Decibel Complies with GDPR by Default, Offering No-Nonsense Peace of Mind

Timothy de Paris
by Timothy de Paris

The EU’s General Data Protection Regulation (GDPR) comes into effect this year. Here at Decibel, we know the amount of work digital and legal teams have put into preparing for GDPR. That’s why, as a data processor, we don’t want to add to that workload: Decibel complies with GDPR by default, and any custom configuration clients may require for their particular setup is quick, easy, and simple to activate.

Our focus at Decibel is to empower you to improve digital experiences for your customers, not cause legal headaches. So, before I dive into the detail, here are three key takeaways to offer no-nonsense peace of mind:

  1. Decibel has undertaken a third-party audit for GDPR compliance, which was successfully completed last year
  2. We have a standard data protection agreement, present within our contracts, that is fully compliant with GDPR
  3. We have built-in, easy-to-use functionality that enables you to configure Decibel for any specific data protection requirements

The remainder of this article discusses how our cultural and technological approach - Privacy by Design, and Data Protection by Design - enables us to confidently offer these assurances.

Protecting Personally Identifiable Information

In a recent post, I discussed Decibel's commitment to user privacy and protecting personally identifiable information:

Almost all websites deal with personally identifiable information (PII), ranging from a username and account numbers on a login screen, to medical information and credit card numbers within an account. Such information is extremely sensitive, and in most cases has little to no relevance when it comes to improving user experiences.
As a result, at Decibel we take a proactive, Privacy by Design approach to ensure that when our session replay technology is deployed on our clients’ websites to improve user experiences, the PII of users never reaches our servers.
[...] Indeed, data security and privacy has been hard coded not just into our system architecture, but into our company culture. How? Every Decibel employee goes through rigorous privacy and security training during their induction, and attends regular subsequent training seminars. This ensures that, when it comes to setting an example in data security and user privacy, it’s not only the technology at Decibel that does so – it’s the people too.

In what follows, I briefly summarize just some of the measures we have in place that make Decibel fully ISO27001 and GDPR compliant. The complete list is discussed in detail in our Security and Privacy Whitepaper. If you would like a copy of the full document, please contact your account manager.


1. Any data collected by Decibel will always be owned by you

Without exception, any and all data Decibel collects from your digital properties, and any reports and output we generate from this data, is owned by you.

2. Built-in functionality enables you to easily comply with GDPR

Be it providing customers with a copy of their data or deleting records on their request, Decibel provides you with the tools to simply and quickly comply with rights introduced by GDPR.

3. PII is masked by default

Decibel masks all user keystrokes by default. Our on-page masking algorithm is irreversible and occurs on the user’s device, so the unmasked data is never sent to our servers, and once masked it is no longer possible to reveal PII within a session replay.

A client has the option to opt-in to record keystrokes on specific form fields if the client feels this information is pertinent to improving user experiences – for example a search field may help inform clients on what users are looking for, helping improve the website’s organization and navigation.

Certain fields, however, are always masked, and can never be opted-in – including credit card numbers and social security numbers. This feature can be optionally applied to email addresses too.

4. Opted-in data is encrypted

If a client does opt in to record keystrokes on a specific form field, like a search field, this data is subject to industry-standard levels of encryption that fully ensure its secure transmission and storage.

Learn more about Decibel and GDPR

To receive more information about Decibel and GDPR compliance - including how we deal with the physical location and segregation of data, backups and data deletion, internal access to data, auditing, and penetration testing - please contact your account manager for a copy of our full Security and Privacy Whitepaper.

Security Privacy GDPR

Timothy de Paris
Written by Timothy de Paris

Tim is Chief Technology Officer at Decibel Insight.