From 537f0312efe8aad19453fc1c887c411e90cb1f70 Mon Sep 17 00:00:00 2001 From: Marko Saric Date: Wed, 6 May 2026 10:21:52 +0200 Subject: [PATCH] compliance --- docs/compliance.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/compliance.md b/docs/compliance.md index be3cb11f..f168cbf1 100644 --- a/docs/compliance.md +++ b/docs/compliance.md @@ -15,6 +15,14 @@ Plausible publishes its security practices, data policy and legal documents publ Plausible does not process personal data or track individual users. There are no cookies, no cross-site tracking and no persistent user identifiers. Because of this, Plausible is typically classified as a low-risk service in vendor security assessments and GDPR impact analyses. +The specific reasons it falls into this category: + +- No personal data is collected. Plausible does not store IP addresses, device fingerprints or any other persistent identifiers. +- No cookies are set. There is nothing to consent to and no cookie banner is required. +- All data is processed and stored in the EU on servers owned and operated by European companies. Data never leaves the EU. +- No data is shared with or sold to third parties. +- A DPA is in place automatically for all customers, covering GDPR processor obligations. + ## Security questionnaires If your organization requires a vendor security review, the documents above are designed to answer the questions typically asked in those reviews. We recommend going through them before sending a questionnaire, as most topics are already covered.
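Review bot: In the first added bullet of the docs/compliance.md hunk, the heading claim "No personal data is collected" is supported only by a statement about storage ("does not store IP addresses, device fingerprints or any other persistent identifiers"), while the unchanged paragraph just above says Plausible "does not process personal data". Collecting, processing and storing are separate questions in a vendor security assessment or GDPR impact analysis, so a reader of this list will ask how the IP address of an incoming request is handled before anything is stored. Suggest using one verb consistently across the paragraph and the bullet, or adding a sentence on request-time handling with a link to the data policy that the hunk's context line says is published. The absolute statements "Data never leaves the EU" and "There is nothing to consent to" would likewise be easier to accept in a review if each linked to the document that supports it, and "DPA" should be expanded and linked on first use. The subject line "compliance" does not say what changed; something that names the added list of low-risk reasons would make the history searchable.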