Updated April 22, 2024

This Data Processing Agreement (this “Agreement”) contains the terms and conditions that govern personal data transfers, hosting, and other related services provided by Piwik PRO (the “Services”). This Agreement shall be read together with the Master Services Agreement. The term “you”, “your” includes any of your subsidiaries, affiliates and employees. 



  1. The Customer ordered the Piwik PRO’s Service, either by Purchase Order or by accepting the Master Services Agreement (both hereinafter referred to as “Main Agreement”). 
  2. The Contractor shall collect, process and use personal data on behalf of the Customer in the circumstances defined in the scope of the Agreement.
  3. The Parties to the Agreement wish to accommodate their mutual obligations in terms of legal data protection in accordance with the prerequisites of article 28 of the General Data Protection Regulation (“GDPR”).
  4. The Customer acts as a controller within the meaning of Article 4 no. 7 of the GDPR.
  5. The Contractor acts as a processor within the meaning of Article 4 no. 8 of the GDPR.

1. Definitions

The following concepts have the meanings set forth below:

Piwik PRO or Contractor means Piwik PRO SA, ul. Św. Antoniego 2/4, 50073 Wrocław, Poland, its subsidiaries and affiliated companies.

Collecting has the meaning defined in article 4 no. 2 GDPR.

Personal Data means any type of Customer data which are of a personal nature and which the Contractor collects, processes or uses within the context of the agreement. “Personal data” has the meaning as defined in article 4 no. 1 GDPR which covers any information relating to an identified or identifiable natural person (hereinafter referred to as “Data Subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Instruction means any written direction the Customer gives to the Contractor through which the Customer requests the execution of a certain action with reference to Personal Data.

Processing of personal data has the meaning regulated in article 4 no. 2 GDPR.

Usage/use of personal data has the meaning regulated in article 4 no. 2 GDPR. 

Service refers to the access to Piwik PRO Analytics Suite service provided by the Contractor free of charge or as part of the paid subscription.

2. General

2.1. Subject of the Agreement. This Data Processing Agreement is applicable to all activities connected to the contractual relationship of the Parties, as part of which the employees or workers (employed on basis of a civil-law contract, freelancer) and/or as far as permissible under this Agreement subcontractors of the Contractor collect, process or use the Customer’s personal data.

2.2. Description of the processing. The Parties acknowledge that the Contractor may process Personal Data on behalf of the Customer during the term of this Agreement. A description of the Personal Data and the processing activities undertaken by the Contractor, that should be interpreted as the Customer Instructions, is set out below:

a. Purpose of the processing. Collecting behavioral data about how users interact with website(s) and/or application(s) and providing reporting interface to analyze the collected data. During the use of service, personal data is processed for the sole purpose of providing web traffic statistics to the Customer.

b. Nature of the processing. The Piwik PRO Analytics Suite provides several modules that are internally connected and able to process information between each other. The service is used to analyze the use of websites by the Customer’s visitors, manage other marketing tools, personalize content viewed by the visitor, onboard any other data of the Customer and create audiences. Considering the above, Personal Data shall be collected by Piwik PRO Analytics Suite based on profiles, events or comparable actions, regarding technical properties or activities of visitors to the Customer’s web pages or mobile applications. These Personal Data shall be evaluated by Piwik PRO to produce reports at different time intervals which may, amongst others, include statements on the geographical origin, length of stay, interaction with the website or origin. The Contractor shall collect, process and use personal data he collects, processes or uses in the context of this Agreement on behalf of the Customer exclusively for fulfilling the purposes set out above. The platform allows integration of tags of third party tools as well as creating an export of data to different third parties away from the scope of this contract and the area of responsibility of the Contractor. Moreover, the platform allows to import any other data that integrates with the data mentioned above. Therefore, it is within Customer’s responsibility to fulfil country specific legal and data privacy regulations for each such use.

