Compliance & Permissions

When you add Fibr to your website, you're trusting us with your visitor data and site performance. We take that seriously. This page explains how Fibr handles security, privacy, and access controls so you can evaluate us with confidence.


Security Overview

How Fibr protects your data:

  • Encryption in transit: All data transferred between your website, our servers, and your dashboard uses TLS 1.2+ encryption.

  • Encryption at rest: Stored data is encrypted using AES-256 encryption.

  • Infrastructure: Fibr runs on enterprise-grade cloud infrastructure with SOC 2 Type II certified providers.

  • Access controls: Internal access to customer data is restricted to authorized personnel only, with audit logging enabled.

  • Regular security testing: We conduct periodic penetration testing and vulnerability assessments.

What Fibr does NOT access:

  • Payment or credit card information

  • Passwords or authentication credentials

  • Personally identifiable information (PII) unless explicitly configured for personalization

  • Your website's backend systems or databases


Data Privacy

What data does Fibr collect?

Fibr collects visitor interaction data to power experiments and personalization. This typically includes:

  • Page URLs visited

  • Device and browser information

  • Geographic location (country/region level)

  • Referral source and UTM parameters

  • Interaction events you configure (clicks, form submissions, etc.)

  • Experiment and variant assignments

What Fibr does NOT collect by default:

  • Names, email addresses, or contact information

  • Form field contents (unless you explicitly configure event tracking)

  • Keystrokes or session recordings

  • Cross-site browsing behavior

Cookie usage:

Fibr uses first-party cookies to identify returning visitors and maintain consistent experiment assignments. These cookies:

  • Are scoped to your domain only

  • Do not track users across other websites

  • Can be configured to respect user consent preferences


GDPR Compliance

Fibr is designed to support GDPR compliance for businesses operating in or serving the European Union.

How Fibr helps you stay compliant:

  • Data minimization: We collect only the data necessary for experiments and personalization.

  • Consent integration: Fibr can be configured to wait for user consent before activating, integrating with your existing consent management platform (CMP).

  • Right to erasure: You can request deletion of visitor data associated with your account.

  • Data processing agreement: Enterprise customers can request a DPA that outlines our obligations as a data processor.

Your responsibilities:

  • Update your privacy policy to disclose use of personalization and experimentation tools

  • Implement appropriate consent mechanisms for visitors in regulated regions

  • Configure Fibr to respect consent signals if required

Need a Data Processing Agreement (DPA)? Contact us at [email protected].


Data Residency

Where is data stored?

By default, Fibr processes and stores data in secure cloud infrastructure located in the United States, Europe and India.

Need data residency in a specific region?

Enterprise customers can request data residency options for EU or other regions. Contact our team at [email protected] to discuss your requirements.


Role-Based Access Controls

Fibr provides two permission levels to help you manage team access:

Role | Capabilities
Admin | Full access to all features. Can invite/remove team members, manage billing, configure integrations, create and manage all experiments and campaigns.
Member | Can create and manage experiments and personalization campaigns. Cannot invite team members, access billing, or modify integrations.

Best practices for access management:

  • Limit Admin access to team leads or managers who need full control

  • Use Member roles for day-to-day users who run experiments

  • Review team access quarterly and remove inactive users

  • When someone leaves your team, remove their access promptly from Settings → Team

Coming soon: More granular permission controls, including view-only access and workspace-level permissions for enterprise teams.


Single Sign-On (SSO)

Available on Enterprise plans

Fibr supports SSO integration with major identity providers:

  • Okta

  • Azure Active Directory

  • Ping Identity

  • Google Workspace

  • Any SAML 2.0 compliant provider

Benefits of SSO:

  • Centralized access control through your identity provider

  • Automatic provisioning and deprovisioning

  • Enforce your organization's password policies and MFA requirements

  • Simplified onboarding for new team members

Setting up SSO:

SSO configuration is handled by our team during enterprise onboarding. Contact [email protected] to get started.


Audit Logs

Available on Enterprise plans

Enterprise accounts have access to audit logs that track:

  • User logins and logouts

  • Experiment and campaign creation, modification, and deletion

  • Team member additions and removals

  • Integration connections and disconnections

  • Settings changes

Audit logs can be exported for compliance reporting or security reviews.


Content Security Policy (CSP)

If your website uses a Content Security Policy, you'll need to whitelist Fibr's domains for the script to function correctly.

Add these domains to your CSP:

For detailed CSP configuration instructions, see Whitelist Fibr in Your Content Security Policy.


Uptime and Reliability

Fibr is designed for high availability:

  • Target uptime: 99.9%

  • Redundant infrastructure: Multiple availability zones to prevent single points of failure

  • Graceful degradation: If Fibr is ever unreachable, your website continues to function normally with the original content. Visitors are never blocked or shown errors.

Status page:

Check real-time system status at status.fibr.ai (update this URL if you have a status page).


Compliance Certifications

Current:

  • SOC 2 Type II compliant infrastructure

  • GDPR ready

In progress or available on request:

  • HIPAA (contact us for healthcare use cases)

  • Custom security questionnaires

  • Vendor risk assessments

Need documentation for your security review? Contact [email protected] and we'll provide what you need.


Frequently Asked Questions

  • Does Fibr slow down my website? Fibr is designed for minimal performance impact. In our testing, the Fibr Script adds less than 10% overhead compared to 15-20% for competitors. See our performance benchmarks.

  • Can I run Fibr on a staging or local environment? Fibr requires a publicly accessible URL to validate the script. It cannot run on localhost or private staging environments without special configuration. Learn more.

  • What happens if Fibr goes down? Your website continues to work normally. Visitors see your original content without any errors. Fibr is designed to fail silently so your site is never affected by our availability.

  • How long do you retain data? By default, visitor and experiment data is retained for 12 months. Enterprise customers can request custom retention policies.

  • Can I delete my data? Yes. You can request full deletion of your account and associated data by contacting [email protected]. We process deletion requests within 30 days.

  • Do you sell or share data with third parties? No. Your data is never sold, shared, or used for advertising. We use it only to provide Fibr's services to you.


Need more information? For security questionnaires, compliance documentation, or custom enterprise requirements, email [email protected].

For enterprise inquiries: Request a call with our team to discuss your specific compliance needs.
