How Fibbler keeps your data safe

A practical guide to our security, privacy, and data handling practices. Whether you're evaluating Fibbler or already a customer, this page gives you clear answers to the most common security, privacy, and compliance questions we get - no jargon, no fluff.

The short version

  • All customer and application data is hosted in the EU on Google Cloud and Fly.io (European regions)
  • Immutable infrastructure and security by design
  • We don't process personal data as part of our core product, except your account email
  • We store LinkedIn ads data in our database for performance and analytics. For customers using CRM sync, we also store HubSpot company ID/domain data, all with strict access controls and IP whitelisting
  • We're not SOC 2 or ISO certified, but we completed a third-party audit by Aikido Security
  • You control what gets connected, and nothing happens without your authorization
  • Integrations can be paused or revoked at any time

Frequently asked questions

Where is data stored?

All customer and application data is hosted in the EU on Google Cloud's infrastructure, which operates in European regions. Our application services run on both Google Cloud and Fly.io, ensuring high availability and performance. No customer or application data is processed outside the EU. Google Cloud provides immutable infrastructure and security by design, ensuring your data remains secure and compliant.

Do you process personal data?

No. Fibbler does not process personal data (PII) as part of its core product. The only personal data we handle is your email address, which is used to create and manage your Fibbler account.

We do not process:

  • CRM contacts
  • Personal identifiers
  • LinkedIn messages
  • Sensitive information of any kind

What do you access in HubSpot, Salesforce, or LinkedIn - and why?

We only access company-level and deal/opportunity data required to power the analytics, attribution, and reporting features you explicitly enable.

Salesforce & HubSpot

We fetch data from the following object types using read-only access:

Object           | Fields accessed                                  | Why it's used
Company/Account  | name, domain, ID                                 | To match CRM records to campaigns
Opportunity/Deal | name, amount, status, created/close dates, ID    | For revenue attribution and funnel reporting
Campaign         | name, ID                                         | To group and track marketing campaign data
Custom Fields    | field names only (not values)                    | To allow mapping of ad data into the CRM

Do you store any of that data?

We store LinkedIn ads data in our database to improve performance and enable advanced analytics features. This includes campaign performance metrics, audience exclusions, and attribution data.

For customers using HubSpot CRM sync features, we also store company ID and domain information to improve performance and enable faster data matching. Other CRM data is still fetched in real time via API calls when you actively filter for it in the app.

Content that you explicitly designate for sharing with others is stored in our database for a period of 7 days. All stored data is encrypted at rest with AES-256 before it is written to the database, so the data remains protected even if the database itself is compromised.

Do you push anything back into my CRM?

Only if you explicitly enable it. Some features allow syncing ad data back into HubSpot or Salesforce (for example, updating a custom field), but this is:

  • Off by default
  • Fully user-controlled
  • Limited to the exact fields and actions you've configured

We never write anything back unless you turn it on.

Do you sell or enrich customer data?

No. Never. We don't monetize, resell, enrich, or profile your data - and we never will.

Do you have a security certification?

We are not yet SOC 2 or ISO 27001 certified. We have completed an external third-party security audit by Aikido Security and are currently in the process of obtaining ISO 27001 certification, followed by SOC 2; independent penetration testing is included as part of that process.

Do you run penetration tests?

We perform internal security reviews and depend on Aikido's automated scanning and alerting to monitor our infrastructure, containers, and codebase. Manual third-party penetration testing is on our roadmap as we scale.

Do you have an incident response or recovery plan?

Yes. We maintain internal policies for:

  • Business continuity
  • Incident response
  • Daily backups of stateful systems (like user accounts and settings)

If something breaks, we can restore customer-critical infrastructure within 24 hours. In the event of a personal data breach, we'll notify affected customers without undue delay and within 48 hours.

Infrastructure & Data Centers

We use a multi-cloud approach with Google Cloud and Fly.io to ensure high availability and security:

Google Cloud Platform (Primary Infrastructure)

  • European regions for EU data residency
  • SOC 2 Type II certified
  • ISO 27001-certified data centers
  • GDPR compliant infrastructure
  • Immutable infrastructure and security by design

Fibbler uses Google Cloud Platform as its cloud provider; for more information about how Google manages security, read here.