c. Data Subjects. Visitors of the Customer’s webpages, web applications, native mobile applications, intranet portals (together hereinafter referred to as the “Customer’s Services”) and physical persons whose data was imported by the Customer in to the platform such as system users, end customers, employees, citizens or patients.

d. Categories of the Personal data. Piwik PRO Analytics Suite collects data in the form of technical characteristics of the browser of the Customer’s Services’ visitor, activities on the Customer’s Services, length of stay on the Customer’s Services. The IP address of visitors of the Customer’s Services is also collected. It is possible that any kind of data imported by the Customer can be processed on demand of the Customer. The Customer will immediately inform the Contractor if the imported data fulfills the requirements of article 9 GDPR (special categories of personal data). The Customer must make sure that data is collected on a lawful basis and are not processed without a need and a legal ground by the Contractor.

e. Data storage. The collection and storage of said personal data by the Contractor takes place exclusively within a processing region. Piwik PRO offers the following data storage locations:

  • EU West Netherlands & Ireland or
  • DE Central Germany or
  • US East United States or
  • Southeast Asia Hong Kong or
  • Any other as indicated by Piwik PRO in Purchase Order or Main Agreement

Piwik PRO ensures that the storage is located in one of the regions of choice. As part of the Services Piwik PRO may, from time to time, provide the Customer with support services which may in ordinary course of business constitute data processing (e.g. during a screen sharing session with Customer). Any such processing will take place in the European Economic Area. Any data collected during such support Service shall be immediately destroyed.

For backup storage, Microsoft Azure also provides protection against regional or large geographic disasters with disaster recovery using another secondary region that uses cross-region replication. Both the primary and secondary regions together form a region pair. For more information: https://learn.microsoft.com/en-us/azure/reliability/cross-region-replication-azure#azure-paired-regions

f. Duration of the processing. Piwik PRO shall not retain Personal Data longer than the duration of the Agreement.

2.3. Term and Termination

2.3.1 As for the term and termination rights of this Agreement the provisions applicable of the Main Agreement shall apply. Termination of the Main Agreement automatically leads to a termination of this Agreement. 

2.3.2 Upon termination of this Agreement, regardless of reason or manner, the Contractor shall – at the choice of the Customer – return in a readable format or destroy all Personal Data available to it. If the Customer chooses for a return of the Personal Data, the Contractor may request certain additional information, such as the public IP address through which the Personal Data will be downloaded. If the Customer does not make the choice within two weeks after the Contractor sends the request or does not provide the requested information necessary for the return, the Personal Data will be destroyed. The Contractor is entitled to keep any documentation it needs to prove that processing of the data has taken place in accordance with the order and regulations, in accordance with applicable laws, in particular legal storage times, after the termination of the Agreement.

3. Rights and obligations of the Parties

3.1. To the extent that the Contractor processes Personal Data on behalf of the Customer in connection with this Agreement, the Contractor shall: 

3.1.1. comply with the applicable data processing legislation, in particular the GDPR;

3.1.2. solely process the Personal Data for the purposes of fulfilling its obligations under this Agreement, Main Agreement and for all purposes compatible therewith, or as determined jointly, as well as in compliance with the Customer’s written Instructions as set out in this Agreement and as may be specified from time to time in writing by the Customer;

3.1.3. notify the Customer immediately if any instructions of the Customer relating to the processing of Personal Data are unlawful. The Contractor is entitled to suspend the corresponding Instruction until it is confirmed or changed by the Customer;

3.2. To the extent that the Contractor processes Personal Data on behalf of the Customer in connection with this Agreement, the Customer shall:

3.2.1. comply with all applicable data processing legislation, in particular the GDPR;

3.2.2. be solely responsible for establishing the admissibility and lawfulness of the data processing, collection and use as well as observing the rights of the Data Subjects. This includes, in particular, gathering and processing consents from Data Subjects. The Customer represents and warrants that the content, the legal basis, usage and Instructions to process the Personal Data are lawful and do not violate any right of any third party. The Customer shall indemnify and hold harmless the Contractor for all faults and claims that may arise from a violation of this representation and warranties;

3.2.3. inform the Contractor of any processing purposes to the extent not already mentioned in this Agreement;

3.2.4. be solely responsible for the accountability of the processing of Personal Data and any measures taken in that respect. It will further take care of the portability of Personal Data.

