Security overview

Lucky Orange makes data security and visitor privacy a priority and takes it seriously. We have taken steps to develop unique features and enact practices that ensure data for your business/organization and your visitors are both safe when you use Lucky Orange while keeping your visitors’ privacy protected and respected. 

These features and practices include:

• Avoiding sensitive data transmission
• Leveraging Google Cloud and AWS compliance and security
• Utilizing state-of-the-art data centers for physical security
• Using AES-256 standards for data storage encryption
• Being in compliance with GDPR and CCPA
• Encrypting all data transmitted from your visitors’ browsers to our servers
• Running continuously patched versions of product systems
• Restricting employee access to production data
• Committing to code reviews and automated testing

Avoiding sensitive data transmission 

Our goal is to give you the insight needed to properly analyze your visitors' behaviors without needing to ever send or store sensitive information. As a result, sensitive data should never leave your visitor’s computer. As we’ve discovered after being used on more than 300,000 websites, this sensitive data isn’t necessary or helpful in understanding visitor behavior, improving your customer experience and ultimately growing conversions. 

Methods we use to keep sensitive data safe

• Disabling the transmission of sensitive data to our servers. All keystrokes, whether in a sensitive or non-sensitive field, are captured as asterisks before being sent to our servers. 
• Marking sensitive HTML content with special CSS classes. Though content such as credit card numbers, social security numbers and keystrokes aren’t captured to protect visitor privacy, additional content can also be hidden through the use of special CSS classes. Click here with developer-focused details.
• Providing text scrambling options to further protect the possible transmission of sensitive data. Text scrambling adds that extra layer of protection for sensitive data.  When text scrambling is enabled, the format of the page will remain intact but the text itself will be scrambled randomly before being captured by Lucky Orange. Images are not scrambled.

Leveraging Google Cloud and AWS compliance and security

Lucky Orange core services are hosted on the Google Cloud Platform (GCP). Because of this, our core services leverage the enormous amount of work Google itself puts into security. As a result, our users benefit from this additional layer of protection. 

Several secondary systems, such as our content delivery network, are powered by Amazon Web Services (AWS) and leverage all of the security and compliance provided by AWS.

Utilizing state-of-the-art data centers for physical security

Lucky Orange production data is processed and stored within state-of-the-art data centers. These data centers use a layered security model, including safeguards such as:

• custom-designed electronic access cards 
• alarms 
• vehicle access barriers 
• perimeter fencing 
• metal detectors
• biometrics
• laser beam intrusion detection on the data center floor

Using AES-256 standards for data storage encryption 

All persistent data is encrypted at rest using the AES-256 standards or similarly high standards, allowing Google Cloud Platform (GCP) to have successfully completed ISO 27001, ISO 27017, ISO 27018, PCI DSS 3.2, SSAE-16, SOC 1, SOC 2, and SOC 3 certifications. See Google Cloud Security Compliance or click here to learn more what this means for Lucky Orange. 

Unless on a custom plan or explicitly stated elsewhere, our data is processed and stored in GCP in the United States via the us-central1 region.

Being in compliance with GDPR and CCPA

Lucky Orange's proactive approach to treating data as sensitive has allowed our collection process to be GDPR- and CCPA-complaint. To read more about our efforts in being compliant with these regulations: 

• Is Lucky Orange GDPR- and CCPA-compliant? 
• Why CCPA matters and 10 things you need to know
• Data Privacy Day: Champions in the protection of data privacy
• Answers to your GDPR questions

Encrypting all data transmitted from your visitors’ browsers to our servers

Lucky Orange encrypts all data transmitted from your visitors’ browsers to our servers as well as when the data is stored at rest in GCP. Even if your website does not utilize HTTPS (secure) encryption, our data will still be transmitted via an HTTPS connection.

Running continuously patched versions of product systems

All production systems are running recent, continuously patched versions of Linux or Kubernetes Container-Optimized OS. Additional hosted services, such as Google Cloud Bigtable, are comprehensively hardened Google infrastructure as a Service (IaaS) platforms.

Restricting employee access to production data

As a growing company, Lucky Orange has established and enacted policies that are based on the Principle of Least Privilege (PoLP). PoLP applies to the concept that any employee, program, device or process should have the minimum privileges to perform. It protects and secures privileged credentials, assets and data that limit access within the system. 

As a result, our employees have restricted access to product data based on their role. For employees who are granted permission to access production systems, two-factor authentication is enabled and access is limited to specific whitelisted IP addresses. 

Committing to code reviews and automated testing

All commits to production source code are subject to code review by a qualified developer, staging server reviews and a multitude of automated unit and end-to-end tests.