How Fibbler keeps your data safe
A practical guide to our security, privacy, and data handling practices. Whether you're evaluating Fibbler or already a customer, this page gives you clear answers to the most common security, privacy, and compliance questions we get — no jargon, no fluff.
The short version
- Data is hosted in the EU on Google Cloud and Fly.io (European regions)
- Immutable infrastructure and security by design
- We don't process personal data, except your account email
- We store LinkedIn ads data in our database for performance and analytics. For customers using CRM sync, we also store HubSpot company ID/domain data, all with strict access controls and IP whitelisting
- We're not SOC 2 or ISO certified, but we completed a third-party audit by Aikido Security
- You control what gets connected, and nothing happens without your authorization
- Integrations can be paused or revoked at any time
Frequently asked questions
Where is data stored?
All customer data is hosted in the EU on Google Cloud, in European regions. Our application services run on both Google Cloud and Fly.io, again in European regions, for availability and performance. No data is processed outside the EU. We deploy on immutable infrastructure (servers are replaced with new builds rather than modified in place) and treat security as a design requirement rather than an add-on.
Do you process personal data?
No. Fibbler does not process any personal data (PII) on behalf of our customers. The only personal data we handle is your email address, which is used to create and manage your Fibbler account. That's it.
We do not process:
- CRM contacts
- Personal identifiers
- LinkedIn messages
- Sensitive information of any kind
What do you access in HubSpot, Salesforce, or LinkedIn — and why?
We only access company-level and deal/opportunity data required to power the analytics, attribution, and reporting features you explicitly enable.
Salesforce & HubSpot
We fetch data from the following object types using read-only access:
| Object | Fields accessed | Why it's used |
|---|---|---|
| Company/Account | name, domain, ID | To match CRM records to campaigns |
| Opportunity/Deal | name, amount, status, created/close dates, ID | For revenue attribution and funnel reporting |
| Campaign | name, ID | To group and track marketing campaign data |
| Custom fields | field names only (not values) | To map ad data into the CRM |
Do you store any of that data?
We store LinkedIn ads data in our database so that analytics and reporting are fast and can be run across time. This includes campaign performance metrics, audience insights, and attribution data.
For customers using the HubSpot CRM sync, we also store company IDs and domains so that record matching is faster. All other CRM data is still fetched in real time via API calls when you actively filter on it in the app; it is not persisted.
Content you explicitly mark for sharing with others is stored in our database for 7 days. Stored data is encrypted with AES-256 before it is written to the database, so that a compromise of the database alone does not expose the data.
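What "encrypted before being stored" means in practice, as an added illustration (this is not Fibbler's code and the page does not describe its implementation): each record is sealed by the application with AES-256-GCM, using a fresh random nonce and the record's ID as associated data, and only the opaque blob reaches the database. The key is generated in memory here; in production it would come from a secret manager or KMS, which is an assumption, not something the page states. Keeping the key out of the database is the condition under which "a compromise of the database alone does not expose the data" actually holds. The record ID, the JSON payload and the function names are constructed for the example.

```go
// Application-level encryption at rest with AES-256-GCM.
// Added example, not Fibbler's code. Assumes the application, not the
// database engine, holds the key and performs encryption before writes.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Key is a 32-byte AES-256 key. Assumption: it lives in a KMS or secret
// manager, never in the database that stores the ciphertext.
type Key [32]byte

// NewKey generates a random AES-256 key (demo only; production keys come from a KMS).
func NewKey() (Key, error) {
	var k Key
	_, err := rand.Read(k[:])
	return k, err
}

// Seal encrypts a record for storage. recordID is bound as associated data, so a
// ciphertext copied from one row to another fails to decrypt.
// Stored layout: nonce (12 bytes) || ciphertext || GCM tag (16 bytes).
func Seal(key Key, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per record
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open decrypts a stored blob. A modified nonce, ciphertext or tag, a wrong key,
// or a mismatched recordID is rejected before any plaintext is returned.
func Open(key Key, recordID string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: a shared-content row as it might look before storage.
	blob, err := Seal(key, "share-42", []byte(`{"campaign":"Q3 brand","ctr":0.42}`))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %d bytes, unreadable without the key\n", len(blob))

	// A tampered row is rejected outright rather than decrypted into garbage.
	blob[len(blob)-1] ^= 0x01
	if _, err := Open(key, "share-42", blob); err != nil {
		fmt.Println("tampered row rejected:", err)
	}
}
```

GCM is used rather than a bare block mode so that integrity and confidentiality come together: an attacker who can write to the database can flip bits in a ciphertext, and without authentication that produces silently corrupted plaintext instead of an error.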
Do you push anything back into my CRM?
Only if you explicitly enable it. Some features allow syncing ad data back into HubSpot or Salesforce (for example, updating a custom field), but this is:
- Off by default
- Fully user-controlled
- Limited to the exact fields and actions you've configured
We never write anything back unless you turn it on.
Do you sell or enrich customer data?
No. Never. We don't monetize, resell, enrich, or profile your data — and we never will.
Do you have a security certification?
We are not yet SOC 2 or ISO 27001 certified. We have, however, completed an external security audit by Aikido Security, and we run real-time monitoring and alerting across all infrastructure and code. The audit report is listed under Important documents below.
Do you run penetration tests?
We perform internal security reviews and rely on Aikido's automated scanning and alerting to monitor our infrastructure, containers, and codebase. Manual third-party penetration testing is on our roadmap as we scale.
Do you have an incident response or recovery plan?
Yes. We maintain internal policies for:
- Business continuity
- Incident response
- Daily backups of stateful systems (like user accounts and settings)
In the event of an outage, we can restore customer-critical infrastructure within 24 hours. In the event of a personal data breach, we notify affected customers without undue delay, and within 48 hours at the latest.
Infrastructure & Data Centers
We use a multi-cloud approach with Google Cloud and Fly.io to ensure high availability and security:
Google Cloud Platform (Primary Infrastructure)
- European regions for EU data residency
- SOC 2 Type II certified
- ISO 27001-certified data centers
- GDPR-compliant infrastructure
- Immutable infrastructure and security by design
Fly.io (Supporting Services)
- European regions for EU data residency
- SOC 2 Type II certified
- Hardware runs in ISO 27001-certified data centers
Sub-processors
Fibbler uses a small number of EU-based sub-processors to deliver our services. These include:
- Google Cloud (primary infrastructure and data storage; SOC 2 Type II certified, ISO 27001 data centers)
- Fly.io (supporting services; SOC 2 Type II certified, ISO 27001 data centers)
- Redis (caching layer)
- Stripe (billing)
- HubSpot (support communications)
- Sentry (error monitoring)
- LinkedIn Insights (analytics)
All sub-processors are bound by security and data-processing terms.
Database Security & Access Controls
Our database infrastructure is protected by multiple layers of security:
- Database access is restricted to whitelisted IP addresses only
- All database connections are encrypted using TLS
- Database accounts have minimal required permissions
- Regular security updates and patches are applied
- Database access is logged and monitored in real time
- Backup data is encrypted and stored separately
Only authorized personnel with specific business needs can access the database, and all access is logged and audited regularly.
Our Security Measures (summary)
We apply technical and organizational measures to protect your account and integrations, including:
- Encrypted data transfer (TLS)
- Database access restricted to whitelisted IP addresses only
- Real-time monitoring and alerting
- Access controls and internal audit logging
- Dependency scanning and vulnerability alerts
- Annual third-party security audits (Aikido)
Need a DPA or NDA?
Most companies don't need extra paperwork to use Fibbler. But we understand that larger organizations may have vendor vetting, legal, or procurement requirements.
We now offer:
- A standard Data Processing Agreement (DPA) aligned with GDPR
- A Mutual Non-Disclosure Agreement (NDA) for vendor evaluation
These documents are available upon request. Just email support@fibbler.co and we'll be happy to help.
Important documents
- Privacy Policy – confirms that no personal data is processed beyond your account email
- Terms of Service
- Security Audit
Still have questions?
Just email support@fibbler.co - we'll respond quickly and are happy to help your legal or security team get what they need.