Piwik PRO is the only privacy-first analytics vendor in this directory with a signed HIPAA BAA, SOC 2 Type II across all five trust principles, and ISO 27001 in production. That trio matters when you're a hospital, a bank, or a public-sector department where the security questionnaire alone is a 200-row spreadsheet.
GDPR posture, sub-processors under DPA, per-jurisdiction stance, and encryption — everything a procurement team checks.
?GDPR✓ CompliantEU General Data Protection Regulation
EU's omnibus privacy law requiring a lawful basis for processing personal data (consent, legitimate interest, etc.). Applies to anyone handling EU-resident data. Piwik PRO's posture: Consent or legitimate interest. ?CCPA✓ CompliantCalifornia Consumer Privacy Act
California Consumer Privacy Act — rights for California residents (access, deletion, opt-out of sales). Triggered at $25M revenue or 50k+ CA-consumer records. ?UK PECR✓ CompliantUK Privacy and Electronic Communications Regulations
UK Privacy and Electronic Communications Regulations sit on top of GDPR specifically for cookies and electronic marketing. PECR Reg 6 governs analytics-cookie consent. ?SOC 2 · II✓ CompliantSOC 2 Type II
SOC 2 Type II — independent audit verifying security/availability controls operate effectively over 6+ months. Standard B2B procurement requirement. ?ISO 27001✓ CompliantISO/IEC 27001 information-security
ISO/IEC 27001 — international information-security management standard, certified by accredited bodies on a 3-year renewal cycle. ?HIPAA✓ CompliantUS HIPAA (with BAA)
US health-data law requiring a Business Associate Agreement (BAA) for any tool touching protected health information. Without BAA the tool cannot legally process PHI.
Per-jurisdiction posture
🇫🇷
FranceCNILBanner recommended
Default mode uses cookies + session fingerprints; consent typically required. Anonymous Mode is configurable for banner-free posture.
?France · CNIL
Default mode uses cookies + session fingerprints; consent typically required. Anonymous Mode is configurable for banner-free posture. 🇬🇧
United KingdomUK ICO / PECRBanner recommended
Default cookies trigger PECR Reg 6 consent. Anonymous Mode bypasses.
?United Kingdom · UK ICO / PECR
Default cookies trigger PECR Reg 6 consent. Anonymous Mode bypasses. 🇩🇪
· On-premises Analytics Suite (Docker / Kubernetes, commercial agreement)
Used by
Companies and projects that publicly trust Piwik PRO.
Boston Children's Hospital
Boston Medical Center
Rochester Regional Health
Children's Hospital & Medical Center, Nebraska
Shepherd Center
Editor review
Independently reviewed by Mark Sutton, cross-checked against vendor documentation. Click any panel to expand.
+What it does well▾
Piwik PRO is the only privacy-first analytics vendor in this directory with a signed HIPAA BAA, SOC 2 Type II across all five trust principles, and ISO 27001 in production. That trio matters when you're a hospital, a bank, or a public-sector department where the security questionnaire alone is a 200-row spreadsheet.
Official MCP server published on GitHub + PyPI (PiwikPRO/mcp) — controls Analytics, CDP, and Tag Manager via Claude or Cursor with natural-language queries. Plus a dedicated "AI-ready data" export pipeline (piwik.pro/ai-ready-data) that ships structured, timestamped, session-scoped data formatted for AI consumption. Plus opt-in beta anomaly detection inside Settings. Three AI/MCP capabilities — most in the directory.
Integrated suite (Analytics + Tag Manager + Consent Manager + Customer Data Platform) means one vendor, one DPA, one invoice. Most rivals make you stitch together three.
Multi-region data residency is real and customer-selectable: Sweden, Germany, Netherlands, France for the EU; US Azure for HIPAA; Hong Kong for APAC. You pin where the data lives at provisioning, not after a support ticket.
The GA4-shaped UX trims migration cost — analysts who used GA4 last week can run reports on day one.
−Weaknesses & gotchas▾
Piwik PRO is closed-source and priced for enterprise. The freemium Core plan was discontinued in 2025, so the floor is €35/mo Business or €366/mo for SOC 2 / multi-region, with three of four tiers gated behind sales calls. If you're an indie blog or a 50k-pageview SaaS, this is not your tool.
The tracking script is heavy — ~86 KB gzipped, ~40-80× the size of Plausible (~1KB) or Fathom (~2KB) — which dents Core Web Vitals on slow connections.
The default mode still uses cookies and session fingerprints, so unlike Plausible or Fathom you typically still need a consent banner. (The Anonymous Mode exists, but it's a deliberate downgrade.)
The DNT browser signal is not addressed publicly by the vendor — verify behaviour during procurement.