4. Confidentiality

4.1. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement  confidential (“Confidential Information”). All Personal Data that the Contractor receives from the Customer and/or collects itself is subject to strict obligations of confidentiality.

4.2. The Contractor shall ensure that any persons used by the Contractor to process Personal Data are subject to legally binding obligations of confidentiality in relation to the Personal Data and shall ensure that only such persons used by it to provide the Services have undergone training in data Protection and in the care and handling of personal data.

4.3. Each Party must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:

  • disclosure is required by the applicable law;
  • the relevant information is already in the public domain.

5. Security Measures

5.1. The Contractor shall take appropriate technical and organisational measures against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of or damage to Personal Data taking into account the harm that might result from such unauthorised or unlawful processing, loss, destruction or damage and the nature of the Personal Data to be protected including without limitation, all such measures that may be required to ensure compliance with Article 32 of the GDPR. The Customer does not warrant that the security measures it has taken are effective under all circumstances.

5.2. A description of the technical and organizational measures necessary for the implementation of this Agreement is included in Appendix 1.

5.3. Upon written request the Contractor shall inform the Customer about any measures taken to comply with its obligations under this Agreement.

5.4. The Contractor shall provide reasonable assistance to the Customer in the context of any data protection impact assessments to be made by the Customer.

5.5. The Contractor has appointed a Data Protection Officer who will conduct its activities in accordance with Article 37 of the GDPR. The contact email address of the Data Protection Officer is as follows: gdpr@piwik.pro

6. Data Breaches

6.1. The Customer is responsible for notification of any personal data breaches as described in Article 4 no. 12 of the GDPR, to the competent supervisory authority and affected Data Subjects.

6.2. To enable the Customer to comply with its legal requirements, the Contractor shall notify the Customer within 48 hours after becoming aware of an actual or threatened security or personal data breach. Such notification shall include the fact that a breach has occurred and, additionally:

  • describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • describe the likely consequences of the personal data breach;
  • include the name and contact details of the Data Protection Officer or a contact person regarding privacy subjects;
  • describe the measures taken or proposed to be taken by the Customer to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

7. Sub-Processors

7.1. The Contractor may use sub-processors in the processing of Personal Data on behalf of the Customer under this Agreement, provided such parties are reported in advance to the Customer. The Customer shall have the right to object to a specific sub-processor if its involvement would be reasonably unacceptable.

7.2 A list of sub-processors approved by the Customer is included in Appendix 2.

7.3 The Contractor shall ensure that any sub-processors are bound to at least the equivalent obligations as agreed between the Parties under this Agreement. 

8. Data Subject Rights

8.1. The Contractor may only rectify, erase or block the data collected, processed and used on behalf of the Customer according to instruction of the Customer. If the Data Subject applies directly to the Contractor for this purpose, the latter must immediately forward this request to the Customer.

8.2. The Customer shall check the request and inform the Contractor in writing whether it was justifiable or not and instruct the Contractor to proceed to rectify, erase or block.

8.3. The Contractor shall promptly notify the Customer if it receives any data access request from a Data Subject under any data protection legislation in respect of Personal Data and ensure that it does not respond to that request except on the documented Instructions of the Customer Taking into account the nature of the data processing activities undertaken by the Contractor, it shall provide all possible and reasonably requested assistance and co-operation to enable the Customer to fulfil its obligations to respond to requests from individuals exercising their rights under the applicable data protection laws.

9. Audits

9.1. Upon written request, the Contractor shall make available to the Customer all information necessary to demonstrate compliance with the obligations set out in this Agreement. The provision of such information requires a separate non-disclosure agreement between the Parties.

