DPO is external. It is ePrivacy GmbH who can be reached on email@example.com or by post.
Regarding cloud: https://fr.matomo.org/matomo-cloud-privacy-policy/
Regarding website: https://fr.matomo.org/privacy-policy/
New Zealand 🇳🇿
Servers, databases and logs are hosted in Frankfurt, Germany (cloud provider is AWS New Zealand). Offsite backups are stored in Dublin, Ireland.
Possibility to host Matomo Analytics on client premises.
The adequate level of protection in New Zealand has been approved by the European Commission.
Every transfer of personal data by Matomo to a country which is not a member state of either the EU or the EEA is submitted to prior consent of the controller.
Subcontractors are subjects to written agreements substantially similar to Matomo’s DPA: https://fr.matomo.org/matomo-cloud-dpa/
Matomo has made public its list of subprocessors: https://fr.matomo.org/matomo-cloud-privacy-policy/
Prior to modifying the list of subprocessors, the controller will be notified by email and is able to object.
In case of data breach, Matomo will inform without undue delay the controller by email and provide a description of the incident as well as periodic updates, including the impact on the controller.
Data request will be forwarded to the controller without delay.
Matomo will provide assistance to the controller for DPIAs.
All employees required to access the personal data are deemed informed of the confidential nature of the personal data.
Matomo doesn’t mention having a security policy.
Cloud security relying on Amazon New Zealand.
Users authentication, authorization management, virtual private cloud implementation, firewall rules, bug bounty program, security trainings for employees, encrypted data in transit (HTTPS) and at rest, access journaling and alerting, security incidents tracking, replication of data backups.
Data is encrypted in transit (HTTPS) and at rest.
A subset of employees has access to the products and to personal data via controlled interfaces. Access is enabled through “just in time” requests for access; all such requests are logged.
Backend production environment is accessible by a dedicated group of Privileged Users approved by senior management. Privileged Users may only access backend production environment via a bastion host (2 factor authentication and SSH to log in).
Matomo does not pursue its own purposes with this data processing.
YES, if controller disables « cross domain tracking » and « third party cookies » functionalities.
NO, when data is stored on controller premise.
NO, if controller enables data anonymization when using the Cloud solution.