Zuko Analytics: Data Privacy and Security Overview
At Zuko, we understand that data privacy and security are top priorities for our clients. Our platform is built with privacy by design, ensuring that your data is handled securely and in compliance with global data protection standards. On this page we answer the most common questions prospective clients have about our data and security. The page is divided into two sections: Key Privacy and Security Practices (the most common questions we are asked by compliance teams) and Additional Information (secondary but still important considerations that we are sometimes asked).
Section 1: Key Privacy and Security Practices
How does Zuko track user behavior on forms?
- Zuko uses lightweight, optimized vanilla JavaScript tracking to monitor user interactions with your forms, including events such as field clicks, keypresses, and form submissions.
- Importantly, Zuko does not collect or store personally identifiable information (PII) entered by users into form fields. Only anonymized behavior data (such as clicks and keypresses) is processed.
Where is Zuko’s data hosted?
All data is hosted securely on Amazon Web Services (AWS) in the European Economic Area (EEA), specifically in the Republic of Ireland. AWS adheres to stringent security and compliance standards.
Does Zuko use cookies?
- Zuko uses a first-party cookie (zukoVisitorId) to track unique visitors and measure form interactions. This cookie:
  - Does not contain any personal information from the user.
  - Is stored on the client’s domain, not Zuko’s.
- Zuko also uses a cookie to track whether a visitor is new or returning.
- Clients are responsible for obtaining appropriate user consent for the use of this cookie where required.
- More information on Zuko’s cookies can be found here.
How does Zuko ensure secure data transfer and storage?
- All data transmitted between client websites and Zuko is encrypted using HTTPS.
- All data is encrypted in transit and at rest once it enters the Zuko platform.
- Our platform implements multi-factor authentication (MFA) and access control policies to protect data at all times.
Will Zuko tracking affect the performance of our website?
- We have never had an instance where the performance of a website that installed Zuko has been materially affected.
- The Zuko JavaScript is 15 kb in size (only 6 kb transferred), and hosted in a globally available CDN (AWS). Our code is compressed to reduce size further.
- We do not rely on any third party libraries.
- Behaviour data is transmitted in the background, so the website user experiences no slow-down (see our speed test data here).
What certifications or reviews does Zuko have?
Zuko conducts regular internal security audits and external reviews to maintain robust security measures. While we are not officially ISO27001 or SOC2 certified, we align our practices with widely accepted standards and provide detailed security documentation upon request.
How does Zuko handle client data after contract termination?
When a client contract ends, Zuko retains data for one year unless an earlier deletion is requested. All data is securely destroyed after this period following our documented termination policy.
Does Zuko act as a data controller?
- Zuko acts as a data processor for end-user behavioural data that occurs on our clients’ forms.
- Zuko only acts as a data controller for information that is directly supplied to us by the client.
- For more information on how this data is used, please refer to our privacy notice.
Does Zuko process any personal data?
- Whilst Zuko doesn’t process any data that could be used to identify a form user, we do create a unique identifier for each user which may be classified as personal data under certain privacy regulations (such as GDPR). There is more information on that here. This unique identifier is only used in the attribution of returning events to the session on a form.
- Zuko does process the personal data of our clients (name, email) on the bases listed in our privacy notice.
Who is responsible for data protection at Zuko?
Zuko has a designated Data Protection Officer (DPO) and adheres to all UK GDPR requirements. Clients can contact the DPO for additional questions or requests.
Section 2: Additional Information
What technical measures does Zuko use to protect its systems?
- Zuko operates on a secure Virtual Private Cloud (VPC) architecture within AWS.
- Data is encrypted at rest and in transit using AES-256 encryption.
- Access to the Zuko tracking code is protected through role-based permissions and MFA.
How does Zuko handle security incidents?
- Zuko has a documented Incident Response Plan that outlines procedures for identifying, managing, and reporting security incidents.
- In the event of a breach, affected clients will be notified promptly in compliance with GDPR and other applicable regulations.
What kind of user activity does Zuko track?
- Zuko tracks non-PII events such as:
  - Field focus and blur.
  - Keystroke events (anonymized).
  - Interaction timing and submission rates.
- This data provides actionable insights into form performance without compromising user privacy.
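As an added illustration (not Zuko’s own tracking code; the function names and the sample events are hypothetical), a minimal event builder in JavaScript that keeps only the event type, the field’s identity and a timestamp, drops the typed key and the field value, and still yields the timing, keystroke and submission metrics listed above:

```javascript
// Event types worth recording; anything else (e.g. 'input', which carries the field's text) is ignored.
const ALLOWED = new Set(['focus', 'blur', 'keydown', 'submit']);
// Property names that would carry user content and must never reach a record.
const FORBIDDEN = new Set(['key', 'code', 'value', 'data']);
// Build a minimal record from a DOM-style event (or a plain object shaped like one).
function buildBehaviourEvent(ev, now) {
  if (!ALLOWED.has(ev.type)) return null;
  const t = ev.target || {};
  return {
    type: ev.type,
    field: t.name || t.id || null,   // which field, never what it holds
    fieldType: t.type || null,
    at: now,                         // ms timestamp, used only for timing metrics
  };
}
// Audit helper: property names on a record that would carry user content.
function forbiddenProps(record) {
  return Object.keys(record).filter((k) => FORBIDDEN.has(k));
}
// Derive time-in-field, keystroke counts and submission from the minimized events alone.
function summarize(events) {
  const fields = {};
  const open = {};
  let submitted = false;
  for (const e of events) {
    if (e.type === 'submit') { submitted = true; continue; }
    const f = fields[e.field] || (fields[e.field] = { keydowns: 0, msFocused: 0 });
    if (e.type === 'focus') open[e.field] = e.at;
    else if (e.type === 'blur' && open[e.field] != null) {
      f.msFocused += e.at - open[e.field];
      delete open[e.field];
    } else if (e.type === 'keydown') f.keydowns += 1;
  }
  return { fields, submitted };
}
// Constructed sample: a user focuses "email", types three characters, leaves the field, submits.
// The raw events carry the typed key and the field value, as a real browser's would.
const rawSample = [
  { type: 'focus',   target: { name: 'email', type: 'email', value: '' } },
  { type: 'keydown', target: { name: 'email', type: 'email', value: 'a' }, key: 'a' },
  { type: 'keydown', target: { name: 'email', type: 'email', value: 'ab' }, key: 'b' },
  { type: 'keydown', target: { name: 'email', type: 'email', value: 'ab@' }, key: '@' },
  { type: 'input',   target: { name: 'email', type: 'email', value: 'ab@' } },
  { type: 'blur',    target: { name: 'email', type: 'email', value: 'ab@' } },
  { type: 'submit',  target: { id: 'signup' } },
];
// Timestamps are synthetic (500 ms apart) so the timing metric is reproducible offline.
const minimized = rawSample.map((ev, i) => buildBehaviourEvent(ev, 1000 + i * 500)).filter(Boolean);
```

In a browser the same builder would sit behind `addEventListener` calls on the form, with `Date.now()` supplied as the timestamp.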
Can clients self-host Zuko’s tracking code?
Yes, clients who require additional compliance measures may opt to self-host the Zuko tracking code on their infrastructure.
What agreements support Zuko’s role as a data processor?
- Zuko provides a Data Processing Agreement (DPA) to clarify our obligations under GDPR and other privacy laws. This document outlines the roles and responsibilities of Zuko (as the processor) and the client (as the controller).
Does Zuko have an Information Security Policy?
Yes, the latest copy of the Information Security Policy is available upon request.
Does Zuko have Access Control Processes?
- Yes, access to information is limited by role based on the principle of least privilege.
- Zuko enforces multi-factor authentication on all remotely accessible services (both within our internal IT systems and on third party services).
What cryptographic frameworks are used to protect data?
- HTTPS/TLS is used to encrypt data in transit.
- AWS KMS is used to encrypt data at rest (AES-256).
- Application passwords are salted and hashed prior to being stored.
Does Zuko perform regular security testing?
Zuko conducts regular security reviews of its codebase and infrastructure. Vulnerabilities are triaged and remediated swiftly as part of our change management process.
Do employees receive an information security and data protection training programme?
Yes, training (including NCSC and GDPR) is supplied to all employees upon starting at Zuko with annual refresher courses.
What options exist for clients with additional compliance needs?
For clients with specific requirements, Zuko can provide detailed documentation on our security practices and assist with compliance audits.
