Plausible

Audited

Designated DPO or GDPR correspondent

Plausible doesn't mention having a DPO or GDPR correspondent, but a dedicated privacy email contact is available on its website: privacy@plausible.io

Privacy Policy

Country & Type of Data storage

Company Headquarters:
Estonia 🇪🇪  (EU) 🇪🇺

Storage Facilities:
All analytics data is processed by German cloud provider Hetzner, in Germany.

Plausible Analytics can also be self-hosted on the controller's own premises.

Data transfers outside the EU

Plausible doesn’t transfer analytics data outside the EU.

Legal tools for Subcontractors

For every subcontractor, Plausible assesses its commitment to privacy and signs a DPA including controller-processor Standard Contractual Clauses.

Plausible has made public its list of subprocessors: https://plausible.io/privacy

Data Breach Notification

In case of a data breach, Plausible will notify the controller by email without undue delay (no later than 48 hours after becoming aware of it) and provide a description of the incident as well as periodic updates about the incident, including its impact.

Right Requests Process

Data requests will be forwarded to the controller without delay.

Data Privacy Impact Assessment

Plausible will provide assistance to the controller for DPIAs.

Employee Trainings

Employees who need to access analytics data are informed of the confidential nature of the data and must comply with the GDPR obligations set out in the DPA.

Security Policy

Plausible doesn’t mention having a security policy.

Organizational and Technical Security Measures

Server security:
Cloud security is provided by Hetzner.

Other measures:
data anonymisation, data pseudonymisation (hashing), DDoS protection, backups at a redundant site.

Data Encryption

Data is encrypted in transit (HTTPS) and at rest.

Restriction of access

Plausible allows access to or processing of personal data only by employees bound by confidentiality clauses, for IT support and maintenance purposes.

Reuse of data

Plausible doesn’t reuse analytics data or share it with third-parties.

Exemption of cookie consent

Plausible doesn't set any cookies.

Submission to Cloud Act/FISA

No: data is stored in the EU by a European cloud provider.

Updates

March 22, 2022: Privacy Score has increased from 79 to 94
March 22, 2022: Listed on PrivacyBoard with a score of 94
March 22, 2022: Has been audited by PrivacyBoard
March 16, 2022: Privacy Score has increased to 79%
March 16, 2022: Listed on PrivacyBoard with a score of 79%
March 16, 2022: Has been audited by PrivacyBoard