Your website can’t just be “kinda” compliant with privacy laws
Lots of analytics software claims to comply with various privacy laws, such as GDPR, PECR or the ePrivacy Directive, but most of them are putting you and your website visitors at risk.
Our latest innovation, EU isolation, was built in collaboration with EU legal experts, and is part of our commitment to simplify your compliance.
EU Isolation is our answer to the Schrems II ruling, and means all your EU traffic is processed in the EU. This feature exists for all customers on all plans and happens without any programming or setup required.
Here's why Fathom is your best option for GDPR compliance
No other analytics software goes to the lengths we do to comply with GDPR, and does it in a way that doesn't hurt your SEO or page load times.
|Personal Data tracked
|EU traffic processed on
|Schrems II compliant
Why EU data isolation matters
It doesn't matter if an analytics company is located in the EU (it doesn't mean they're automatically compliant). What matters more is how and where they process data (and who owns those servers).
If you’re a company in the EU, how and where you process data about website visitors matters for legal compliance. All of your EU traffic is processed on our EU servers, which are owned by a German legal entity, meaning your visitors are protected from FISA and EO12333.
If you’re a company outside the EU, then you still will no doubt have visitors from the EU who require you to follow the same regulations as above (or face hefty fines). That’s why Fathom takes care of this for you, automatically.
Since Fathom is a Canadian corporation (eh), no US entity ever has access to our EU infrastructure, and it’s therefore protected from the US government, allowing you to comply with GDPR (and the Schrems II ruling).
EU Isolation means intelligently routing your visitors
Fathom’s EU Isolation method works by intelligently routing visitors to the right place to process their data. When we say “data,” we’re talking about the user’s IP address, which, along with a User-Agent, could be used to potentially identify an individual in the EU, making it “personal data.”
- If a visitor is outside the EU, our EU-owned CDN (Bunny.net) sends their pageview to our US servers directly, and their "data" (IP address) is anonymized.
- If a visitor is inside the EU, our CDN sends their pageview to our European servers (owned by a German company, Hetzner), and their data is anonymized by hashing and salting it. The secret key used to anonymize this data is stored on the EU servers and never leaves the EU. By doing this, the IP address (personal data under GDPR) is stripped from the request inside of the EU before it hits our US-owned servers. The anonymous data is then stored on our main US servers for fast and easy retrieval on our customer dashboards, but there’s zero Personal Data associated with any of it.
- We don't use US-based cloud providers, such as AWS, Linode, or DigitalOcean, for our EU Isolation infrastructure because they are subject to US spying laws. For consent-free analytics platforms, the new SCCs do not solve the issues raised by the Schrems II ruling.
In all scenarios, Fathom fully protects the privacy of every website visitor’s personal information.
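The routing and anonymization steps described above, as an added example that is not Fathom's code: the pageview is assigned to a region, the IP address and User-Agent are reduced to a keyed hash with a secret held only in that region, and the outgoing record carries neither field. HMAC-SHA256, the country subset, the field names and the secrets are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Illustrative subset only (assumption); a real deployment needs every country in scope.
EU_COUNTRIES = {"DE", "FR", "NL", "IE", "ES"}

# Hypothetical per-region secrets. The EU secret exists only on the EU-side processor.
EU_SECRET = secrets.token_bytes(32)
US_SECRET = secrets.token_bytes(32)


def route(country_code):
    """Decide which processing region handles the pageview."""
    return "eu" if country_code.upper() in EU_COUNTRIES else "us"


def pseudonymize(secret, site_id, ip, user_agent):
    """Keyed hash of the identifying fields.

    The IPv4 space is small enough to enumerate, so an unkeyed or publicly
    salted hash could be matched back to an address; the secret prevents that.
    """
    msg = "\x00".join((site_id, ip, user_agent)).encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def process_pageview(request):
    """Runs inside the chosen region; returns the record allowed to leave it."""
    region = route(request["country"])
    secret = EU_SECRET if region == "eu" else US_SECRET
    return {
        "site_id": request["site_id"],
        "path": request["path"],
        "region": region,
        "visitor": pseudonymize(secret, request["site_id"],
                                request["ip"], request["user_agent"]),
        # ip and user_agent are deliberately not copied into the outgoing record
    }


# Constructed sample request (documentation-range IP address).
SAMPLE = {"site_id": "ABCDEFGH", "path": "/pricing", "country": "de",
          "ip": "203.0.113.7", "user_agent": "Mozilla/5.0 (X11; Linux x86_64)"}

if __name__ == "__main__":
    print(process_pageview(SAMPLE))
```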
You can read more about our data journey and compliance practices.
Frequently asked questions (and answers)
AWS and DigitalOcean have servers in the EU, why couldn't you use them?
Because those EU servers are owned by US cloud providers, they're subject to FISA and they're completely defenceless against EO12333. The Schrems II ruling invalidated the EU-US privacy shield, meaning we could no longer rely on that as a legal transfer mechanism for us to process pageviews/events.
All internet requests include an IP address, which is Personal Data under the GDPR, so we couldn't transfer that to US-owned infrastructure without consent, even if the servers were located in the EU. If we didn't build EU Isolation, you would have to place ugly, detailed consent notices all over your website.
Are other analytics companies breaking the law?
Other analytics companies that are using US-controlled cloud providers (DigitalOcean, AWS, etc.) are required to put SCCs in place, along with adequate supplementary measures to protect EU visitor Personal Data (IP address, etc.). Simple, right?
Unfortunately, the EDPB (European Data Protection Board) states the following in Use Case 6: Transfer to cloud services providers or other processors which require access to data in the clear (Source).
This is why we spent many months building Fathom's EU Isolation feature, working with our lawyers and privacy officer to get specific details correct. With our automatic EU Isolation feature, you don't have to worry about US-controlled cloud providers accessing data in the clear.
How fast and reliable is your EU infrastructure?
Our EU Cloud is monitored 24/7, highly available, multi-region and has enough capacity to process Bieber-level traffic. And, as usual, this feature is available to all customers on all plans.
How do I enable EU isolation?
If you’re a Fathom customer, then congratulations, you’re already using EU isolation and complying with privacy laws! We enable this by default for everyone on every plan.
Is EU isolation available to me on my current plan?
Yes! Base or Plus, you get full coverage here. So even with our lowest plan, you can take advantage of EU isolation for your Fathom account. It’s enabled by default.
Why process and anonymize an IP address in the first place?
Whenever you visit a website, your IP address and User-Agent are sent to that website's servers (that's just how the internet works). Some websites retain raw logs of that information, keeping tabs on what you're browsing, whilst others (i.e. Fathom Analytics) guarantee that your visit is anonymized and not used against you. You can read more about this on our data journey.
Fathom is a Canadian company, how does this work legally?
Canada has an adequacy ruling under the GDPR. This means we can simply work with a German cloud hosting provider and not transfer any personal data (IP) of EU data subjects to US-controlled servers.