Hi Jon,
As some of you know, we've recently been the victim of a targeted DDoS attack on our servers, putting significant spam traffic on a few dashboards and taking our service offline for brief periods.
While these attacks haven't and wouldn't compromise our security or your personal information, they had a significant effect on our servers and their performance when they occurred.
Up until now, we've never kept access logs. We know it's pretty much industry standard to keep them but we've always fought back against it. However, following these attacks, we've consulted with experts and there's no way for us to protect ourselves without keeping access logs. For those who aren't aware, access logs contain things like IP address, User-Agent, and website address.
To that end, we now have to store access logs for 24 hours, to ensure we can detect, filter out, and then permanently block these attacks. These logs are automatically wiped after 24 hours.
Regarding compliance, under GDPR the lawful basis for keeping these access logs for a day is legitimate interest (i.e. we need to do this to combat malicious attacks that are intended to make Fathom unavailable). This means your compliance with GDPR and Fathom remains unchanged.
We take the security of these logs very seriously and have set up layers of safeguards to protect them. These logs are also not part of your data, so no customer can request them; they are strictly held for spam and DDoS attack mitigation and protection until they are automatically deleted. We will be releasing a new Data Processing Agreement in the next few months which will go into detail about this.
Digital privacy is the foundation on which Fathom has been built and how we will continue to operate. Part of this is being transparent with our customers about what we collect and why. While we'd rather not keep access logs, we do so briefly and only to ensure we can protect what we've built for customers like you.
We've also invested heavily in attack prevention and mitigation and we now have access to a highly specialized, 24x7 DDoS attack response team to help combat these attacks on our software.
In addition, we now have various spam protection filters in place. We've been experimenting with the new filter over the last 24 hours. The first version was too sensitive, so you may see a slight drop in pageviews as it flagged some false positives, but the second version is running along nicely and has been live for a few hours.
We'd like to say thank you to everyone for being so supportive. We really do have the most fantastic customers in the world, and we can assure you that we're doing everything within our power to protect Fathom from future attacks.
If you have any questions, please let us know and one of us will reply.
Thanks,
Jack & Paul
Cofounders, Fathom Analytics