Skip to main content
All CollectionsFAQs
Security Questionnaire
Security Questionnaire

A list of Driveway's security practices to ensure our customers' safety and the reliability of our service.

Harrison Johnson avatar
Written by Harrison Johnson
Updated over a week ago

At Driveway, we take security and compliance seriously. Below, you'll find a list of common security-related questions and information about the steps we take to ensure our customers' data is always handled safely.

Data Details

What information does the Driveway SDK have access to?

The Driveway SDK does not have access to user data or any customer information.

Its only purpose is enabling your users to view the interactive walkthrough version of your public Driveway guides without having to download the Driveway Chrome extension.

What permissions does the Driveway Chrome extension require?

Driveway's Chrome extension can be used to create and view Driveway guides. The extension requires access to the following data when downloaded from the Chrome Web Store to create guides:

  • Web history: A list of webpages a user has visited, as well as associated data such as page title and time of visit.

  • User activity: Ex. Clicks, mouse position, scroll, keystrokes.

  • Website content: Ex. Text, hyperlinks.

How does Driveway's Redaction feature work?

Driveway allows users to redact PII from the screenshots in the guides they create. Once redacted, the original screenshots are deleted from Driveway's database and cannot be recovered.

What data does Driveway require access to in order to create an account? Does this include Personal Data?

We require access to first name, last name, and email address for a user to use Driveway.

Does Driveway encrypt all data transmissions and data at rest?

All data is encrypted at rest with AES-256, block-level storage encryption, and in transit with TLS certificates.

Where will the data be stored physically (country)? And where will it be processed?

Data is stored and processed in the US. At this time, we are unable to support data storage and processing at a specifically-requested region.

What technical solutions are in place to protect data? (Firewalls, IPS/IDS etc)

Driveway leverages Heroku for its infrastructure and managed firewall, DDoS mitigation, Spoofing protection, and port scanning services for Driveway’s infrastructure. A variety of additional considerations are in place for data protection, physical, and environmental security. More information can be found here.

Compliance Standards and Mechanisms

What is Driveway's data retention schedule?

In the event that you would like your account deleted, we will permanently delete your account and content within 30 days, unless we need to retain any information to comply with our legal obligations, resolve disputes, or enforce our agreements.

How is data destroyed when requested and at the end of the retention period?

Data is permanently deleted from our database and its backup instances on request, and according to our retention schedule.

Which authentication mechanisms do you have in place for users of the application interface?

We require users to authenticate via Google Auth or their own username and password in order to access the Driveway web application. Our Chrome extension can be installed but guides created cannot be saved without a user authenticating.

Does Driveway take any steps to ensure GDPR compliance?

Yes, we have procedures in place for data portability (export provided on request), data deletion (at the production and snapshot-database level), and consent management.

Are you SOC 2 Type II certified?

Driveway is SOC 2 Type II certified and SOC 3 certified. You can get our SOC 2 Type II report by emailing us at You can view our public SOC 3 report here.

Are you taking any steps towards HIPAA compliance?

Driveway requires all vendors and contractors to sign a BAA and complete mandatory HIPAA training. All employees complete mandatory HIPAA training as well, with quarterly reviews

Is there a business continuity provision, disaster recovery program and in the event of a loss of service?

Our production database is automatically and continuously backed up over the previous 4 days, and can be recovered to a specific point in time over that period in the event of a catastrophic incident. This allows us to mitigate the risk associated with an accidental data deletion or data overwrite. Since we leverage Heroku to host our production database, this achieved through physical backups that persist incremental snapshots of the file system and WAL files to an encrypted S3 bucket in the US region.

Technical Measures

Does Driveway perform regular tests on backup & restore procedure?

We run these tests annually. Our last test of backup and restore procedure was January 2023.

What technology is used to process data?

We leverage a Postgres database and Redis instance to process data. These are both managed services, provisioned by Heroku.

What method is used to transfer data?

Data is transferred via HTTPS.

What are your password requirements (minimal length, complexity, expiration)

Passwords are rejected if they are less than 8 characters, entirely numeric, or appear on a list of 20,000 common passwords.

Authorization - what type of roles are supported?

Currently all users are granted the same level of access and permissions within the Driveway web app. We will introduce an additional license tier as part of our paid offering to differentiate users that have access to certain premium features in 2023.

Did this answer your question?