
How Fibbler keeps your data safe
A practical guide to our security, privacy, and data handling practices. Whether you're evaluating Fibbler or already a customer, this page gives you clear answers to the most common security, privacy, and compliance questions we get - no jargon, no fluff.
The short version
- All customer and application data is hosted in the EU on Google Cloud and Fly.io (European regions)
- Immutable infrastructure and security by design
- We don't process personal data as part of our core product, except your account email
- We store LinkedIn ads data, Google Ads campaign data, and CRM data (company records and deals) in our database for attribution, analytics, and MCP features, all with strict access controls and IP whitelisting. Customers with a DPA signed before April 2026 are exempt from CRM data storage. If you disconnect or cancel, stored CRM data is deleted within 30 days
- ISO 27001 and SOC 2 certifications are in progress (started January 2026). Third-party audit completed by Aikido Security
- You control what gets connected, and nothing happens without your authorization
- Integrations can be paused or revoked at any time
- MCP (connect your data to LLMs like Claude, ChatGPT, and Cursor) is available on the Unlimited plan only and requires CRM data storage
- Website visitor company identification is powered by our partner Dealfront (Leadfeeder), used both on fibbler.co and as part of the Google Ads attribution add-on. Dealfront is ISO 27001 and ISO 27701 certified with all data hosted in the EU. We have a Data Processing Agreement in place with Dealfront
Frequently asked questions
Where is data stored?
All customer and application data is hosted in the EU on Google Cloud and Fly.io. No customer data is processed outside the EU. See the Infrastructure section below for details.
Do you process personal data?
The only personal data we handle is your email address for account management. We do not process individual contact records from your CRM, personal identifiers, LinkedIn messages, or sensitive information of any kind.
We do store company-level and deal/opportunity data from your CRM (company names, domains, deal amounts, deal stages) to power attribution and analytics features. This is business data, not personal data.
What do you access in LinkedIn, Google Ads, HubSpot, Salesforce, and Attio - and why?
We only access company-level and deal/opportunity data required to power the analytics, attribution, and reporting features you explicitly enable.
LinkedIn Ads
We access your LinkedIn Ads account via the LinkedIn Marketing API:
| Data | Access | Fields | Why it's used |
|---|---|---|---|
| Campaigns | Read | name, ID, status, objective | To display and attribute campaign performance |
| Performance Metrics | Read | impressions, clicks, spend, engagements | For attribution and ROI reporting |
| Company Engagement | Read | company name, domain, engagement data | To match ad engagement to CRM accounts |
| Campaign Targeting | Write | targeting exclusions (job titles, companies) | For Audience Exclusions and Impression Caps features (only when enabled by you) |
HubSpot, Salesforce & Attio
We access the following data from your CRM:
| Object | Access | Fields | Why it's used |
|---|---|---|---|
| Company/Account | Read | name, domain, ID | To match CRM records to campaigns |
| Opportunity/Deal | Read | name, amount, status, created/close dates, ID | For revenue attribution and funnel reporting |
| Campaign | Read | name, ID | To group and track marketing campaign data |
| Custom Fields | Read | field names only (not values) | To allow mapping of ad data into the CRM |
| Custom Fields | Write | Fibbler-created fields on Company/Account (HubSpot & Salesforce only) | For CRM Sync: creates fields to store LinkedIn ad engagement data (only when enabled by you) |
Attio integration is read-only. CRM Sync write access only applies to HubSpot and Salesforce, and only when you explicitly enable it.
Google Ads (optional add-on)
We access campaign and performance data via the Google Ads API. All access is read-only.
| Data | Access | Fields | Why it's used |
|---|---|---|---|
| Campaigns | Read | name, ID, status, type, budget | To display campaign performance and attribution |
| Ad Groups / Keywords | Read | name, ID, text, match type, metrics | To group performance and connect search terms to pipeline |
| Performance Metrics | Read | clicks, impressions, spend, conversions | For attribution and ROI reporting |
| Website Visitor Data (via Dealfront) | Read | company name, industry, visit behavior | To match website visits to Google Ads campaigns and CRM deals |
Do you store any of that data?
We store LinkedIn ads data, Google Ads campaign data, and CRM data in our database to power attribution, analytics, and MCP features. This includes campaign performance metrics, audience exclusions, attribution data, CRM company records (name, domain), and deal/opportunity records (amount, stage, dates).
CRM data is synchronized on a regular schedule and kept up to date while your integration remains connected. If you disconnect or cancel, stored CRM data is deleted within 30 days. Customers with a DPA signed before April 2026 are exempt from CRM data storage unless they agree to a revised DPA. If you prefer not to have CRM data stored, you can opt out by contacting support@fibbler.co.
All stored data is encrypted at rest using AES-256 encryption.
Do you push anything back into my CRM?
