
How Fibbler keeps your data safe
A practical guide to our security, privacy, and data handling practices. Whether you're evaluating Fibbler or already a customer, this page gives you clear answers to the most common security, privacy, and compliance questions we get - no jargon, no fluff.
Last updated: June 2026
The short version
- All customer and application data is hosted in the EU on Google Cloud (European regions)
- Immutable infrastructure and security by design
- The only personal data our core product processes is the account details used to identify you (email address and name); see the Sub-processors section for where that data goes
- We store LinkedIn ads data, Google Ads campaign data, and CRM data (company records and deals) in our database for attribution, analytics, and MCP features, all with strict access controls and IP whitelisting. If you disconnect or cancel, stored CRM data is deleted within 30 days
- ISO 27001 and SOC 2 audits are in progress (started January 2026, auditor Sensiba) and are expected to complete around the end of summer 2026. An external third-party audit was completed by Aikido Security in February 2026. Our infrastructure provider Google Cloud is already SOC 2 Type II and ISO 27001 certified
- You control what gets connected, and nothing happens without your authorization
- Integrations can be paused or revoked at any time
- MCP (connect your data to LLMs like Claude, ChatGPT, and Cursor) is available on the Unlimited and Agency plans and requires a connected CRM
- Website visitor company identification is powered by our partner Dealfront (Leadfeeder), used both on fibbler.co and as part of the Google Ads attribution add-on. Dealfront is ISO 27001 and ISO 27701 certified with all data hosted in the EU. We have a Data Processing Agreement in place with Dealfront
Frequently asked questions
Where is data stored?
All customer and application data is hosted in the EU on Google Cloud (Belgium region) and is processed within the EEA. The two exceptions are marketing email (Loops, US-based under the EU-US Data Privacy Framework) and the advertising measurement tags on our marketing website; both are listed in the Sub-processors section below. See the Infrastructure section below for details.
Do you process personal data?
The only personal data we handle in the product is your account email address and name, used for account management, product analytics, and transactional and marketing email (the sub-processors involved are listed below). Website visitor identification by Dealfront on fibbler.co also processes visitor IP addresses and session data; see the Sub-processors section. We do not process individual contact records from your CRM, personal identifiers of your contacts, LinkedIn messages, or sensitive information of any kind.
We do store company-level and deal/opportunity data from your CRM (company names, domains, deal amounts, deal stages) to power attribution and analytics features. This is business data about companies, not data about individuals.
What do you access in LinkedIn, Google Ads, HubSpot, Salesforce, Attio, and Pipedrive - and why?
We only access company-level and deal/opportunity data required to power the analytics, attribution, and reporting features you explicitly enable.
LinkedIn Ads
We access your LinkedIn Ads account via the LinkedIn Marketing API:
| Data | Access | Fields | Why it's used |
|---|---|---|---|
| Campaigns | Read | name, ID, status, objective | To display and attribute campaign performance |
| Performance Metrics | Read | impressions, clicks, spend, engagements | For attribution and ROI reporting |
| Company Engagement | Read | company name, domain, engagement data | To match ad engagement to CRM accounts |
| Campaign Targeting | Write | targeting exclusions (job titles, companies) | For Audience Exclusions and Impression Caps features (only when enabled by you) |
HubSpot, Salesforce, Attio & Pipedrive
We access the following data from your CRM:
| Object | Access | Fields | Why it's used |
|---|---|---|---|
| Company/Account | Read | name, domain, ID | To match CRM records to campaigns |
| Opportunity/Deal | Read | name, amount, status, created/close dates, ID | For revenue attribution and funnel reporting |
| Campaign | Read | name, ID | To group and track marketing campaign data |
| Custom Fields | Read | field names only (not values) | To allow mapping of ad data into the CRM |
| Custom Fields | Write | Fibbler-created fields on Company/Account (HubSpot, Salesforce, Attio & Pipedrive) | For CRM Sync: creates fields to store LinkedIn ad engagement data (only when enabled by you) |
CRM Sync write access is limited to Fibbler-created fields on the Company/Account records of the CRM you have connected (HubSpot, Salesforce, Attio, or Pipedrive), and is only used when you explicitly enable CRM Sync. All other CRM access is read-only.
Google Ads (optional add-on)
We access campaign and performance data via the Google Ads API. All Google Ads API access is read-only. Website visitor company identification for this add-on comes from our partner Dealfront, not from the Google Ads API (last row below).
| Data | Access | Fields | Why it's used |
|---|---|---|---|
| Campaigns | Read | name, ID, status, type, budget | To display campaign performance and attribution |
| Ad Groups / Keywords | Read | name, ID, text, match type, metrics | To group performance and connect search terms to pipeline |
| Performance Metrics | Read | clicks, impressions, spend, conversions | For attribution and ROI reporting |
| Website Visitor Data (via Dealfront) | Read | company name, industry, visit behavior | To match website visits to Google Ads campaigns and CRM deals |
Do you store any of that data?
We store LinkedIn ads data, Google Ads campaign data, and CRM data in our database to power attribution, analytics, and MCP features. This includes campaign performance metrics, audience exclusions, attribution data, CRM company records (name, domain), and deal/opportunity records (amount, stage, dates).
CRM data is synchronized on a regular schedule and kept up to date while your integration remains connected. If you disconnect or cancel, stored CRM data is deleted within 30 days. If you prefer not to have CRM data stored, you can opt out by contacting support@fibbler.co.
All stored data is encrypted at rest using AES-256 encryption.
Do you push anything back into my CRM?
Only if you explicitly enable it. CRM Sync allows pushing LinkedIn ad engagement data into HubSpot, Salesforce, Attio, or Pipedrive by creating custom fields on your Company/Account records. This is:
- Off by default
- Fully user-controlled
- Limited to the exact fields and actions you've configured
We never write anything back unless you turn it on.