9.2. The Contractor shall allow for and contribute to audits, including inspections, conducted by or on behalf of the Controller or by the Information Commissioners Office (ICO) pursuant to Article 58(1) of the GDPR. The audit will be carried out with prior notice to the Contractor, during normal working hours, in a way that does not disrupt the normal operation of the Contractor. The audit may be conducted no more often than once a year, unless the need for it arises from a reasonable suspicion of a Personal Data breach.  Provided the Contractor correctly implements the agreed data protection obligations as envisaged under this Agreement, any checks should be based on sampling.  In the notification, the Customer shall indicate the details of the entity that will be the auditor. If the Contractor considers this entity to be its competitor, it has the right to submit a reasoned objection, in which case the Customer will indicate another auditor. 

9.3. The auditor shall be obliged to keep the audited data and information confidential. Accordingly, before any audit is conducted, the Customer and/or the auditor designated by the Customer shall enter into a separate non-disclosure agreement with the Contractor.

9.4. The costs of the audit shall be borne entirely by the Customer.

10. Liability

10.1. In no event and under no circumstances shall the Contractor, its directors, members, employees, agents or other contractors be liable to the Customer for any direct, indirect or consequential loss or damages, or any other damages of any kind, including but not limited to loss of use, loss of profits or loss of data, whether in an action in contract, tort (including but not limited to negligence) or otherwise. To the extent permitted by applicable law, all Contractor’s liability is excluded.

10.2. The Contractor shall not be held responsible nor bear any liability for any error, malfunction, non-compliance, non-performance, suspension or termination of any third-party services such as internet service providers, hosting providers, server hardware or network providers.

10.3. The Contractor shall not be liable for failing or delaying performance of its obligations resulting from any condition beyond its reasonable control, including but not limited to fire, floods, earthquake, governmental action, acts of God, terrorist attacks, labor strikes, power failures and Internet disturbances.

11. Miscellaneous 

11.1. Any changes to this Agreement shall require the written consent of both Parties. This also applies to waivers of this formal requirement.

11.2. In the event of any inconsistency, the provisions of this Agreement shall prevail over the provisions of the Main Agreement. If any part of this of the Agreement shall prove to be invalid or ineffective, the effectiveness or validity of the remaining provisions of the Agreement shall remain unaffected.

Annex 1

Technical and organizational measures

Customer Data means any personal data that can identify individuals, which is subject to special protection under applicable law. The definition of personal data may vary depending on applicable laws and regulations.

The Contractor establishes the following technical and organizational measures and shall maintain them continuously:

1. Confidentiality (Art. 32 par. 1 lit b GDPR)

1.1 Data Center

Operator shall mean a Data Center operator which is a Subcontractor by the definition of this Agreement that specializes in the infrastructure delivery services.