Only if you explicitly enable it. CRM Sync allows pushing LinkedIn ad engagement data into HubSpot or Salesforce by creating custom fields on your Company/Account records. This is:
- Off by default
- Fully user-controlled
- Limited to the exact fields and actions you've configured
We never write anything back unless you turn it on.
Do you sell or enrich customer data?
No. Never. We don't monetize, resell, enrich, or profile your data - and we never will.
Do you have a security certification?
We are not yet SOC 2 or ISO 27001 certified. We started the certification process in January 2026 and expect to receive both certifications within a few months. We have completed an external third-party security audit by Aikido Security in February 2026.
Do you run penetration tests?
We perform internal security reviews and depend on Aikido's automated scanning and alerting to monitor our infrastructure, containers, and codebase. Manual third-party penetration testing is planned as part of our SOC 2 audit.
Do you have an incident response or recovery plan?
Yes. We maintain internal policies for:
- Business continuity
- Incident response
- Daily backups of stateful systems (like user accounts and settings)
If something breaks, we can restore customer-critical infrastructure within 24 hours. In the event of a personal data breach, we'll notify affected customers without undue delay and within 48 hours.
Infrastructure & Data Centers
We use a multi-cloud approach with Google Cloud and Fly.io to ensure high availability and security:
Google Cloud Platform (Primary Infrastructure)
- European regions for EU data residency
- SOC 2 Type II certified
- ISO 27001-certified data centers
- GDPR compliant infrastructure
- Immutable infrastructure and security by design
Fibbler uses Google Cloud Platform as its primary cloud provider; for more information about how Google manages security, refer to Google Cloud's published security documentation.
Fly.io (Supporting Services)
- European regions for EU data residency
- SOC 2 Type II certified
- Hardware runs on ISO 27001-certified data centers
We have conducted a Transfer Impact Assessment (TIA) as required by GDPR Article 46. All customer and application data hosting is located within the EEA. Website analytics data may be processed outside the EEA under appropriate safeguards (Standard Contractual Clauses or EU-US Data Privacy Framework).
Sub-processors
Fibbler uses the following sub-processors to deliver our services. Customer and application data is processed exclusively within the European Economic Area (EEA), unless otherwise stated below.
| Sub-processor | Location | Purpose | Data Processed |
|---|---|---|---|
| Google Cloud (Cloud Run, Cloud SQL) | Belgium region (EU) (GDPR DPA, SOC 2, ISO 27001) | Primary infrastructure and database hosting | Application data, LinkedIn ads data, Google Ads data, CRM data |
| Fly.io | EU region (DPF-certified) | Application hosting and server infrastructure | Processes application requests and scheduled jobs |
| Redis | EU-hosted | Caching layer | Temporary session and cache data |
| Sentry | EU-hosted | Error monitoring and logging | Error logs and performance metrics (no customer PII) |
| Resend | EU-hosted | Transactional email delivery | Email addresses for account notifications only |
| Loops | US-based (EU-US Data Privacy Framework certified) | Marketing emails, announcements, updates | Email address and subscription status (active, trial, former customer) for email communications |
| Stripe | EU operations | Payment processing | Billing metadata only; no customer PII or data shared |
| Dealfront (Dealfront Finland Oy / Leadfeeder) | EU (Finland/Germany) (ISO 27001, ISO 27701) | Website visitor company identification (used on fibbler.co and for Google Ads attribution customers) | IP addresses, visitor behavior, session data, first-party cookies (if enabled) |
| Google (Google Ads API) | EU operations | Google Ads campaign data retrieval | Campaign metrics, clicks, impressions, keywords, spend data (aggregated, no PII) |
| Datafa.st | International (non-EU/EEA) – Data processor | Website analytics and revenue attribution | Cookies, IP addresses, and pseudonymous website usage data |
All sub-processors are bound by GDPR-compliant data processing agreements. Leadfeeder and Datafa.st are used only on fibbler.co (not the app) and do not process customer data. Our marketing website also uses LinkedIn Insights Tag and Google Ads Tag (gtag.js) for advertising measurement, which are covered by cookie consent and only activate after explicit user approval.
Security Measures & Access Controls
We apply technical and organizational measures to protect your data, account, and integrations:
- All data transfer and database connections encrypted using TLS
- Database access restricted to whitelisted IP addresses only
- Database accounts have minimal required permissions
- All access is logged and audited regularly
- Real-time monitoring and alerting
- Regular security updates and patches
- Dependency scanning and vulnerability alerts
- Backup data encrypted and stored separately
- Annual third-party security audits (Aikido)
Only authorized personnel with specific business needs can access the database or production infrastructure.
Documents and DPA/NDA
We also offer a standard DPA (aligned with GDPR) and Mutual NDA for vendor evaluation. Email support@fibbler.co to request these or if you have any other security questions.