Plausible security and compliance documentation
Plausible is typically straightforward to approve in vendor reviews. This is not because of optimized paperwork, but because the product does not collect personal data, does not use cookies and does not send data outside the EU. A simpler product means a simpler review. Organizations like Hugging Face, Harvard and the Scottish and Welsh governments have completed this review and run Plausible at scale.
Why Plausible is low-risk to approve
Plausible does not process personal data or track individual users. This puts it in a different category from most analytics tools in a vendor risk assessment.
Specifically:
- No personal data is collected. No IP addresses, device fingerprints or persistent identifiers of any kind.
- No cookies are set. Nothing to consent to, no cookie banner required on your site.
- All data is processed and stored in the EU on servers owned by European companies. Data never leaves the EEA.
- No data is shared with or sold to third parties.
- A DPA is in place automatically for all customers. You do not need to request one.
An independent review by a data protection lawyer confirms Plausible requires no cookie consent and falls outside the scope of GDPR personal data processing. Read the full legal assessment.
Legal documents
- Data Processing Agreement (DPA): covers GDPR obligations, processor responsibilities, data location, breach notification (48-hour obligation) and subprocessor controls. Applies to all customers automatically.
- Privacy policy: how Plausible handles data related to account holders.
- Terms of service: the contract governing use of Plausible.
- Imprint: legal entity details, company registration and registered address.
Data handling
- Data policy: what Plausible collects from your website visitors, how it is stored, and the technical method used to count unique visitors without cookies or personal data.
- Subprocessors: the third-party services Plausible uses to operate and what data each handles.
Security
- Security overview: technical and organizational security measures including infrastructure, access controls, encryption, backups, monitoring and software update practices.
- Vulnerability disclosure program: how to report security vulnerabilities and how they are handled.
- Open source code: Plausible’s source code is publicly available for independent audit.
Infrastructure and availability
- EU hosting: which infrastructure providers are used, where data is stored and what this means for GDPR compliance.
- Status and uptime: current and historical uptime for all Plausible services.
Enterprise access controls and data portability
Available on Enterprise plans:
- Single Sign-On (SSO): SAML 2.0 support for Google Workspace, Okta and Microsoft Entra ID.
- Scheduled raw data exports: export raw event data to your own data warehouse for deeper analysis or internal compliance requirements.
Security questionnaires
The documents above answer most questions in standard vendor security reviews. If anything is not covered, contact us and we will respond within one business day.