
Fathom Analytics Data Processing Agreement

Last updated: December 14, 2021

If you're a customer and would like to sign our DPA, you can download it here, sign it, and send it back to dpa@usefathom.com.

1. Introduction

These Data Processing Terms (“Data Processing Terms”) constitute an integral part of, and shall be read within the context of, the Fathom Analytics terms and conditions applicable at any time (“Terms and Conditions”), accessible at: usefathom.com/terms. The Service is operated by Conva Ventures Inc. (“us”, “we”, or “our”).

The Data Processing Terms apply only when you, as a subscriber to the Service:

  1. are subject to Regulation 2016/679, the General Data Protection Regulation (“GDPR”), and,
  2. use the Service with an active account, in accordance with the Terms and Conditions.

These Data Processing Terms govern our processing of personal data as processor, on behalf of you as controller. All terms used herein which coincide with terms used in the GDPR shall have the meaning assigned to them in the GDPR.

2. Purpose and Subject Matter

We will process personal data on behalf of you as the controller, for the purposes of providing the Service in accordance with the Terms and Conditions. We anonymize and aggregate personal data when using data to provide, improve or modify the Services. Processing of personal data will cover the categories of personal data that are facilitated by the Service, for the purposes specified above and only to the extent necessary to fulfil such purposes. This is limited to IP address and User-Agent.

The categories of data subjects are visitors to websites where you have incorporated our Service. Additional information on how we implement privacy-by-design and data minimisation can be found on our website at: usefathom.com/data. For the sake of clarity, we temporarily store the IP address & User Agent of data subjects to keep count of traffic the Service receives, in order to protect the Service and prevent DDoS attacks.

3. Your Rights and Obligations as Controller

You agree and warrant that:

  1. You have a legal basis to submit the personal data to us for processing, and that you are responsible for the accuracy, integrity, content and legality of the personal data processing, including the legality of any third country transfer or additional instructions;
  2. The processing of personal data is not in violation of the GDPR and any local law applicable to You;
  3. You, as controller of the processing, are the party responsible for notifying applicable regulatory authorities and/or data subjects in case of a personal data breach, pursuant to the GDPR and other applicable data protection regulations;
  4. You, by way of your risk assessment, have verified that the Services’ security measures are appropriate and proportionate to the applicable processing;
  5. We have provided sufficient guarantees in terms of logical, technical and organizational security measures.

4. Our Obligations as Processor

We will:

  1. only process personal data in accordance with these Data Processing Terms and the Terms and Conditions, or pursuant to your reasonable written instructions.
  2. ensure that persons authorized to process the personal data are subject to adequate confidentiality obligations.
  3. ensure that EU data subjects’ IP Address and User Agent are processed, and anonymized, on EU-controlled servers (EU Isolation), owned by a German company, before such anonymized data is processed on any of our US-controlled infrastructure. This measure is a response to the Schrems II ruling (C-311/18 - Facebook Ireland and Schrems).
  4. seek to ensure appropriate security when processing personal data, by means of planned and systematic organisational and technical measures pursuant to GDPR article 32.
  5. by appropriate technical and organisational measures, insofar as this is possible, provide reasonable assistance with your obligations pursuant to GDPR articles 32 to 36 and for the fulfilment of your obligation to respond to requests for exercising the data subject’s rights as set out in GDPR Chapter III.
  6. in case of a personal data breach, notify you without undue delay after becoming aware of the personal data breach, and assist in providing information necessary for you to comply with your obligations under GDPR articles 33 and 34.
  7. unless prohibited by law, notify you of government access requests, and only disclose personal data to government authorities or third parties when strictly necessary to comply with a legally binding request.

5. Audit

You accept and acknowledge that security audits and inspections will be performed through an independent third party. We will ensure regular self-audits on our data processing activities and systems, as well as our technical and organisational measures. The results of audits and inspections will be made available to you upon request, and we will reasonably assist in providing additional information should the audit results not be satisfactory for you to demonstrate compliance with statutory data protection regulations.

6. Use of Sub-processor

We will, by written agreement with our sub-processors, ensure that any processing of personal data carried out by a sub-processor is governed by the same obligations and limitations as those set out in these Data Processing Terms. We currently use the sub-processors listed in Appendix 1, for which you provide us with your prior and specific authorization. You also provide us with your general written authorisation to change an existing or add a new sub-processor. We will provide 14 days' notice of any plans to change an existing or add a new sub-processor. You are entitled to object to such an addition or change, and must do so by terminating your use of the Service.

7. Deletion of Data

Due to the nature of our Services, we do not process, including storing, any personal data we process on your behalf, for longer than 24 hours. Should your account expire or the Terms and Conditions otherwise terminate, all personal data will be automatically deleted within 24 hours. The deletion of personal data will be done in a secure manner and in accordance with requirements.

8. Duration and termination

These Terms shall come into effect upon the date of execution. The termination or expiration of this Agreement shall not relieve the data processor from their confidentiality obligations.

9. Governing Law and Jurisdiction

These Terms are governed in accordance with the laws of the Province of British Columbia and the federal laws of Canada applicable therein. Any dispute arising in connection with this Agreement, which the parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of British Columbia.

10. Severability

If any term or provision of these Terms is determined by a court of competent jurisdiction to be illegal, invalid, or unenforceable, the provision will be severed from this Agreement and the remaining provisions will continue in full force and effect without amendment.

Appendix 1

The following sub-processors are used to operate the Service:

Sub-processor | Purpose | Location
Hetzner Online GmbH | Infrastructure hosting | Germany
BunnyWay d.o.o. | Content Delivery Network | Slovenia
Amazon Web Services, Inc. (AWS) | Infrastructure hosting | USA* (non-EEA data subjects)

*AWS is only used for processing of personal data for data subjects outside of the EEA.



