GDPRunpack
The all-in-one Notion
workspace to help you easily
comply with the GDPR

Analytics Tools Privacy Assessment

We've assessed Google Analytics alternatives on privacy matters to help businesses choose wisely now that Data Protection Authorities have deemed Google Analytics incompatible with safe storage requirements.
Compliant
Partially compliant
Partially compliant
Compliant
Compliant
Partially compliant
Compliant
Compliant
Partially compliant
Compliant
Compliant
Compliant
Compliant
Compliant
Not compliant
Compliant
Compliant
Partially compliant
Compliant
Compliant
Not compliant
Compliant
Partially compliant
Not compliant
Compliant
Compliant
Not compliant
Not compliant
Compliant
Not compliant
Compliant
Compliant
Not compliant
Compliant
Partially compliant
Compliant
Compliant
Compliant
Not compliant
Compliant
Compliant
Partially compliant
Compliant
Compliant
Compliant
Compliant
Compliant
Compliant

Designated DPO or GDPR correspondent

Compliant

DPO is external. It is ePrivacy GmbH represented by Prof. Dr. Christoph Bauer who can be reached on privacy@matomo.org or by post.

Partially Compliant

A DPO is said to be designated but no direct contact or identity was found on Fathom’s website and policies.

Partially Compliant

Simple doesn't mention having a DPO or GDPR correspondent but has a privacy dedicated email contact available on its website: privacyquestions@simpleanalytics.com 

Privacy Policy

Distinction between website and cloud privacy policies explained:

- A cloud privacy policy concerns processing activities operated by the analytics tool (relationship: controller to processor)
- A website privacy policy concerns processing activities operated on the website for commercial and marketing purposes (relationship: controller to controller)

Compliant

Regarding cloud and website: https://usefathom.com/privacy

Partially Compliant

Regarding cloud:
No privacy policy concerning processing activities operated by the analytics tool was found on Simple website.

Regarding website:
https://simpleanalytics.com/privacy-policy 

Country & Type of Data storage

Compliant

Company Headquarters:
New Zealand

Storage Facilities:
Servers, databases and logs are hosted in Frankfurt, Germany (cloud provider is AWS New Zealand). Offsite backups are stored in Dublin, Ireland.

Possibility to host Matomo Analytics on client premises.

Compliant

Company Headquarters:
Canada

Storage Facilities:
EU traffic is processed by German cloud provider Hetzner in Germany and Iceland.

EU residents’ personal data is pseudonymized before being transferred on US servers (cloud provider is AWS), except if option « Extreme EU isolation » is contracted by the controller which ensures data stays in the European Union.

Partially Compliant

Company Headquarters:
The Netherlands (EU)

Storage Facilities:
Data are hosted in The Netherlands but Simple doesn’t specify if they use an external cloud provider or not and what is its nationality.

Data transfers outside the EU

Compliant

The adequate level of protection in New Zealand has been approved by the European Commission.

Every transfer of personal data by Matomo to a country which is not a member state of either the EU or the EEA is submitted to prior consent of the controller.

Compliant

The adequate level of protection in Canada has been approved by the European Commission.

However, Fathom doesn’t transfer data to Canada but to the US after it being pseudonymized.

If chosen by the controller, Fathom option “Extreme EU isolation” ensures data is never transferred outside the EU.

Compliant

Data is deemed not transferred outside the EU.

Data Breach Notification

Compliant

In case of data breach, Matomo will inform without undue delay the controller by email and provide a description of the incident as well as periodic updates, including the impact on the controller.

Compliant

In case of a data breach, Fathom will notify the controller without undue delay after becoming aware of the breach, and assist the controller in providing necessary information.

Partially Compliant

Simple shares technical incidents on its website: https://status.simpleanalytics.com/?ref=simpleanalytics.com

However, Simple doesn’t mention providing assistance to controller in case of data breach.

Right Requests Process

Compliant

Data request will be forwarded to the controller without delay.

Compliant

Reasonable assistance will be provided for the fulfilment of the controller’s obligation to respond to data subjects' right requests.

Not Compliant

Simple doesn’t mention providing assistance to controller in case of a data subject's right request.

Data Privacy Impact Assessment

Compliant

Matomo will provide assistance to the controller for DPIAs.

Partially Compliant

Fathom explains conducting DPIAs on its processing activities but doesn’t mention assistance to controller if needed.

Not Compliant

Simple doesn’t specify having conducted DPIAs or providing assistance to controller if needed.

Employee Trainings

Compliant

All employees required to access the personal data are deemed informed of the confidential nature of the personal data.

Compliant

Persons authorized to process the personal data are subject to confidentiality obligations.

Not Compliant

Simple doesn't mention employee trainings or submission to NDAs.

Security Policy

A security policy is paramount to set organizational and technical principles in place in a business. However, as it often contains sensitive information about the business, it can therefore not be made publicly available.

Not Compliant

Matomo doesn’t mention having a security policy.

Compliant

Fathom mentions having a security policy but has not made it public.

Not Compliant

Simple doesn’t mention having a security policy.

Organizational and technical security measures

Compliant

Server security:
Cloud security relying on Amazon New Zealand.

Other measures:
Users authentication, authorization management, virtual private cloud implementation, firewall rules, bug bounty program, security trainings for employees, encrypted data in transit (HTTPS) and at rest, access journaling and alerting, security incidents tracking, replication of data backups.

Compliant

Server security:
Cloud security relying on Amazon US and Hetzner for German/Icelandic servers.

Other measures:
Hashes (user signature) daily generated via secret key (SHA256) - this equals data pseudonymisation, prevention against DDoS spam attacks, self-audits on data processing activities and systems, strong passwords, data encryption, two-factor authentication.

Not Compliant

Server security:
Simple doesn’t specify organizational and technical security measures on data hosting servers.

Other measures:
Anonymized data (user agents), password encryption, backups on external servers.

Data Encryption

Compliant

Data is encrypted in transit (HTTPS) and at rest.

Partially Compliant

Fathom mentions data encryption but doesn’t precisely says if data is encrypted at rest or in transit.

Compliant

Data is encrypted at rest.

Restriction of access

Compliant

A subset of employees has access to the products and to personal data via controlled interfaces. Access is enabled through “just in time” requests for access; all such requests are logged.

Backend production environment is accessible by a dedicated group of Privileged Users approved by senior management. Privileged Users may only access backend production environment via a bastion host (2 factor authentication and SSH to log in).

Compliant

Fathom only allows external access or processing of personal data in accordance with their instructions and only when strictly necessary (for instance, IT support).

Not Compliant

Simple doesn’t mention any specific restrictions of access to personal data.

Reuse of data

Compliant

Matomo does not pursue its own purposes with this data processing.

Compliant

Fathom only processes personal data pursuant to controller instructions.

Partially Compliant

Simple mentions it will process data confidentially but not if it will be reuse or not.

Submission to Cloud Act/FISA

Under Cloud Act and FISA, American intelligence services can ask to be granted access to personal data when servers are located in the US and when a cloud company is American. To counteract this, personal data can be anonymized or stored only in the European Union (or in an adequate country) by a cloud provider which is not American.

Compliant

NO, when data is stored on controller premise.

NO, if controller enables data anonymization when using the Cloud solution.

Compliant

NO, if controller selects “Extreme EU isolation” storage option. If not, data is only pseudonymized through SHA256 when transferred to Amazon US servers.

Compliant

NO, data is stored in the EU and anonymized (therefore no more considered personal).