rights on a regular basis. All administrative access to the production environment is restricted to a need-to-know basis, and must require multi-factor authentication.

3.2. Encryption. Fullstory will encrypt all Customer Data both in transit and at rest using strong cryptographic protocols. (a) In transit: Customer Data will be encrypted in transit over public networks using Transport Layer Security (TLS) 1.2+, or SSH, ensuring that requests utilize the highest-strength cipher suites supported by each web client. (b) At rest: Customer Data will be encrypted at rest using AES-256 or a comparable industry-standard algorithm.

3.3. Vulnerability Management. Fullstory will maintain a vulnerability management program designed to identify, assess, and remediate vulnerabilities in the Services. This program will include: (a) regular internal and external vulnerability scanning of the production environment, and (b) at least annually, engaging an independent, CREST-certified third-party provider to perform a penetration test of the Services. A summary report of such penetration test will be made available to Customer upon request and is subject to confidentiality obligations. Fullstory will remediate any critical or high-severity vulnerabilities identified during such penetration tests in a timely manner.

3.4. Technical and Organizational Measures. Fullstory will maintain appropriate technical and organizational measures to ensure a level of security appropriate to the services provided as further described at the Technical and Organizational Measures located in the Trust Center.

4. Security Breach Management

4.1. Incident Response Plan. Fullstory will maintain a written Security Breach response plan that includes procedures for the detection, investigation, containment, and remediation of Security Breaches. This plan will be reviewed and tested on a regular basis.

4.2. Notification of Security Breach. In the event of a Security Breach affecting Customer, Fullstory will notify Customer without undue delay after becoming aware of the Security Breach. Fullstory will provide Customer with timely updates about the Security Breach, including the nature of the incident, the categories and approximate number of data subjects concerned, the likely consequences, and the measures taken or proposed to be taken by Fullstory to address the incident and mitigate its possible adverse effects.

5. Business Continuity and Disaster Recovery

Fullstory will maintain a Business Continuity and Disaster Recovery (BCDR) plan designed to ensure the availability of the Services in the event of a disaster or other significant disruption. This BCDR plan will be tested at least annually and a report of the results may be made available to Customer upon written request.

6. Customer Responsibilities

Customer agrees that it is responsible for: (a) configuring and managing its use of the Services in accordance with the Documentation; (b) managing the access rights of its users and ensuring the security of their authentication credentials; and (c) implementing appropriate security measures on its own systems.

7. Audits and Certifications

Upon Customer’s written request, and no more than once annually, Fullstory will provide Customer with a copy of its most recent SOC 2 Type II audit report and/or ISO 27001 and other ISO certificates. Fullstory's third-party certifications and audit results are available for self-service viewing at https://trust.fullstory.com (the “Trust Center”). Such reports and certifications are Fullstory's Confidential Information and are subject to the confidentiality obligations of the Agreement or a non-disclosure agreement, as applicable. Customer agrees that the provision of the reports and certifications described in this Section will be the sole means by which Customer may audit and verify Fullstory's security posture, and direct audits of Fullstory's data centers or facilities by or on behalf of Customer will not be permitted.
