How Fibbler keeps your data safe
A practical guide to our security, privacy, and data handling practices. Whether you're evaluating Fibbler or already a customer, this page gives you clear answers to the most common security, privacy, and compliance questions we get — no jargon, no fluff.
The short version
- Data is hosted in the EU (Amsterdam) on Fly.io
- Fly.io is SOC 2 certified and uses ISO 27001-certified data centers
- We don't process personal data, except your account email
- We don't store synced CRM or ad platform data — we fetch it in real time via API
- We're not SOC 2 or ISO certified, but we completed a third-party audit by Aikido Security
- You control what gets connected, and nothing happens without your authorization
- Integrations can be paused or revoked at any time
Frequently asked questions
Where is data stored?
All data is hosted in the EU, specifically in Fly.io's Amsterdam region. No data is processed outside the EU unless explicitly requested. Fly.io is SOC 2 certified, and their hardware runs in ISO 27001-certified data centers.
Do you process personal data?
No. Fibbler does not process any personal data (PII) on behalf of our customers. The only personal data we handle is your email address, which is used to create and manage your Fibbler account. That's it.
We do not process:
- CRM contacts
- Personal identifiers
- LinkedIn messages
- Sensitive information of any kind
What do you access in HubSpot, Salesforce, or LinkedIn — and why?
We only access company-level and deal/opportunity data required to power the analytics, attribution, and reporting features you explicitly enable.
Salesforce & HubSpot
We fetch data from the following object types using read-only access:
| Object | Fields accessed | Why it's used |
|---|---|---|
| Company/Account | name, domain, ID | To match CRM records to campaigns |
| Opportunity/Deal | name, amount, status, created/close dates, ID | For revenue attribution and funnel reporting |
| Campaign | name, ID | To group and track marketing campaign data |
| Custom Fields | field names only (not values) | To allow mapping of ad data into the CRM |
Do you store any of that data?
No. We do not persist CRM or ad platform data in our database. All data is pulled in real time using API calls only when you actively filter for it in the app.
Do you push anything back into my CRM?
Only if you explicitly enable it. Some features allow syncing ads back into HubSpot or Salesforce (like updating a custom field), but this is:
- Off by default
- Fully user-controlled
- Limited to the exact fields and actions you've configured
We never write anything back unless you turn it on.
Do you sell or enrich customer data?
No. Never. We don't monetize, resell, enrich, or profile your data — and we never will.
Do you have a security certification?
We are not yet SOC 2 or ISO 27001 certified. However, we have completed an external security audit by Aikido Security and run real-time monitoring and alerts across all infrastructure and code.
Do you run penetration tests?
We perform internal security reviews and depend on Aikido's automated scanning and alerting to monitor our infrastructure, containers, and codebase. Manual third-party penetration testing is on our roadmap as we scale.
Do you have an incident response or recovery plan?
Yes. We maintain internal policies for:
- Business continuity
- Incident response
- Daily backups of stateful systems (like user accounts and settings)
If something breaks, we can restore customer-critical infrastructure within 24 hours. In the event of a personal data breach, we'll notify affected customers without undue delay and within 48 hours.
Sub-processors
Fibbler uses a small number of EU-based sub-processors to deliver our services. These include:
- Fly.io (infrastructure)
- Amazon Lambda (serverless functions)
- Redis & Clever Cloud (caching + data layer)
- Stripe (billing)
- HubSpot (support comms)
- Sentry (error monitoring)
- LinkedIn Insights (analytics)
All sub-processors are subject to strict security terms.
Our Security Measures (summary)
We apply technical and organizational measures to protect your account and integrations, including:
- Encrypted data transfer (TLS)
- Real-time monitoring and alerting
- Access controls and internal audit logging
- Dependency scanning and vulnerability alerts
- Annual third-party security audits (Aikido)
Important documents
- Privacy Policy – confirms no personal data is processed
- Terms of Service
- Security Audit
Still have questions?
Just email support@fibbler.co - we'll respond quickly and are happy to help your legal or security team get what they need.