Privacy Battles
Fathom
Privacy Score
94
%
⚔️
Abralytics
Privacy Score
28
%

Designated DPO or GDPR correspondent

Compliant
Partially Compliant
Not Compliant

A DPO is said to be designated but no direct contact or identity was found on Fathom’s website and policies.

Compliant
Partially Compliant
Not Compliant

Abralytics doesn't mention having a DPO or GDPR correspondent and doesn’t display a privacy dedicated contact channel.

Privacy Policy

Compliant
Partially Compliant
Not Compliant

Regarding cloud and website: https://usefathom.com/privacy

Compliant
Partially Compliant
Not Compliant

Regarding website and cloud: https://www.abralytics.com/privacy

It is unclear whether the privacy policy available on Abralytics website applies both for the website and cloud service.

Besides, it doesn’t provide sufficient information to data subjects regarding Article 13 and 14 of the GDPR (data retention periods, legal basis, etc.).

Country & Type of Data storage

Compliant
Partially Compliant
Not Compliant

Company Headquarters:
Canada 🇨🇦

Storage Facilities:
EU traffic is processed by German cloud provider Hetzner in Germany and Iceland.

EU residents’ personal data is pseudonymized before being transferred on US servers (cloud provider is AWS), except if option « Extreme EU isolation » is contracted by the controller which ensures data stays in the European Union.

Compliant
Partially Compliant
Not Compliant

Company Headquarters:

Ireland (EU)

Storage Facilities:

Data is hosted in the EU but Abralytics doesn’t specify in which country, nor which external cloud provider it uses and what is its nationality.

Data transfers outside the EU

Compliant
Partially Compliant
Not Compliant

The adequate level of protection in Canada has been approved by the European Commission.

However, Fathom doesn’t transfer data to Canada but to the US after it being pseudonymized.

If chosen by the controller, Fathom option “Extreme EU isolation” ensures data is never transferred outside the EU.

Compliant
Partially Compliant
Not Compliant

Data is deemed not transferred outside the EU, but that information needs to be verified (cloud provider and its nationality are unknown).

Legal tools for Subcontractors

Compliant
Partially Compliant
Not Compliant

Subcontractors are subjects to written agreements substantially similar to Fathom’s DPA: https://usefathom.com/dpa

Fathom has made public its list of subprocessors: https://usefathom.com/dpa

Prior to modifying the list of subprocessors, the controller will be notified by email and is able to object.

Fathom conducts risk assessments for every data processor used.

Compliant
Partially Compliant
Not Compliant

Abralytics doesn’t mention any subcontractors nor its process to contract with them.

Data Breach Notification

Compliant
Partially Compliant
Not Compliant

In case of a data breach, Fathom will notify the controller without undue delay after becoming aware of the breach, and assist the controller in providing necessary information.

Compliant
Partially Compliant
Not Compliant

Abralytics doesn’t mention directly notifying controllers of a data breach in a determined delay, nor providing assistance to controllers to notify the breach to the Supervisory authority.

Right Requests Process

Compliant
Partially Compliant
Not Compliant

Reasonable assistance will be provided for the fulfilment of the controller’s obligation to respond to data subjects' right requests.

Compliant
Partially Compliant
Not Compliant

Abralytics doesn’t mention providing assistance to controllers in case of a data subject's right request.

Data Privacy Impact Assessment

Compliant
Partially Compliant
Not Compliant

Fathom explains conducting DPIAs on its processing activities but doesn’t mention assistance to controller if needed.

Compliant
Partially Compliant
Not Compliant

Abralytics doesn’t specify having conducted DPIAs or providing assistance to controllers if needed.

Employee Trainings

Compliant
Partially Compliant
Not Compliant

Persons authorized to process the personal data are subject to confidentiality obligations.

Compliant
Partially Compliant
Not Compliant

Abralytics doesn't mention employee training or submission to NDAs.

Security Policy

Compliant
Partially Compliant
Not Compliant

Fathom mentions having a security policy but has not made it public.

Compliant
Partially Compliant
Not Compliant

Abralytics doesn’t mention having a security policy.

Organizational and Technical Security Measures

Compliant
Partially Compliant
Not Compliant

Server security:
Cloud security relying on Amazon US and Hetzner for German/Icelandic servers.

Other measures:
Hashes (user signature) daily generated via secret key (SHA256) - this equals data pseudonymisation, prevention against DDoS spam attacks, self-audits on data processing activities and systems, strong passwords, data encryption, two-factor authentication.

Compliant
Partially Compliant
Not Compliant

Abralytics doesn’t mention having a security policy.

Data Encryption

Compliant
Partially Compliant
Not Compliant

Fathom mentions data encryption but doesn’t precisely says if data is encrypted at rest or in transit.

Compliant
Partially Compliant
Not Compliant

Data encryption is never mentioned.

Restriction of access

Compliant
Partially Compliant
Not Compliant

Fathom only allows external access or processing of personal data in accordance with their instructions and only when strictly necessary (for instance, IT support).

Compliant
Partially Compliant
Not Compliant

Abralytics doesn’t mention any specific restrictions of access to personal data.

Reuse of data

Compliant
Partially Compliant
Not Compliant

Fathom only processes personal data pursuant to controller instructions.

Compliant
Partially Compliant
Not Compliant

Abralytics doesn’t sell any data. Controllers stay owners of personal data.

Exemption of cookie consent

Compliant
Partially Compliant
Not Compliant

YES, Fathom technology doesn’t require cookies.

Compliant
Partially Compliant
Not Compliant

YES, Abralytics doesn’t collect cookies.

Submission to Cloud Act/FISA

Compliant
Partially Compliant
Not Compliant

NO, if controller selects “Extreme EU isolation” storage option. If not, data is only pseudonymized through SHA256 when transferred to Amazon US servers.

Compliant
Partially Compliant
Not Compliant

NO, data is stored in the EU and anonymized (therefore no more considered personal).