Fly.io (Supporting Services)

  • European regions for EU data residency
  • SOC 2 Type II certified
  • Hardware runs on ISO 27001-certified data centers

Transfer Impact Assessment (TIA)

As required by GDPR Article 46, we have conducted a Transfer Impact Assessment to ensure all data processing meets EU data protection standards.

Key Finding

All customer and application infrastructure and data hosting is located within the European Economic Area (EEA). Our core product and customer data are processed exclusively within the EU.

Consent-based website analytics data may be processed by third-party providers outside the EEA under appropriate safeguards, such as Standard Contractual Clauses, in accordance with GDPR.

Analytics and attribution tools

Fibbler uses third-party analytics and attribution tools to measure website usage, conversions, and revenue attribution. These tools only process data after explicit user consent has been provided.

All third-party analytics providers act as data processors and are bound by Data Processing Agreements in accordance with the GDPR. Access to analytics data is restricted to authorised personnel and used solely for operational, analytical, and security-related purposes.

Sub-processors

Fibbler uses the following sub-processors to deliver our services. Customer and application data is processed exclusively within the European Economic Area (EEA), unless otherwise stated below.

Sub-processor                      | Location                                          | Purpose                                        | Data processed
Google Cloud (Cloud Run, Cloud SQL) | Belgium region (EU) (GDPR DPA, SOC 2, ISO 27001) | Primary infrastructure and database hosting    | Application data, LinkedIn ads data
Fly.io                             | EU region (DPF-certified)                         | Application hosting and server infrastructure  | Processes application requests and scheduled jobs
Redis                              | EU-hosted                                         | Caching layer                                  | Temporary session and cache data
Sentry                             | EU-hosted                                         | Error monitoring and logging                   | Error logs and performance metrics (no customer PII)
Resend                             | EU-hosted                                         | Transactional email delivery                   | Email addresses for account notifications only
HubSpot                            | EU data hosting                                   | Marketing emails, announcements, updates       | Contact email for company communications only
Stripe                             | EU operations                                     | Payment processing                             | Billing metadata only; no customer PII or data shared
Datafa.st                          | International (non-EU/EEA), data processor        | Website analytics and revenue attribution      | Cookies, IP addresses, and pseudonymous website usage data

Note: LinkedIn Insights and Datafa.st (analytics and attribution tools) are used only on our marketing website (fibbler.co) for visitor analytics and attribution. They are not present on the Fibbler application (app.fibbler.co) and do not process any customer or application data.

All sub-processors are subject to strict security terms and GDPR compliance requirements. We continuously monitor our sub-processors to ensure they maintain appropriate security standards and, where applicable, appropriate safeguards for international data transfers in accordance with GDPR.

Database Security & Access Controls

Our database infrastructure is protected by multiple layers of security:

  • Database access is restricted to whitelisted IP addresses only
  • All database connections are encrypted using TLS
  • Database accounts have minimal required permissions
  • Regular security updates and patches are applied
  • Database access is logged and monitored in real time
  • Backup data is encrypted and stored separately

Only authorized personnel with specific business needs can access the database, and all access is logged and audited regularly.

Our Security Measures (summary)

We apply technical and organizational measures to protect your account and integrations, including:

  • Encrypted data transfer (TLS)
  • Database access restricted to whitelisted IP addresses only
  • Real-time monitoring and alerting
  • Access controls and internal audit logging
  • Dependency scanning and vulnerability alerts
  • Annual third-party security audits (Aikido)

Need a DPA or NDA?

Most companies don't need extra paperwork to use Fibbler. But we understand that larger organizations may have vendor vetting, legal, or procurement requirements.

We now offer:

  • A standard Data Processing Agreement (DPA) aligned with GDPR
  • A Mutual Non-Disclosure Agreement (NDA) for vendor evaluation

These documents are available upon request. Just email support@fibbler.co and we'll be happy to help.

Still have questions?

Just email support@fibbler.co - we'll respond quickly and are happy to help your legal or security team get what they need.