
Fathom

Fathom is a privacy-first analytics vendor that operates without cookies, does not collect personal data, and requires no consent banners — representing one of the lowest-risk analytics deployments in the VIDB.

59 IOCs
Vendor Risk Score: 0

How This Briefing Works

This report opens with key findings, then maps the gaps between what Fathom discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Analysis pending. Findings will appear here once intelligence collection is complete.

Disclosure Gaps

Claims vs. Observed Behavior

2 gaps

Gap 1 (pending, LOW)
  They Claim: No cookies or personal data collected
  Observed Behavior: Awaiting scanner verification to confirm zero cookie deployment and data transmission patterns

Gap 2 (pending, LOW)
  They Claim: EU data processed in EU
  Observed Behavior: Data residency claim awaiting infrastructure verification

Customer Impact

What This Means For You

Fathom actively reduces compliance risk for organizations that deploy it. By eliminating cookies and personal data collection, Fathom removes the need for cookie consent banners under the ePrivacy Directive and simplifies GDPR compliance posture. Organizations replacing heavier analytics platforms with Fathom can reduce their data processing inventory and potentially simplify their privacy impact assessments. The tradeoff is reduced analytical depth — organizations needing individual-level behavioral analysis, conversion attribution, or cohort segmentation will find Fathom insufficient for those use cases.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

Recommended Actions for Fathom

  • Fathom is a low-risk deployment — no urgent remediation actions required
  • Verify the Fathom script tag is loading from the expected CDN (cdn.usefathom.com) and not a modified version
  • Consider Fathom as a replacement for higher-risk analytics vendors if your analytics needs are aggregate-level
  • Document Fathom in your data processing inventory as a minimal-footprint analytics processor
  • Review Fathom's DPA if operating in regulated industries to confirm jurisdictional coverage

Negotiation Leverage

  • Fathom's pricing is transparent and publicly listed, which limits negotiation leverage on cost. However, the value proposition is compliance simplification rather than feature depth. Key questions for evaluation: (1) What is the data retention period for aggregate analytics? (2) How does the pseudo-anonymization process work technically — is it documented for audit purposes? (3) What happens to data upon account termination? Fathom's independent, bootstrapped status means no venture capital pressure to monetize data in the future, which is a meaningful long-term trust signal.

IOC Manifest

59 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Category  Indicator                                          Note
TRACK     *usefathom.com/assets/js/fathom.js*                Tracking script
TRACK     *usefathom.com/assets/js/bootstrap.bundle.js*      Tracking script
TRACK     *quick-esteemed.usefathom.com/*                    Tracking script
TRACK     quick-esteemed.usefathom.com/                      Auto-extracted from scan
TRACK     usefathom.com/assets/js/bootstrap.bundle.min.js    Auto-extracted from scan
TRACK     usefathom.com/assets/js/fathom.js                  Auto-extracted from scan
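The manifest description above says the indicators are meant for detection rules, CSP policies and Pi-hole blocklists, and the recommended actions ask you to verify that the Fathom script tag loads from the expected CDN (cdn.usefathom.com) and is not a modified copy. The Python below is an added example that does those things with the manifest entries listed on this page; it is not BLACKOUT, VIDB or Fathom code. It assumes that a `*` in a manifest pattern is a wildcard and that a pattern without a leading `*` matches from the start of `host/path`; the sample request URLs (including the `/script.js` path), the stand-in script body and the use of cdn.usefathom.com as the expected host are constructed or taken from the recommended actions, not from the scan.

```python
"""Detection, CSP and blocklist material derived from the Fathom IOC manifest.

Added example, not BLACKOUT/VIDB or Fathom code. Manifest entries are copied
from the page; wildcard semantics, sample URLs, the script body and the
expected host are assumptions or constructed inputs.
"""
import base64
import hashlib
import re
from urllib.parse import urlsplit

# Manifest entries as listed on the page: (category, pattern, note).
IOC_MANIFEST = [
    ("TRACK", "*usefathom.com/assets/js/fathom.js*", "Tracking script"),
    ("TRACK", "*usefathom.com/assets/js/bootstrap.bundle.js*", "Tracking script"),
    ("TRACK", "*quick-esteemed.usefathom.com/*", "Tracking script"),
    ("TRACK", "quick-esteemed.usefathom.com/", "Auto-extracted from scan"),
    ("TRACK", "usefathom.com/assets/js/bootstrap.bundle.min.js", "Auto-extracted from scan"),
    ("TRACK", "usefathom.com/assets/js/fathom.js", "Auto-extracted from scan"),
]

# Host named in the page's recommended actions as the expected script source.
EXPECTED_SCRIPT_HOST = "cdn.usefathom.com"


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a manifest pattern against a scheme-less 'host/path' string.

    Assumed semantics: '*' matches any run of characters; a pattern with no
    leading '*' must match from the start of 'host/path'.
    """
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    if not pattern.startswith("*"):
        body = "^" + body
    return re.compile(body)


MATCHERS = [(cat, pat, pattern_to_regex(pat), note) for cat, pat, note in IOC_MANIFEST]


def host_and_path(url: str) -> str:
    """'host/path' form of a URL; the query string is deliberately ignored."""
    parts = urlsplit(url)
    return parts.netloc.lower() + parts.path


def match_ioc(url: str):
    """Return (category, pattern, note) of the first matching entry, or None."""
    target = host_and_path(url)
    for cat, pat, rx, note in MATCHERS:
        if rx.search(target):
            return cat, pat, note
    return None


def pihole_blocklist(manifest=IOC_MANIFEST) -> list:
    """One bare domain per line, the plain list format Pi-hole adlists accept.

    The host is everything before the first '/' with any leading '*' removed.
    Subdomain coverage depends on Pi-hole's matching mode, so subdomains that
    appear in the manifest are listed explicitly rather than implied.
    """
    hosts = {pat.lstrip("*").split("/", 1)[0] for _, pat, _ in manifest}
    return sorted(hosts)


def csp_script_src(allowed_hosts=(EXPECTED_SCRIPT_HOST,)) -> str:
    """script-src directive permitting only the expected analytics host.

    A Fathom-looking script served from any other origin is refused by the
    browser, which is the policy-level form of the 'expected CDN' check.
    """
    return "script-src 'self' " + " ".join(f"https://{h}" for h in allowed_hosts)


def classify_script_request(url: str, expected_host=EXPECTED_SCRIPT_HOST) -> str:
    """Triage one script request taken from a HAR capture."""
    host = urlsplit(url).netloc.lower()
    if host == expected_host:
        return "expected-cdn"
    if match_ioc(url) is not None:
        return "ioc-match"
    return "unrelated"


def sri_attribute(script_body: bytes) -> str:
    """Subresource Integrity value (sha256-<base64>) for a known-good body."""
    digest = hashlib.sha256(script_body).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def verify_sri(script_body: bytes, integrity: str) -> bool:
    """True when a fetched body still matches the pinned integrity value."""
    return sri_attribute(script_body) == integrity


# Constructed HAR-style request URLs; '/script.js' on the CDN is an assumption.
SAMPLE_REQUESTS = [
    "https://cdn.usefathom.com/script.js",
    "https://usefathom.com/assets/js/fathom.js?v=3",
    "https://quick-esteemed.usefathom.com/collect",
    "https://example.org/static/app.js",
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(f"{classify_script_request(url):13s} {url}  {match_ioc(url)}")
    print(csp_script_src())
    print("\n".join(pihole_blocklist()))
```

Pin the `integrity` value on the Fathom `<script>` tag once you have confirmed a good copy, and the host-based triage above catches the other half of the action: a script that matches the manifest but does not come from the expected host is the case worth a closer look in the HAR capture.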
Ecosystem

Ecosystem & Supply Chain

Fathom operates as a standalone analytics service with minimal third-party integrations. It does not feed data into advertising platforms, CDPs, or marketing automation tools. Fathom offers a simple API for data export and integrates with common platforms (WordPress, Carrd, etc.) via embed script. There is no self-hosted option — Fathom is cloud-only, hosted on infrastructure managed by Fathom with EU data processing for EU visitors. The ecosystem footprint is intentionally small, which limits both data sharing risk and integration complexity.

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

59 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details