Do you sell or enrich customer data?
No. Never. We don't monetize, resell, enrich, or profile your data - and we never will.
Do you have a security certification?
We are not yet SOC 2 or ISO 27001 certified. Our SOC 2 and ISO 27001 audits are in progress (started January 2026, conducted by our auditor Sensiba) and are expected to complete around the end of summer 2026. Our hosting and infrastructure provider, Google Cloud, is already SOC 2 Type II and ISO 27001 certified; note that a provider's certification covers the provider's controls, not ours. We completed an external third-party security audit by Aikido Security in February 2026 (see the penetration testing question below for its scope).
Do you run penetration tests?
We perform internal security reviews and rely on Aikido's automated scanning and alerting to monitor our infrastructure, containers, and codebase; the February 2026 Aikido audit was based on this tooling. We have not yet commissioned a manual third-party penetration test; one is planned as part of our SOC 2 audit.
Do you have an incident response or recovery plan?
Yes. We maintain internal policies for:
- Business continuity
- Incident response
- Daily backups of stateful systems (like user accounts and settings)
If something breaks, we can restore customer-critical infrastructure within 24 hours (our recovery time objective). Because backups are taken daily, a worst-case restore could lose up to 24 hours of data (our recovery point objective); CRM and ads data is re-synchronized from the connected sources. In the event of a personal data breach, we'll notify affected customers without undue delay and within 48 hours of becoming aware of it.
Infrastructure & Data Centers
We use Google Cloud to ensure high availability and security:
Google Cloud Platform (Primary Infrastructure)
- European regions for EU data residency
- SOC 2 Type II certified
- ISO 27001-certified data centers
- GDPR compliant infrastructure
- Immutable infrastructure and security by design
Fibbler uses Google Cloud Platform as its cloud provider; for more information about how Google manages security, see Google Cloud's security documentation.
We have conducted a Transfer Impact Assessment (TIA) for transfers outside the EEA that rely on GDPR Article 46 safeguards (Standard Contractual Clauses), as recommended following the Schrems II judgment. All customer and application data hosting is located within the EEA. Website analytics data may be processed outside the EEA under appropriate safeguards (Standard Contractual Clauses or EU-US Data Privacy Framework).
Sub-processors
Fibbler uses the following sub-processors to deliver our services. Customer and application data is processed exclusively within the European Economic Area (EEA), unless otherwise stated below.
| Sub-processor | Location | Purpose | Data Processed |
|---|---|---|---|
| Google Cloud (Cloud Run, Cloud SQL) | Belgium region (EU); GDPR DPA, SOC 2, ISO 27001 | Primary infrastructure and database hosting | Application data, LinkedIn ads data, Google Ads data, CRM data |
| Redis | EU-hosted | Caching layer | Temporary session and cache data |
| Sentry | EU-hosted | Error monitoring and logging | Error logs and performance metrics (no customer PII) |
| PostHog | EU Cloud | Product analytics for the Fibbler app (pageviews, signup/login, payment, integration connections, activation) and website analytics for fibbler.co (pageviews and attribution). No session recordings, heatmaps, or autocapture | Pseudonymous product events and user identification (ID, email, name) |
| Resend | EU-hosted | Transactional email delivery | Email addresses for account notifications only |
| Loops | US-based (EU-US Data Privacy Framework certified) | Marketing emails, announcements, updates | Email address and subscription status (active, trial, former customer) for email communications |
| Stripe | EU operations | Payment processing | Billing and payment metadata only; no application, ads, or CRM data is shared |
| Dealfront (Dealfront Finland Oy / Leadfeeder) | EU (Finland/Germany) (ISO 27001, ISO 27701) | Website visitor company identification (used on fibbler.co and for Google Ads attribution customers) | IP addresses, visitor behavior, session data, first-party cookies (if enabled) |
| Google (Google Ads API) | EU operations | Google Ads campaign data retrieval | Campaign metrics, clicks, impressions, keywords, spend data (aggregated, no PII) |
All sub-processors are bound by GDPR-compliant data processing agreements. A few details on the website and analytics tooling:
- Dealfront (Leadfeeder): the visitor identification script runs on fibbler.co, not inside the Fibbler app. For customers of the Google Ads attribution add-on, Dealfront visitor data is processed as described in the Google Ads section above.
- PostHog: hosted on EU Cloud and used both in the Fibbler app and on fibbler.co. On fibbler.co it operates in cookieless mode until you give consent; after consent, cookies and persistent identifiers are used.
- LinkedIn Insight Tag and Google Ads Tag (gtag.js): used on our marketing website for advertising measurement. Both are covered by cookie consent and only activate after explicit user approval.
Technical & Organizational Measures (TOMs)
We apply the following technical and organizational measures (TOMs) to protect your data, account, and integrations. The measures below, together with the sub-processor list and infrastructure details on this page, are the reference for vendor and security reviews:
- All data transfer and database connections encrypted using TLS
- Database access restricted to whitelisted IP addresses only
- Database accounts have minimal required permissions
- All database and production infrastructure access is logged, and logs are reviewed regularly
- Real-time monitoring and alerting
- Regular security updates and patches
- Dependency scanning and vulnerability alerts
- Backup data encrypted and stored separately
- Annual third-party security audits (Aikido)
Only authorized personnel with specific business needs can access the database or production infrastructure.
Documents and DPA/NDA
Our Technical and Organizational Measures (TOMs) and full sub-processor list are documented in the sections above. We also offer a standard DPA (aligned with GDPR) and a Mutual NDA for vendor evaluation. Email support@fibbler.co to request these or if you have any other security questions.