Your website can’t just be “kinda” compliant with privacy laws

Lots of analytics software claims to comply with various privacy laws, such as GDPR, PECR or the ePrivacy Directive, but most of them are putting you and your website visitors at risk.

Our latest innovation, EU isolation, was built in collaboration with EU legal experts, and is part of our commitment to simplify your compliance.

EU Isolation is our answer to the Schrems II ruling, and means all your EU traffic is processed by our German provider (Hetzner). This feature exists for all customers on all plans and happens without any programming or setup required.

NEW EU: Google Analytics is illegal

Here's why Fathom is your best option for GDPR compliance:

	Google Analytics	Other analytics	Fathom Analytics
Personal Data collected	😂 😂 😂	Sometimes	Never
Anonymized logs	No	Sometimes	Yes
EU traffic processed on EU-owned servers	No	Sometimes	Yes
Schrems II compliant	No	Sometimes	Yes
GDPR compliant	No	Sometimes	Yes

Why EU data isolation matters

If you’re a company in the EU, how and where you process data about website visitors matters for legal compliance. All of your EU traffic is processed on our EU servers, which are owned by a German legal entity, meaning your visitors are protected from FISA and EO12333.

If you’re a company outside the EU, then you still will no doubt have visitors from the EU who require you to follow the same regulations as above (or face hefty fines). That’s why Fathom takes care of this for you, automatically.

Since Fathom is a Canadian corporation (eh), no US entity ever has access to our EU infrastructure, and it’s therefore protected from the US government, allowing you to comply with GDPR (and the Schrems II ruling).

It doesn't matter if an analytics company is located in the EU (it doesn't mean they're automatically compliant). What matters more is how and where they process data (and who owns those servers).

EU Isolation means intelligently routing your visitors

Fathom’s EU Isolation method works by intelligently routing visitors to the right place to process their data. When we say “data,” we’re talking about the user’s IP address, which, along with a User-Agent, could be used to potentially identify an individual in the EU, making it “personal data.”

If a visitor is outside the EU, our EU-owned CDN (Bunny.net) sends their pageview to our US servers directly and anonymize their "data" (IP address).
If a visitor is inside the EU, our CDN sends their pageview to our European servers (owned by a German company, Hetzner) and anonymize their data by hashing and salting it. The secret key used to anonymize this data is stored on the EU servers and never leaves the EU. By doing this, the IP Address (personal data under GDPR) is stripped from the request inside of the EU before it hits our US-owned servers. The anonymous data is then stored on our main US servers for fast and easy retrieval on our customer dashboards, but there’s zero Personal Data associated with any of it.
We don't use US-based cloud providers, such as AWS, Linode, or DigitalOcean, for our EU Isolation infrastructure because they are subject to US spying laws. For consent-free analytics platforms, the new SCCs do not solve the issues raised by the Schrems II ruling.
If you wish to process all global traffic on our EU-owned infrastructure, you can turn on “Extreme EU Isolation” for any website and our US infrastructure will never receive "data" (IP address) of your website visitors.

In all scenarios, Fathom fully protects the privacy of every website visitor’s personal information.

You can read more about our data journey and compliance practices.

Frequently asked questions

AWS & DigitalOcean have servers in the EU, why couldn't you use them?

Because those EU servers are owned by US cloud providers, they're subject to FISA and they're completely defenceless against EO12333. The Schrems II ruling invalidated the EU-US privacy shield, meaning we could no longer rely on that as a legal transfer mechanism for us to process pageviews/events.

All internet requests include an IP address, which is Personal Data under the GDPR, so we couldn't transfer that to US-owned infrastructure without consent, even if the servers were located in the EU. If we didn't build EU Isolation, you would have to place ugly, detailed consent notices all over your website.

How fast and reliable is your EU infrastructure?

Our EU Cloud is monitored 24/7, highly available, multi-region and has enough capacity to process Bieber-level traffic. And, as usual, this feature is available to all customers on all plans.

Can I route all of my traffic through the EU?

Yes. Some of our customers want to route all of their traffic, even from folks in the US, through EU Isolation. This isn’t required by law, and is usually a case of not wanting US cloud providers to handle *any* traffic. If you want to route all of your traffic through the EU, even traffic outside of the EU, you can set EU Isolation to “Extreme” after you set-up a custom domain for your site.

Are other analytics companies breaking the law?

Other analytics companies that are using US-controlled cloud providers (DigitalOcean, AWS, etc.), are required to put SCCs in place, along with adequate supplementary measures to protect EU visitor Personal Data (IP address, etc.). Simple, right?

Unfortunately, the EDPB (European Data Protection Board) states the following in Use Case 6: Transfer to cloud services providers or other processors which require access to data in the clear:

94. A data exporter transfers personal data, whether by electronic transmission or by making it available to a cloud service provider or other processor to have personal data processed according to its instructions in a third country (e.g., for the provision of technical support or any type of cloud processing), and this data is not - or cannot- be pseudonymised as described in Use Case 2 or encrypted as described in Use Case 1 because the processing requires accessing data in the clear.

If

a controller transfers personal data to a cloud service provider or other processor,

the cloud service provider or other processor needs access to the data in the clear in order to execute the task assigned, and

the power granted to public authorities of the recipient country to access the transferred data in question goes beyond what is necessary and proportionate in a democratic society, where in practice problematic legislation of the third country applies to the transfers in question (see Step 3).
then the EDPB is, considering the current state of the art, incapable of envisioning an effective technical measure to prevent that access from infringing on the data subject’s fundamental rights. The EDPB does not rule out that further technological development may offer measures that achieve the intended business purposes, without requiring access in the clear.

95. In the given scenarios, where unencrypted personal data is technically necessary for the provision of the service by the processor, transport encryption and data-at-rest encryption even taken together, do not constitute a supplementary measure that ensures an essentially equivalent level of protection if the data importer is in possession of the cryptographic keys. Source: Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data

This is why we spent many months building Fathom's EU Isolation feature, working with our lawyers and privacy officer to get specific details correct. With our automatic EU Isolation feature, you don't have to worry about US-controlled cloud providers accessing data in the clear.

How do I enable EU isolation?

If you’re a Fathom customer, then congratulations, you’re already using EU isolation and complying with privacy laws! We enable this by default for everyone on every plan. You can turn on “Extreme” by going into your site settings and adjusting it there.

Is EU isolation available to me on my current plan?

Yes! Even with our lowest plan, you can take advantage of EU isolation for your Fathom account. It’s enabled by default.

Why process and anonymize an IP address in the first place?

Whenever you visit a website, your IP address and User-Agent are sent to that website's servers (that's just how the internet works). Some websites retain raw logs of that information, keeping tabs on what you're browsing. Whilst others (i.e Fathom) guarantee that your visit is anonymized and not used against you. You can read more about this on our data journey.

Fathom is a Canadian company, how does this work legally?

Canada has adequacy ruling under the GDPR. This means we can simply work with a German cloud hosting provider and not transfer any personal data (IP) of EU data subjects to US-controlled servers.

Get started for free View a live demo 7 day free trial No cookie notices required GDPR Compliant

Learn more about Fathom Analytics:

Why settle for analytics from only half of your website visitors?
What are simple website analytics?
Why Fathom Analytics is a great Google Analytics alternative.
How Fathom Analytics is GDPR, CCPA and PECR compliant website analytics.
Why Fathom Analytics is the best privacy-focused web analytics tool (and why digital privacy matters).
Why Fathom is website analytics for proudly bootstrapped companies.