Last updated:

It is critical that everyone in the PostHog team follows these guidelines. We take it very seriously when people do not follow these rules - doing so can put the entire company and all of our users at risk.

Security policies

We are in the process of obtaining our SOC 2 certification, which has required us to put together a number of (short!) policies to ensure compliance. You will have been invited to Drata to review these and to complete security training as part of your onboarding.

All of our policies can be found in our Drata portal, so this section of the Handbook just serves to make these policies publicly available in case you need to refer back quickly, or if a customer asks. These are only linked as PDFs so we only need to keep the policies up to date in Drata.

GDPR compliance

For the purposes of GDPR, customers use PostHog in one of two ways:

  • PostHog Cloud
  • Self-hosting and managing a PostHog instance (PostHog Open Source, PostHog Scale and PostHog Enterprise)

If a customer is using PostHog Cloud, then PostHog is the Data Processor and the customer is the Data Controller. We have some GDPR obligations here.

If a customer is self-hosting PostHog then they are both the Data Processor and the Data Controller because they are responsible for their PostHog instance. We do not have access to any of their user data, so we do not have specific GDPR obligations here.

As the Data Processor for PostHog Cloud customers, we are obliged to maintain documentation that records details of our data processing agreements with those customers. Charles is our Data Protection Officer and is responsible for maintaining this.