Domain Practices
Organization of Information Security Security Ownership. Operator has appointed one or more security officers responsible for coordinating and monitoring the security rules and procedures.
Security Roles and Responsibilities. Operator personnel with access to Customer Data are subject to confidentiality obligations.
Risk Management Program. Operator performed a risk assessment before processing the Customer Data or launching an Online Service.
Operator retains its security documents pursuant to its retention requirements after they are no longer in effect.
Asset Management Asset Inventory. Operator maintains an inventory of all media on which Customer Data is stored. Access to the inventories of such media is restricted to Operator personnel authorized in writing to have such access.
Asset Handling.
– Operator classifies Customer Data to help identify it and to allow for access to it to be appropriately restricted.
– Operator imposes restrictions on printing Customer Data and has procedures for disposing of printed materials that contain Customer Data.
–  Operator personnel must obtain Operator authorization prior to storing Customer Data on portable devices, remotely accessing Customer Data, or processing Customer Data outside Operator’s facilities.
Human Resources Security Security Training. Operator informs its personnel about relevant security procedures and their respective roles. Operator also informs its personnel of possible consequences of breaching the security rules and procedures. Operator will only use anonymous data in training.
Physical and Environmental Security Physical Access to Facilities. Operator limits access to facilities where information systems that process Customer Data are located to identified authorized individuals.
Physical Access to Components. Operator maintains records of the incoming and outgoing media containing Customer Data, including the kind of media, the authorized sender/recipients, date and time, the number of media and the types of Customer Data they contain.
Protection from Disruptions. Operator uses a variety of industry standard systems to protect against loss of data due to power supply failure or line interference.
Component Disposal. Operator uses industry standard processes to delete Customer Data when it is no longer needed.
Communications and Operations Management Operational Policy. Operator maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Customer Data.
Data Recovery Procedures.
– On an ongoing basis, but in no case less frequently than once a week (unless no Customer Data has been updated during that period), Operator maintains multiple copies of Customer Data from which Customer Data can be recovered.
– Operator stores copies of Customer Data and data recovery procedures in a different place from where the primary computer equipment processing the Customer Data is located.
– Operator has specific procedures in place governing access to copies of Customer Data.
– Operator reviews data recovery procedures at least every twelve months
– Operator logs data restoration efforts, including the person responsible, the description of the restored data and where applicable, the person responsible and which data (if any) had to be input manually in the data recovery process.
Malicious Software. Operator has anti-malware controls to help avoid malicious software gaining unauthorized access to Customer Data, including malicious software originating from public networks.
Data Beyond Boundaries.
– Operator encrypts, or enables Customer to encrypt, Customer Data that is transmitted over public networks.
– Operator restricts access to Customer Data in media leaving its facilities.
Event Logging. Operator logs, or enables Customer to log, access and use of information systems containing Customer Data, registering the access ID, time, authorization granted or denied, and relevant activity.
Access Control Access Policy. Operator maintains a record of security privileges of individuals having access to Customer Data.
Access Authorization.
– Operator maintains and updates a record of personnel authorized to access Operator systems that contain Customer Data.
– Operator deactivates authentication credentials that have not been used for a period of time not to exceed six months.
– Operator identifies those personnel who may grant, alter or cancel authorized access to data and resources.
– Operator ensures that where more than one individual has access to systems containing Customer Data, the individuals have separate identifiers/log-ins.
Least Privilege.
– Technical support personnel are only permitted to have access to Customer Data when needed.
– Operator restricts access to Customer Data to only those individuals who require such access to perform their job function.
Integrity and Confidentiality.
– Operator instructs Operator personnel to disable administrative sessions when leaving premises Operator controls or when computers are otherwise left unattended.
– Operator stores passwords in a way that makes them unintelligible while they are in force.
– Operator uses industry standard practices to identify and authenticate users who attempt to access information systems.
– Where authentication mechanisms are based on passwords, Operator requires that the passwords are renewed regularly.
– Where authentication mechanisms are based on passwords, Operator requires the password to be at least eight characters long.
– Operator ensures that de-activated or expired identifiers are not granted to other individuals.
– Operator monitors, or enables Customer to monitor, repeated attempts to gain access to the information system using an invalid password.
– Operator maintains industry standard procedures to deactivate passwords that have been corrupted or inadvertently disclosed.
– Operator uses industry standard password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage.
Network Design. Operator has controls to avoid individuals assuming access rights they have not been assigned to gain access to Customer Data they are not authorized to access.
Information Security Incident Management Incident Response Process.
– Operator maintains a record of security breaches with a description of the breach, the period, the consequences of the breach, the name of the reporter, and to whom the breach was reported, and the procedure for recovering data.
Service Monitoring. Operator security personnel verify logs at least every six months to propose remediation efforts if necessary.
Business Continuity Management – Operator maintains emergency and contingency plans for the facilities in which Operator information systems that process Customer Data are located.
– Operator’s redundant storage and its procedures for recovering data are designed to attempt to reconstruct Customer Data in its original or last-replicated state from before the time it was lost or destroyed.

