Security

We use multiple cloud providers to help us deliver our service.

Note: while we do use Amazon Web Services (AWS), all of your EU website traffic is processed via EU isolation. Your EU website visitors' Personal Data (IP address or user agent) never touches US infrastructure. Your compliance is a number one priority for us. We have a detailed section on Privacy law compliance, with a detailed data journey if you'd like to learn more.

The following is an overview of the security of various services we use to power Fathom:

Service providers

The following is a list of the key service providers we rely on to power Fathom Analytics.

bunny.net (CDN)

Analytics collection is routed via our EU-based CDN, bunny.net, to achieve EU isolation. The CDN is distributed worldwide, and your website visitors will hit the data center closest to them.

We use SSL / TLS to ensure connections between your website visitors and our CDN are encrypted.

Bunny automatically routes EU data to Hetzner Online GmbH (for GDPR compliance via EU isolation or to Amazon Web Services (AWS) for non-EU traffic.

Hetzner Online GmbH

Hetzner Online GmbH powers our EU Isolation set-up, where we keep Personal Data (as per GDPR definition) isolated in the EU. Our Hetzner cluster is highly available, distributed across Nuremberg (Germany), Falkenstein (Germany) and Helsinki.

Hetzner employs the following security measures to protect our infrastructure:

• Video-monitored high-security perimeter fencing around the entire data center park
• Entry via electronic access control terminals with a transponder key or admission card
• Ultra-modern surveillance cameras for 24/7 monitoring of access routes, entrances, security door interlocking systems and server rooms
• Certified in accordance with DIN ISO/IEC 27001, an internationally recognized standard for information security
• More information can be found here

Fathom Analytics employs the following security measures to protect our Hetzner infrastructure:

• Access to our Hetzner infrastructure is limited to engineers based in Germany and Canada.
• Continuous Integration is self-hosted via GitLab, not GitHub, to ensure no US service, company, or individual has access to our EU Isolation infrastructure.

Amazon Web Services (AWS)

Amazon Web Services is utilized to process website traffic for traffic outside of the EU.

As you might imagine, Amazon Web Services has incredible levels of security:

• Cloud Security
• Compliance Programs

Fathom Analytics employs the following security measures to protect our AWS infrastructure:

• Access keys are regularly audited and, where appropriate, deleted
• Only management has direct access to our AWS account

SingleStore

SingleStore is the world's leading database provider, and we use them to store analytics data and application data. Of course, when data is routed via EU Isolation, no Personal Data hits SingleStore, as it's a US provider.

SingleStore employés the following security measures:

• SingleStore has secured industry-leading security certifications, including ISO/IEC 27001 and SOC 2 Type 2
• Data encryption is supported at the time of ingest and when delivered across nodes using SSL and TLS 1.2. Easy to integrate third-party encryption for data at rest.
• Database clusters are isolated from each other to guarantee the confidentiality and integrity of our data.
• End-to-end encryption both for data in transit and data at rest.

Fathom Analytics employees the following security measures to protect our SingleStore infrastructure: * Utilization of complex usernames and passwords, which are cycled periodically for maximum security, along with a UUID connection hostname, which nobody ever sees outside of the management team * We practice data minimization, meaning we only store what we need to, with zero excess data entering the database

Additional security measures

We take the following steps to ensure the highest level of protection for the service:

• We heavily restrict access to our infrastructure and personal data. Employees and contractors do not have access to information such as your address, as we treat this with extreme confidentiality. Our support staff would have access to your email & full name only when required for support requests.
• Confidentiality obligations bind all employees, contractors, and agents
• App security: All access to Fathom Analytics is secured over SSL (HTTPS), ensuring the information is encrypted. We utilize managed services to ensure we have the best engineers in the world working on our infrastructure, and we hire the best engineers possible when we have to build infrastructure ourselves (e.g. EU Isolation)
• Our servers are all highly available, meaning that, in the event of a failure, there is an active-standby (often in another availability zone)
• We utilize SQS as our queue system, which is a highly available queue system, to ensure we don't lose essential jobs
• 256-bit SSL encryption within our application and for payment processing.
• We one-way hash your Fathom password, meaning we can't covert it back to a plain text original
• We run multiple firewalls to protect from DDoS & spam attacks
• We utilize external monitoring to ensure we are notified in the rare event of a service issue. Outside of that, we have managed service providers who have huge teams of engineers managing our infrastructure for us.

If you have any questions about security at Fathom Analytics, please reach out at support@usefathom.com, and we'd be happy to answer your questions.

We also have a security bounty program

We reward ethical researchers who share critical security issues as part of our commitment to privacy and security. That way, we can prioritize resolving issues as quickly as possible to protect our customers. Learn more here.