Fullstory Hardening Guide

Data Last updated: 2025-02-05

Digital experience intelligence platform hardening for Fullstory including SAML SSO, data privacy controls, and access management

Product Docs API Docs Hardening Guide

Overview

Fullstory is a digital experience intelligence platform providing session replay and analytics. As a platform capturing user sessions and interaction data, Fullstory security configurations directly impact data privacy and user trust.

Intended Audience

Security engineers managing analytics platforms
IT administrators configuring Fullstory
Product teams managing digital experience tools
GRC professionals assessing data security

How to Use This Guide

L1 (Baseline): Essential controls for all organizations
L2 (Hardened): Enhanced controls for security-sensitive environments
L3 (Maximum Security): Strictest controls for regulated industries

Scope

This guide covers Fullstory security including SAML SSO, privacy controls, access management, and data governance.

Authentication & SSO
Access Controls
Data Privacy
Compliance Quick Reference

1. Authentication & SSO

1.1 Configure SAML Single Sign-On

Profile Level: L1 (Baseline)

Framework	Control
CIS Controls	6.3, 12.5
NIST 800-53	IA-2, IA-8

Description

Configure SAML SSO to centralize authentication for Fullstory users.

Prerequisites

Fullstory admin access
Enterprise plan
SAML 2.0 compatible IdP

ClickOps Implementation

Step 1: Access SSO Settings

Navigate to: Settings → Security → Single Sign-On
Enable SAML SSO

Step 2: Configure SAML

Configure IdP settings:
- SSO URL
- Entity ID
- Certificate
Download Fullstory metadata for IdP

Step 3: Test and Enforce

Test SSO authentication
Enable SSO enforcement
Configure admin fallback

Time to Complete: ~1-2 hours

1.2 Enforce Two-Factor Authentication

Profile Level: L1 (Baseline)

Framework	Control
CIS Controls	6.5
NIST 800-53	IA-2(1)

Description

Require 2FA for all Fullstory users.

ClickOps Implementation

Step 1: Configure via IdP

Enable MFA in identity provider
All SSO users subject to IdP MFA
Use phishing-resistant methods for admins

2. Access Controls

2.1 Configure User Roles

Profile Level: L1 (Baseline)

Framework	Control
CIS Controls	5.4
NIST 800-53	AC-6

Description

Implement least privilege using Fullstory roles.

ClickOps Implementation

Step 1: Review Roles

Navigate to: Settings → Team
Review available roles:
- Admin
- Standard
- Viewer
Assign minimum necessary role

Step 2: Apply Least Privilege

Use Viewer for read-only access
Limit Admin access
Regular access reviews

2.2 Limit Admin Access

Profile Level: L1 (Baseline)

Framework	Control
CIS Controls	5.4
NIST 800-53	AC-6(1)

Description

Minimize and protect administrator accounts.

ClickOps Implementation

Step 1: Inventory Admins

Review admin accounts
Document admin access
Identify unnecessary privileges

Step 2: Apply Restrictions

Limit admins to 2-3 users
Require SSO for admins
Monitor admin activity

3. Data Privacy

3.1 Configure Privacy Controls

Profile Level: L1 (Baseline)

Framework	Control
CIS Controls	3.1
NIST 800-53	AC-3

Description

Configure privacy controls to protect user data.

ClickOps Implementation

Step 1: Configure Exclusions

Navigate to: Settings → Privacy
Configure element exclusions
Mask sensitive form fields
Exclude sensitive pages

Step 2: Configure Data Masking

Enable private by default mode
Mask input fields
Block sensitive data capture

3.2 Configure Data Retention

Profile Level: L2 (Hardened)

Framework	Control
CIS Controls	3.1
NIST 800-53	SI-12

Description

Configure data retention policies.

ClickOps Implementation

Step 1: Configure Retention

Set appropriate retention period
Configure data deletion
Support deletion requests (GDPR/CCPA)

4. Compliance Quick Reference

SOC 2 Trust Services Criteria Mapping

Control ID	Fullstory Control	Guide Section
CC6.1	SSO/2FA	1.1
CC6.2	User roles	2.1
CC6.7	Privacy controls	3.1

NIST 800-53 Rev 5 Mapping

Control	Fullstory Control	Guide Section
IA-2	SSO	1.1
AC-6	User roles	2.1
AC-3	Privacy controls	3.1

Appendix A: References

Official Fullstory Documentation:

API & Developer Documentation:

Fullstory Developer Portal

Compliance Frameworks:

SOC 2 Type II, SOC 3, ISO 27001:2022, ISO 27017, ISO 27018, ISO 27701, ISO 42001 — via Trust Center
First in its industry to achieve ISO 42001 (AI Management System) certification
Annual comprehensive internal and independent external audits

Security Incidents:

No major public security incidents identified affecting the Fullstory platform.

Changelog

Date	Version	Maturity	Changes	Author
2025-02-05	0.1.0	draft	Initial guide with SSO and privacy controls	Claude Code (Opus 4.5)

Contributing

Found an issue or want to improve this guide?

Report outdated information: Open an issue with tag content-outdated
Propose new controls: Open an issue with tag new-control
Submit improvements: See Contributing Guide

Fullstory Hardening Guide

Overview

Intended Audience

How to Use This Guide

Scope

Table of Contents

1. Authentication & SSO

1.1 Configure SAML Single Sign-On

Description

Prerequisites

ClickOps Implementation

1.2 Enforce Two-Factor Authentication

Description

ClickOps Implementation

2. Access Controls

2.1 Configure User Roles

Description

ClickOps Implementation

2.2 Limit Admin Access

Description

ClickOps Implementation

3. Data Privacy

3.1 Configure Privacy Controls

Description

ClickOps Implementation

3.2 Configure Data Retention

Description

ClickOps Implementation

4. Compliance Quick Reference

SOC 2 Trust Services Criteria Mapping

NIST 800-53 Rev 5 Mapping

Appendix A: References

Changelog

Contributing