Security at Split

Split uses industry-standard security practices and never requires
user-identifiable data to be sent to Split servers.

Customer Data Protection

You Own Your Customer Data

We take customer data protection very seriously. You have complete control over what data is sent back to Split. Targeting features in our platform is based on locally available attributes (in-browser and in-database) that are present in your app along with the Split SDK. No user identifiable data is retained by default as sharing sensitive user data is not required to target features controlled by Split end users.

Independent Security Auditing

Split undergoes rigorous third-party security auditing by Gotham Digital Science on an annual basis. Split has achieved OWASP-10 certification; the full report is available upon request.

Gotham Digital Science OWASP
Industry-standard Access Control

Industry-standard Access Controls

Split accounts provide two-factor authentication, and administrators can view the 2FA status of any user at any time. Single sign-on is available via SAML and Google account sign-in. For users who create their own Split logins, passwords are stored using an industry-standard encrypted hash format and salted for increased customer data security.

Role-based access controls, managed via groups, allow administrators to set permissions by-environment and by-feature for individuals and teams.

Infrastructure Security

Infrastructure Security

Split’s production servers are hosted in AWS, and subject to all of Amazon’s cloud security protocols. Split’s policies provide limited access to its production environment, granted to only a few well-qualified engineers. Separate staging and production environments are utilized, and main datastore backups occur daily. DDOS protection is provided for Split at the edge via our CDN (Fastly) and through AWS Elastic Load Balancer.



Split employs SSL encryption in transit, with default communications handled over TLS 1.2 security. Split keys and secrets are stored using the Amazon AWS Key Management Service, and login tokens are salted and encrypted for increased security.