★Best for▾
Best for: regulated enterprises that need a signed BAA or SOC 2 evidence in a vendor questionnaire. Healthcare systems (Boston Children's, Rochester Regional, Children's Nebraska are public references), banks under DORA/EBA, insurers, government departments, EU-only B2B with strict Schrems II posture.
Real value at the Trusted Insights tier (~€800-2k+/mo). That's where you unlock HIPAA BAA, SOC 2 evidence, multi-region pinning, and the CDP. Below that you're paying for Tag Manager + Analytics that other privacy vendors give you cheaper.
Not for indie sites, side projects, blogs, or anything under ~€20k ARR. The €35/mo Business floor is technically reachable, but you'd see better value in Plausible or Umami. The Piwik PRO sales cycle, security questionnaire, and onboarding workflow are designed for procurement, not solo founders.
⚡Setup walkthrough▾
Piwik PRO ships as a single Tag Manager container snippet that you paste once; everything else (Analytics, Consent Manager, custom events) is configured inside the Tag Manager UI. Expect ~86 KB gzipped on first paint — async, but worth measuring on mobile LCP.
WordPress: official plugin handles the snippet, opt-out, and Consent Manager hand-off. GTM users: Piwik PRO publishes a GTM template so you can fire it as a tag inside an existing Google Tag Manager container — useful during migration.
Server-side / first-party proxy: Enterprise tiers include a server-side container (CNAME + custom domain) so the tracker loads from yourdomain.com — bypasses ad blockers and improves data accuracy.
Mobile: native SDKs for iOS, Android, Flutter, React Native are published on github.com/PiwikPRO. HIPAA setup: sign BAA first → vendor provisions Azure US workspace → activate before any patient data is collected.
↔Migrating from GA4▾
From GA4: the data model maps almost 1:1 (events, parameters, user properties, custom dimensions). Piwik PRO publishes a migration guide; in practice, ship Piwik PRO in parallel for 30-60 days, reconcile core KPIs, then sunset GA4. Many teams keep GA4 running for Google Ads attribution while Piwik PRO becomes the source of truth — Piwik PRO's BigQuery export covers the analytics warehouse half.
From Matomo Cloud or Matomo On-Prem: the harder migration despite the shared lineage — Piwik PRO's data model diverged after the 2016 fork and event schemas don't translate cleanly. Expect to redefine goals, custom variables, and segment definitions. The win is the compliance package (HIPAA BAA, SOC 2) you can't get from Matomo. If you're moving because Matomo Cloud's pricing scaled poorly above 5-10M actions or because you need a BAA, the migration cost is justified at Trusted Insights tier and above.
Help & FAQ
Where to get help with Piwik PRO and the questions buyers email us about.
Will Piwik PRO sign a Business Associate Agreement for HIPAA workloads?▾
Yes, on the Trusted Insights and Secure Intelligence Enterprise tiers. The BAA is customised and signed before any patient data is collected; HIPAA workloads run on Microsoft Azure US with AES-256 encryption. Business and Data Fundamentals tiers do NOT support BAAs.
Can we keep all customer data inside the EU?▾
Yes. Choose Sweden (Elastx), Netherlands (Azure), Germany (Azure), or France (Orange Flexible Engine) at provisioning. Business tier is EU-only Sweden by default. Some support tooling (Intercom) is US-hosted under SCCs.
What certifications can we verify in our vendor risk review?▾
ISO 27001 (August 2024), SOC 2 Type II (September 2022, all five trust principles, 107-page report on 129 controls), and HIPAA self-attestation with BAA. SOC 2 report available under NDA from your account executive.
Is Piwik PRO related to Matomo / Piwik open source?▾
No, separately operated. Piwik PRO is a Polish company founded 2013 that started as consulting around the open-source Piwik project. In 2016 it forked off and built its own proprietary suite. Piwik PRO is closed-source enterprise SaaS; Matomo (InnoCraft NZ) is the GPL-3.0 open-source line.
Can we deploy on-premises on our own Kubernetes cluster?▾
Yes. The Piwik PRO Analytics Suite is offered as an on-premises deployment (Docker / Kubernetes). Separate DPA applies, pricing is per-quote, includes dedicated technical contact.
What happens to our data on contract termination?▾
Per the standard DPA, customer data is exported in JSON/CSV/XML on request and deleted from production systems within the contractual window. Default analytics retention is configurable (14, 25, or 60 months); Business tier retains 25 months.
Does Piwik PRO honour the Do Not Track browser signal?▾
Not disclosed by vendor. Neither the privacy policy nor privacy-security page explicitly addresses DNT. Anonymous Tracking Mode and the in-house Consent Manager are the recommended privacy controls; verify DNT behaviour via account executive.
🇩🇪 