Disclaimer: The information below is not legal advice, and we don’t accept any legal liability. We have received our own legal advice, and this page is our interpretation of the law. If you have any concerns regarding GDPR compliance, please forward this page to your legal team.
Update: We've addressed the Schrems II ruling by launching EU Isolation and have documented our Schrems II Compliance, so please take a read.
The GDPR, General Data Protection Regulation (EU) 2016/679, is a piece of regulation that came out of the European Union and shook the business world. You likely remember when it first landed and companies were panicking about compliance. Some people think it's an overreaching law, whilst others were incredibly grateful that lawmakers stepped in to protect their digital privacy.
We’ve been working with GDPR (and compliance with it) since we started our business. And yes, it is a good amount of work to get everything in order, but it’s an incredibly fair piece of legislation. When you dive into it, it’s obvious that the lawmakers wanted to leave flexibility in place for businesses whilst protecting the digital privacy of data subjects.
Is Fathom Analytics GDPR Compliant?
We believe so. Our GDPR compliance is relevant from two perspectives:
- When we process personal data for our own purposes, as a controller (for example processing related to customers, employees etc.)
- When we process personal data of our customers’ website visitors and we act as a data processor
The following information will focus on how Fathom is GDPR compliant when it comes to the latter: when we're a processor. And whilst we're not in a position to offer legal advice, we invest heavily in compliance and have a fantastic EEA-based privacy officer who keeps us up to date with all the latest changes.
Here’s what we do to ensure GDPR compliance:
- We focus on the intent of the GDPR. The fundamental goal of the regulation is to protect the privacy and personal data of people in the EU. With everything we do, we ask ourselves whether it poses any risk to our customers’ website visitors.
- We are big believers in data minimization. Collecting less data is one of the easiest ways to reduce the risk to data subjects.
- We have a lawful basis for the processing we do. And we run privacy risk assessments whenever we need to make a significant change (e.g. when we had to enable basic, heavily redacted IP access logs after we were DDoS attacked).
- We encourage our customers to do a Legitimate Interest Assessment, which can easily be prepared based on all the information provided on our website.
- We offer our customers a data processing agreement in line with Article 28(3) GDPR.
Our role as a data processor
As per the GDPR, you, as our customer, are the controller for the processing of any personal data on your website. For personal data related to your use of Fathom Analytics, we're the processor, meaning that we process this data on your behalf.
As a processor, we’re subject to several GDPR requirements, for example:
- Enter into data processing terms with you, the controller, which include allowing for audits/inspections (Article 28(3)). Read more on this below.
- Ensure that everyone under our authority processes data only as instructed and, importantly, is subject to confidentiality (Articles 28, 29 and 32(4)).
- Maintain records of the processing we carry out on your behalf (Article 30(2)).
- Cooperate with supervisory authorities (Article 31).
- Assess risks and implement both technical and organizational measures to ensure an adequate level of security (Article 32).
- Notify you without undue delay in the event of a personal data breach (Article 33(2)).
Personal data we process (as a data processor)
We go into significant detail on this in our data journey page. In brief, we:
- Process personal data (IP Address and User-Agent) on your behalf, for as long as you’re a customer (after that, we delete the data).
- Keep pseudonymized data for around 48 hours. After that, the hash salts (explained here) are removed from our system, and there's no feasible way for anybody to brute force the hashes. The hash salts we use are SHA-256 hashes, and brute-forcing a hash of this kind would require on the order of 10^44 times Gross World Product (GWP); GWP in 2019 was US$88.08 trillion. So although the data started as pseudonymized, there's no real path to brute force these hashes once the salts are gone, as there are far too many possible combinations to try.
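To make the point about salt deletion concrete, here is an added illustration of salted pseudonymization with a per-window salt. It is example code written for this page, not Fathom's own code, and Fathom's actual scheme is only linked above, not shown; the HMAC-SHA256 construction, the `\x00` separator, the sample IP/User-Agent and the /24 range are all assumptions made for the illustration. It shows why the salt is the thing that matters: while the salt exists, a pseudonym can be reversed cheaply by enumerating candidate IP addresses (the IPv4 space is only 2^32 and a User-Agent is largely guessable); once the 256-bit salt is destroyed, the same attack means guessing the salt, which is the "too many combinations" case.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed sample visitor data for the illustration (not real traffic).
SAMPLE_IP = "203.0.113.42"
SAMPLE_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"


def new_salt() -> bytes:
    """Fresh 256-bit random salt for one retention window.

    The salt is the secret: it is rotated per window and deleted afterwards.
    """
    return secrets.token_bytes(32)


def visitor_id(salt: bytes, ip: str, user_agent: str) -> str:
    """Pseudonymous visitor id: HMAC-SHA256 over IP and User-Agent keyed by the salt.

    Within one salt window the same visitor maps to the same id (so visits can be
    counted); a new salt gives an unlinkable id, and nothing else is stored.
    """
    message = f"{ip}\x00{user_agent}".encode()
    return hmac.new(salt, message, hashlib.sha256).hexdigest()


def recover_ip(salt: bytes, target_id: str, user_agent: str, cidr: str):
    """Dictionary attack an attacker can run *if they hold the salt*.

    With the salt and a guessed User-Agent, reversing the pseudonym only needs
    a walk over candidate IPs (here a single /24). Without the correct salt the
    same walk finds nothing, and the attacker is left guessing 2^256 salts.
    """
    for addr in ipaddress.ip_network(cidr).hosts():
        candidate = visitor_id(salt, str(addr), user_agent)
        if hmac.compare_digest(candidate, target_id):
            return str(addr)
    return None


def demo() -> dict:
    """Run the full story: stable id within a window, unlinkable across windows,
    reversible with the salt, not reversible without it."""
    window_salt = new_salt()
    pid = visitor_id(window_salt, SAMPLE_IP, SAMPLE_UA)
    return {
        "stable_within_window": pid == visitor_id(window_salt, SAMPLE_IP, SAMPLE_UA),
        "unlinkable_after_rotation": pid != visitor_id(new_salt(), SAMPLE_IP, SAMPLE_UA),
        "recovered_with_salt": recover_ip(window_salt, pid, SAMPLE_UA, "203.0.113.0/24"),
        "recovered_without_salt": recover_ip(new_salt(), pid, SAMPLE_UA, "203.0.113.0/24"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The takeaway for an auditor is that retention of the pseudonymized rows is not the sensitive part; retention of the salt is. A design review should confirm that salts are generated with a CSPRNG, never logged or backed up, and actually deleted at the end of the window.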
The data processing agreement (DPA), including audits/inspections
The DPA is the key document for the processing of personal data we do on your behalf. You’ll find it here: Fathom Analytics Data Processing Agreement.
The DPA is already a part of our contract when you become our customer, so you don’t have to obtain a signed copy for it to be valid (but if you want one, just follow the instructions on the page!).
As a controller, you not only have to ensure you have such binding agreements in place with all the processors you use—you also have to audit them. The GDPR doesn’t specify exactly how you’re supposed to do that, but, luckily, we have active data protection authorities helping with that!
Datatilsynet in Denmark, especially, provides practical guidance for auditing processors. Here’s a link to their nice overview page for all things Controllers and Processors. Our Danish isn’t great, though, so fortunately our (Norwegian) privacy officer has translated their guidance. Read it here: Auditing your GDPR processors.
The guidance comprises a point scale and six audit concepts. First, determine the risks associated with the processing and processor by evaluating various aspects. Then, tally the points and select the appropriate audit concept.
In short, the more sensitive, complex and comprehensive your processing is, the higher the score—and more rigorous audits.
For the majority of our customers, we think that Fathom Analytics will score about 1-3 points, depending on the number of website visitors. Then, considering our type of service, concept 1 or 2 will likely suffice, especially when comparing with the examples Datatilsynet provides in their guidance.
Further, according to Datatilsynet's guidance, you either won't have to carry out active audits at all, or only every other year.
For both concepts, the following applies:
- If you use a trustworthy and reputable processor, you can expect them to comply with the data processing agreement (DPA).
- In this situation, you don't need to do anything unless you become aware of relevant incidents or changes. Security breaches or (major) organizational changes at the processor, whether reported in news stories or directly communicated by the processor, could be potential concerns.
- If you’d like more assurance, Datatilsynet states that a written confirmation from the processor, stating that all requirements in the DPA are continuously upheld, will suffice.
💡 In Datatilsynet’s example, a hairdresser scores 1 point, and only has to ensure that they have a valid DPA in place. (Our privacy officer thought this was a bit odd, though, since most hairdressers process allergies… 🤷🏻♀️). In their example with 3 points, a web shop using a payment processor, Datatilsynet considers it sufficient to only confirm the validity of the DPA every other year.
Finally, Datatilsynet recommends that you always save your correspondence with the processor. Less is not more when it comes to the GDPR. ;)
So the answer is, yes, we’ve built our software with the intent to be GDPR compliant, and we take the privacy of all your website visitors very seriously. All individuals should be protected on the internet, and we wouldn’t dream of profiling them or selling their browsing habits. Fathom Analytics’s business model is to charge for software, not to exploit and profit from your personal data.