1.2 Physical access control to Piwik PRO premises

The Contractor regulates access to the Piwik PRO premises by means of an access control system:

  • The entrance doors are locked at all times and are unlocked by means of an electronic door lock
  • An electronic card reader on a physical barrier at the entrance to the company premises.
  • All persons must identify themselves additionally by means of a digital key 2nd authentication factor) to acquire access to the premises after business hours.
  • Security and porters are available in the building 24/7. As well as the 24/7 video surveillance of the building.
  • Loss of electronic cards must be reported immediately. If the electronic card is lost it is immediately blocked and will not enable access to the premises.

1.3 Piwik PRO Analytics Suite infrastructure security model

Piwik PRO applies various techniques and concepts to ensure application and infrastructure security.

The main elements of infrastructure security are as follows:

  • Service requires the user to authenticate himself using a unique login and password. Piwik PRO permits remote access to production systems by authorized contractors only with multi- factor authentication (MFA), using certificates. 
  • The duties are segregated between development, administration teams and non-tech staff
  • Permissions for development teams are limited, according to the least privilege policy
  • Permission elevation for developer’s teams requires valid justification, has a maximum time period assigned and is automatically revoked
  • Permission management is based on security group membership
  • Infrastructure is hidden behind industry-standard solutions, including access from Piwik PRO’s VPN
  • Immutable audit logs are in place
  • Alerting for breach by unauthorized personnel
  • Each operating system is hardened to provide only the necessary ports, protocols and services to meet business needs using technical controls as part of their baseline build standard.

1.4 Piwik PRO Analytics Suite application security model

Piwik PRO Analytics Suite requires a combination of credentials: an email login and a password. The password’s minimal criteria are as follows:

  • 12-128 characters.
  • Minimum one capital letter.
  • Minimum one lowercase letter.
  • Minimum one digit.
    • 2FA we offer is based on the app and has to be in TOTP standard
    • Paying clients may issue requests to activate SSO.
  • SSO is a third-party authorization, on which we do not force our rules

Application security measures are as follows:

  • Secure transmission between the server and the client is accomplished with an encrypted connection (HTTPS protocol).
  • Automated application and operating system scans are performed to look for known security vulnerabilities.
  • Penetration testing (pen testing) is performed once a year to uncover any systemic vulnerabilities and security deficiencies in Piwik PRO Analytics Suite and then find ways to fix all such weaknesses.
  • Bug bounty program to encourage security researchers to find unknown bugs. The bug bounty program utilizes separate infrastructure to ensure no client data breach occurs in case a security researcher recognizes an unknown vulnerability.

2. Integrity Art. 32 par. 1 lit b GDPR

2.1 Transport and transfer checks, data carrier and user controls

The Contractor has established the following transport, transfer, data carrier and user controls, which ensure that personal data cannot be read, copied, altered or removed by unauthorized parties in the course of electronic transmission or during transportation or recording on data carriers, and that it is possible to examine and establish to which bodies personal data are to be transferred using data transmission equipment:

  • Secure transmission between the server and the client is accomplished with a forced encrypted connection (HTTPS protocol). 
  • Responses from the application (e.g. API responses, HTTP responses) are stripped of any information identifying the technology and versions of software used.
  • Piwik PRO domain (*.piwik.pro) has DNSSEC and CSP.
  • Isolated internal communication (separate virtual network)
  • Database connections limited to internal network or network segment
  • Firewalls configured to deny incoming connections by default
  • Detection of suspicious/malicious activity
  • Encryption-at-rest using 256-bit AES encryption

Access to the Piwik PRO Analytics Suite is subject to effective access controls which are described in more detail in Section 1.4 of this Annex 1. Transfer is only permitted upon access by a secure SSL “Secure Socket Layer”) connection.

2.2 Input control

The transmission of the personal data takes place by means of implementation of the corresponding tracking code by the Customer. Every tracking code has an unambiguous allocation for a profile / a website which was previously created by a person with authorized access.

