Matomo currently observe the technical and organisational measures described in our DPA (see the “Appendix 1 – Technical and Organisational Measures”) <- in this link you will find our measures for Access control (Preventing Unauthorised Product Access, Preventing Unauthorised Product Use, Limitations of Privilege & Authorisation Requirements), for Transmission Control, Input Control, and for Availability Control.

The Matomo platform (software) also provides several security mechanisms:

  1. Access controls ensuring only the authorized people can view report and raw user data;
  2. Audit logs provided to you to ensure that all your staff (and your users and customers) activities are recorded and can be accounted for;
  3. Our staff does not access your data unless required to assist you;
  4. All sessions at are encrypted with SSL;
  5. User confidential information (user passwords) is encrypted using best practices encryption algorithm;
  6. Two-factor authentication 2FA available in Matomo and can be enforced;
  7. Software development best practises are in place such as systematic code reviews, automated testing, internal security reviews;

Matomo also has an excellent application security track record over the last 11 years. Our products source code is regularly security-audited by independent security researchers and we have an excellent track record over the past 10 years. We run a very popular Bug Bounty program, and dozens of researchers review most of our codebase every year: as well as running a public program on Hackerone

The Matomo Cloud service is hosted by us on AWS secure infrastructure.

Our Matomo cloud solution is hosted by AWS. AWS is compliant with all major security certifications.

AWS is currently the biggest provider of Cloud infrastructure and aligns well with our data protection and data ownership mission. It is built to meet the requirements of the most security-sensitive and privacy-aware organisations. We are working with a team of very experienced and certified AWS engineers, and the official AWS enterprise support team to ensure all privacy and security best practices are met.

Our infrastructure is hosted within a private network, which ensures none of your data or network traffic can be accessed by third parties.

You can learn more about AWS security practises here.
A more detailed security whitepaper is available here.

Also, on this page they write the following:

AWS provides physical data center access only to approved employees. All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions.

Previous FAQ: In which locations does the Matomo Cloud store the data?