Security Update regarding CVE-2026-31431 (Copy Fail)

Trust Portal


At Contentsquare (into which Heap and Hotjar have recently been incorporated), the security, confidentiality and availability of your data are of utmost importance to us. We have invested heavily in our security program, which is based on a Defense in Depth model. Our cybersecurity program aligns with the NIST Cybersecurity Framework, and our policies, procedures, and standards are based on the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 Framework. Contentsquare is ISO 27001, ISO 27017, ISO 27018 and ISO 27701 certified and holds a SOC 2 Type II report.

Contentsquare’s security program is managed by our chief information security officer (CISO). The CISO is supported by cybersecurity team members who lead and manage DevSecOps, product security, security governance, third-party risk assurance and information technology risk.

Documents

Featured Documents

Reports: Pentest Report
Trust Portal Updates

Security Update regarding CVE-2026-31431 (Copy Fail)

Vulnerabilities

Dear Customers,

Following the public disclosure on April 29, 2026 of a critical Linux kernel vulnerability tracked as CVE-2026-31431 and nicknamed “Copy Fail”, we immediately initiated a comprehensive assessment of all potentially affected systems and infrastructure.

We are writing to confirm that Contentsquare services and customer data remain secure. Specifically:

• Proactive Assessment & Rapid Response: Upon identification of CVE-2026-31431, our security team promptly invoked our incident response protocol. We conducted a thorough scope assessment across our full infrastructure, including all Linux-based systems and workloads. Interim mitigations were applied immediately while awaiting official patches from our vendors.

• Patch Deployment Near Complete: We are pleased to confirm that the vast majority of our production systems and services have been successfully patched against CVE-2026-31431, with zero downtime and zero failed deployments throughout the process. A small number of remaining workloads are actively being remediated and are expected to reach full patch coverage imminently.

• No Impact on Customer Data: Our investigation confirms that no customer data was accessed, exfiltrated, or impacted as a result of this vulnerability. No breach or unauthorized access has been identified within our systems or those of our sub-processors.

• Ongoing Monitoring: We’re continuously monitoring all systems for any signs of exploitation, and any newly identified affected assets are being remediated without delay.

We remain committed to the highest standards of security and transparency. If you have any questions or require a formal written confirmation, please contact us at security@contentsquare(.)com.

Sincerely,
The Contentsquare Security Team

Security Update regarding Axios supply chain compromise

Vulnerabilities

Dear Customers,

Following recent supply chain attack reports regarding specific compromised Axios releases, our security team performed a comprehensive audit of our development and build environments.

We are writing to confirm that Contentsquare services and customer data remain secure.

We are also writing to confirm the following:

  • Proactive Mitigation: Upon identification of the affected package versions, we immediately invoked our incident response protocol. As a standard proactive security best practice, we completed a comprehensive rotation of internal credentials and environment secrets to ensure the continued integrity of our systems.

  • No Impact on Customer Data: Our investigation confirms that no customer data was accessed or impacted. The scope was limited to internal build processes, which have since been cleared.

  • Supply Chain Resilience: To further harden our environment, we have formalized new security policies requiring stricter version-pinning and a minimum release age requirement for all third-party dependencies. We are currently implementing these architectural controls to further minimize exposure to future supply chain risks.

We remain committed to transparency and the highest standards of data protection. If you have any questions, please contact us at security@contentsquare(.)com.

Sincerely,
The Contentsquare Security Team

If you think you may have discovered a vulnerability, please send us a note.