Plausible security and compliance documentation

Plausible is typically straightforward to approve in vendor reviews. Not because of optimized paperwork, but because the product does not collect personal data, does not use cookies and does not send data outside the EU. A simpler product means a simpler review. Organizations like Hugging Face, MongoDB, Basecamp and Harvard have completed this review and run Plausible at scale.

This page is for security, legal and procurement teams evaluating Plausible as a vendor. Everything you need is here or linked from here.

Why Plausible is low-risk to approve

Plausible does not process personal data or track individual users. This puts it in a different category from most analytics tools in a vendor risk assessment.

Specifically:

• No personal data is collected. No IP addresses, device fingerprints or persistent identifiers of any kind.
• No cookies are set. Nothing to consent to, no cookie banner required on your site.
• All data is processed and stored in the EU on servers owned by European companies. Data never leaves the EEA.
• No data is shared with or sold to third parties.
• A DPA is in place automatically for all customers. You do not need to request one.

This assessment is supported by an independent GDPR compliance review conducted by a data protection lawyer.

Legal documents

• Data Processing Agreement (DPA): covers GDPR obligations, processor responsibilities, data location, breach notification (48-hour obligation) and subprocessor controls. Applies to all customers automatically.
• Privacy policy: how Plausible handles data related to account holders.
• Terms of service: the contract governing use of Plausible.
• Imprint: legal entity details, company registration and registered address.

Data handling

• Data policy: what Plausible collects from your website visitors, how it is stored, and the technical method used to count unique visitors without cookies or personal data.
• Subprocessors: the third-party services Plausible uses to operate and what data each handles.

Security

• Security overview: technical and organizational security measures including infrastructure, access controls, encryption, backups, monitoring and software update practices.
• Vulnerability disclosure program: how to report security vulnerabilities and how they are handled.
• Open source code: Plausible’s source code is publicly available for independent audit.

Infrastructure and availability

• EU hosting: which infrastructure providers are used, where data is stored and what this means for GDPR compliance.
• Status and uptime: current and historical uptime for all Plausible services.

Enterprise access controls and data portability

Available on Enterprise plans:

• Single Sign-On (SSO): SAML 2.0 support for Google Workspace, Okta and Microsoft Entra ID.
• Scheduled raw data exports: export raw event data to your own data warehouse for deeper analysis or internal compliance requirements.

Security questionnaires

The documents above cover most questions in standard vendor security reviews. We recommend going through them before submitting a questionnaire, as most topics are already addressed.

If there are specific questions not covered, contact us with those questions. We respond within one business day.