Security at Split

Split uses industry-standard security practices and never requires user-identifiable data to be sent to Split servers.

Download the Security Overview

You Own Your Customer Data

Split gives you control over what data is sent back to Split, if any. Targeting features in Split is based on locally-available attributes (in-browser, in-database) live in your app, alongside the Split SDK. Split retains no user-identifiable data by default, and sharing sensitive user data is not required to target features controlled by Split to end-users.

Independent Security Auditing

Split undergoes rigorous third-party security auditing by Gotham Digital Science on an annual basis. Split has achieved OWASP-10 certification; the full report is available upon request.

Industry-standard Access Controls

Split accounts provide two-factor authentication, and administrators can view the 2FA status of any user at any time. Single sign-on is available via Google account sign-in, and for users who create their own Split logins, passwords are stored using an industry-standard encrypted hash format and salted for increased security.

Role-based access controls, managed via groups, allow administrators to set permissions by-environment and by-feature for individuals and teams.

Infrastructure Security

Split’s production servers are hosted in AWS, and subject to all of Amazon’s cloud security protocols. Split’s policies provide limited access to its production environment, granted to only a few well-qualified engineers. Separate staging and production environments are utilized, and main datastore backups occur daily. DDOS protection is provided for Split at the edge via our CDN (Fastly) and through AWS Elastic Load Balancer.


Split employs SSL encryption in transit, with default communications handled over TLS 1.2 security. Split keys and secrets are stored using the Amazon AWS Key Management Service, and login tokens are salted and encrypted for increased security.