Siteimprove Analytics: Data Flows and Compliance
By Mads Sørensen
How does Siteimprove Analytics work?
Siteimprove is a market-leading website analytics SaaS provider based and founded in Denmark. We have developed our Analytics solution purely to help our customers gain technical and commercial insights/statistics into how their visitors use and engage with their web environment, so they can improve the experience for everyone visiting their website.
Siteimprove enables website owners to monitor visitor behavior if the visitor has accepted that a cookie may be placed on the visitor’s terminal equipment.
Using Siteimprove Analytics requires that we set cookies on your site. On a general note, these cookies are technically necessary and do not collect personal data. Read more about the Siteimprove Analytics cookies.
Once the cookie is set, a script is loaded and Siteimprove will start collecting data on how the visitor uses the given website. This data is collected on behalf of the website owner as Data Controller and is the property of the website owner. The data will flow from the visitor to Siteimprove’s data centers in the EU. This is described later in this article and illustrated in Figure 1 - Map of dataflow.
Figure 1 - Map of dataflow
Use of third-party providers for Siteimprove Analytics
Like most companies and authorities in the world, Siteimprove does not rely on local servers. We have our services infrastructure built in what we believe to be the world’s best and safest cloud environments to ensure a secure, scalable, and highly available solution for customers everywhere.
All data processed by Siteimprove belongs to our customers and the customers have full discretion as to which web statistics they want to track and measure.
To deliver or process the Siteimprove Analytics service, Siteimprove uses the following third parties:
Technical delivery of script:
Siteimprove utilizes Cloudflare as a CDN (Content Delivery Network) to host our Analytics Script to ensure fast hosting and loading when our Analytics is requested by our customers’ visitors. Siteimprove Analytics data will not be collected if the script is not loaded before a visitor leaves the page or continues to a new page.
Data sent to our data centers:
Once the script is loaded and Siteimprove Analytics has captured the relevant and requested web analytics data, the data is sent through our data pipeline to:
- AWS Datacenter (Frankfurt, Germany) – Data transit.
- InterXion Datacenter (Ballerup, Denmark) – Data storage.
The web analytics data collected by Siteimprove is sent by the Load Balancer (as illustrated in Figure 1) to the Siteimprove Analytics endpoint in AWS that is closest to where the visitor is located. This ensures that Analytics customers can view and utilize their web analytics in the platform as fast as possible. Siteimprove does not send data to be stored in any third country. Data collected from visitors from outside the EU will likewise be sent to InterXion in Ballerup, Denmark, and Amazon AWS EMEA in Frankfurt, Germany.
How are IP addresses processed in Siteimprove Analytics?
Siteimprove Analytics includes the processing of IP addresses from your website visitors.
IP addresses are collected through the Analytics Script once the Analytics is running in the visitor’s browser. IP addresses are used to provide information about the individual visitor’s location by region, country, and city, as well as an Organization / Internet Service Provider if possible.
Siteimprove Analytics offers an IP Anonymization feature through which you can choose to limit the processing of IP addresses to what is necessary to still achieve the minimum viable Analytics service while avoiding further storage of IP addresses. Learn more about IP Anonymization.
How Siteimprove Analytics and included data flows are GDPR compliant
In Europe, IP addresses are considered personal data, which can be processed if you as a data controller can document a legal basis for such processing. There is typically also a cookie involved which requires consent to be set, but on a general note, processing website statistical data concerning website visitors (e.g. to analyze the efficiency of the website, the most visited sites, how the website is used, where traffic comes from, etc.) is widely regarded as pursuing a legitimate interest of the business, organization, authority, etc.
Due to recent developments in the privacy landscape, more specifically the Schrems II ruling from the EU Court of Justice, it has however become more difficult to legally use tools that transfer personal data to third countries and especially the US.
Siteimprove Analytics does not include transferring IP addresses to any third country. Siteimprove uses two cloud-providers for offsite back-up: InterXion (located in Denmark) and Amazon AWS EMEA SARL (“AWS”) (located in Germany).
Siteimprove furthermore considers the use of AWS in Frankfurt compliant with any privacy regulation due to several factors:
- Siteimprove services are run from AWS Frankfurt in Germany. Siteimprove does not instruct or allow AWS to transfer data to third countries and AWS does not inherently transfer data outside the chosen region. Using AWS services does not require any AWS support engineers to access any data at any time. As such, using AWS is not a third country-transfer situation.
- AWS is still recognized as a legal hosting provider to EU companies and various European national IT systems. No Court of law or Data Protection Authority has stated otherwise and Siteimprove does not believe that this legal position will change. On the contrary, we are confident that once the dust has settled following the ongoing Schrems II privacy debates and the current negotiations between the EU and the US on cross-Atlantic data sharing and transfers, AWS’ European data centers will continue to be regarded as one of the most compliant and safe data center providers for European companies and public authorities.
- AWS provides advanced encryption services and tools that customers can use to protect their customer data, including the ability for customers to manage their own encryption keys. AWS Key Management Service (AWS KMS) is designed so that no one, including AWS employees, can retrieve your plaintext keys from the service. These advanced encryption services together with Amazon’s public commitment to challenge access requests were recently considered to provide a sufficient level of protection by the French Administrative Supreme Court in a case where health data was stored in AWS Frankfurt.
- Siteimprove conducts at least annual audits of AWS and no past audits have resulted in findings or a need for adoption of further measures.
Considering the above factors, it remains Siteimprove’s opinion that the use of AWS’ datacenter in Frankfurt is indeed possible under European privacy laws.
Addressing tests performed on Siteimprove Analytics showing data transfers to the US
Siteimprove is aware that some customers are advised to use certain third-party tools to test their websites, including scripts, for GDPR compliance. We have also witnessed that this sometimes results in the Siteimprove Analytics script being flagged as including a US transfer. This result is mainly due to the script being loaded through Siteimproveanalytics.com and is a misleading false positive because we use Cloudflare for delivery of the script (as explained earlier in this article and illustrated in Figure 1). Some testing tools simply look up where a certain domain URL is registered, and these types of testing tools do not have any knowledge of or insight into the software infrastructure that transports or stores the relevant data.