Access or alteration of the collected data is subject to effective access mechanisms and are logged correspondingly.

3. Availability and capacity Art. 32 par. 1 lit b GDPR

3.1 Availability control

The availability of our application is upheld through a strategic combination of load balancers and replication between separate data centers within the same region. This redundancy approach ensures a heightened level of resilience and availability. Load balancers distribute incoming traffic efficiently, mitigating potential overloads and enhancing overall system stability. Simultaneously, our deployment across distinct data centers facilitates a robust failover mechanism.

The entire infrastructure and each of its key components is configured to run in high availability mode. In the event of a major outage, we can redirect all traffic to a backup storage so that later collected data can be automatically replayed to the infrastructure once operations are restored. We also include this kind of scenario in our regularly tested Disaster Recovery procedures.

3.2 Backup policy

Redundant storage and its procedures for recovering data are designed to attempt to reconstruct Personal Customer Data in its original or last-replicated state from before the time it was lost or destroyed.

Our Backup Strategy contains necessary parameters, defined according to the best industry practices as well as ISO-27001 and SOC-2 security standards requirements. It includes the following items: 

  • Assets / Systems 
  • Medium of backup
  • Retention policy (enforce by DP and/or GDPR)
  • Impact of Disruption
  • Responsibility.

3.3 Data integrity

Our comprehensive security framework encompasses a range of measures to safeguard the integrity and confidentiality of our systems and data. These include:

Network Segmentation and Encryption:

  • We implement separate virtual networks to isolate and secure different components of our infrastructure.
  • Encryption at rest is enforced, utilizing our proprietary encryption keys for added protection.

 Automated Security Scans:

  • Regular automated scans are conducted for both applications and operating systems to identify known security vulnerabilities.
  • These scans occur prior to deployment in production, testing, or staging environments.

 Real-time Suspicious Activity Detection:

  • Our Piwik PRO and bundled third-party components are continuously monitored for real-time detection of suspicious activities.
  • Any detected violations prompt immediate action, involving our Piwik PRO on-duty team, ticket creation, and thorough investigation.

 Penetration Testing and Vulnerability Mitigation:

  • An annual penetration testing (pen testing) exercise is conducted to identify systemic vulnerabilities and security deficiencies within the Piwik PRO Analytics Suite.
  • Weaknesses are identified diligently addressed to fortify our security posture.

 Bug Bounty Program:

  • Our bug bounty program encourages security researchers to uncover and report unknown vulnerabilities.
  • A segregated infrastructure is employed to ensure client data remains uncompromised in the event of vulnerability discovery.

 Ongoing Audit Log Review:

  • Regular audits of system audit logs are performed using automated tools to detect security events and anomalies.

 Our commitment to security excellence is reflected in these measures, underscoring our dedication to maintaining the highest standards of data protection and system integrity.

3.4 Data separation control

There is a separation of the development, test, stage, security bug bounty and production environments. The segregation of duties within the teams and change management processes restricts the ability to promote code from the developer, test, or stage to the production environment to the designated IT team only. Developers have access to production only during maintenance work. Depending on the chosen infrastructure model, the Piwik PRO’s client may share resources (like hardware, software or network devices) in the Public Cloud or the Private Cloud model, where all resources are dedicated exclusively to the customer.

4. Procedures for periodic review, assessment and evaluation Art. 32 par. 1 lit d GDPR

Periodic review, assessment and evaluation of Technical and Organizational measures are being performed according to the audit schedule required for information security certification ISO/IEC 27001:2017 and SOC-2 type 2.

Annex 2


For the processing of data on behalf of the Customer, the Contractor employs services of third parties who process data on its behalf (“Sub-processors”).

The following company/companies are Sub-processors:

  1. Microsoft Ireland Operations Limited, South County Business Park, Leopardstown, Dublin 18, Ireland. (“Operator” according to Annex 1) – data center provider