Vitals
- Version: 5.10.0 (Released 2026-05-03)
- Velocity: Active (Last commit 2026-05-05)
- Community: 21.5k Stars · 2.8k Forks
- Backlog: 2554 Open Issues
Profile
- Official: matomo.org
- Source: github.com/matomo-org/matomo
- License: GPL v3 (Core) | Proprietary (Premium)
- Deployment: Docker | SaaS
- Data Model: MySQL / PHP / Redis
- Jurisdiction: New Zealand (InnoCraft Limited)
- Compliance (SaaS): ISO 27001 | GDPR
- Compliance (Self-Hosted): GDPR Ready | HIPAA Eligible
- Complexity: Medium (3/5) - PHP / MySQL stack
- Maintenance: Low (2/5) - Professional, established company (InnoCraft).
- Enterprise Ready: High (4/5) - GDPR Manager, ISO 27001 (SaaS), and multi-user RBAC
1. The Executive Summary
What is it? Matomo is an enterprise-grade web analytics platform designed to be the "legal antidote" to Google Analytics (GA4). Developed by InnoCraft in New Zealand (a jurisdiction with a formal EU "Adequacy Decision"), it provides 100% data sovereignty and is explicitly engineered to satisfy the strictest GDPR and HIPAA requirements.
The Strategic Verdict:
- For Regulated Industries (Health/Finance): Approve for Self-Hosting Only. InnoCraft does not sign BAAs for Matomo Cloud. Deploying the open-source core within your own VPC is the only path to elite compliance.
- For General Corporate Marketing: Strong Buy. Matomo Cloud is an excellent, low-risk deployment that immediately resolves the legal liabilities associated with US-based big tech trackers while providing a familiar, powerful analytics experience.
2. The "Hidden" Costs (TCO Analysis)
| Cost Component | GA4 (SaaS) | Matomo (Self-Hosted) |
|---|---|---|
| Data Ownership | Google Property (High Risk) | 100% Sovereign (VPC) |
| Privacy Banner | Mandatory (Cookie-Based) | Optional (Cookieless) |
| Support/SLA | Limited (Free Tiers) | In-house / Paid SLA |
3. The "Day 2" Reality Check
Deployment & Operations
- Installation: Primarily deployed via Docker Compose or a standard LAMP/LEMP stack. Its architecture is mature and robust, capable of handling high-traffic enterprise web properties.
- Scalability: Highly scalable through distributed database configurations and the use of Redis for high-frequency tracking queues.
Security & Governance (Risk Assessment)
- Jurisdiction & Geopolitics (New Zealand): InnoCraft Limited is incorporated in New Zealand, which holds a formal EU GDPR adequacy decision under Article 44. This structurally shields the entity from US CLOUD Act exposure and permits data transfers from EU organizations without additional contractual mechanisms, a meaningful structural advantage over US-headquartered analytics vendors.
- The Compliance Shift: Self-hosting transfers InnoCraft's ISO 27001 ISMS controls entirely to the enterprise. The September 2025 ISO 27001 certification applies to Matomo Cloud only, not on-premise deployments. The enterprise must independently manage infrastructure security, penetration testing, and database encryption. In exchange, self-hosting grants direct MySQL access to raw analytics data, which simplifies compliance reporting for regulated environments.
- License Risk (Open Core Trap): The core platform is GPLv3, safe and copyleft-protected. However, enterprise features including Heatmaps, A/B Testing, SAML/LDAP integration, and Data Warehouse connectors are sold as proprietary Premium Plugins under the InnoCraft EULA. These plugins cannot be freely modified or redistributed. Enterprises must audit which features require proprietary licenses before committing to the self-hosted path.
4. Market Landscape
Proprietary Incumbents
- Google Analytics (GA4): The industry standard, but faces mounting legal challenges in the EU regarding cross-border data transfers and user privacy.
- Adobe Analytics: An enterprise-grade analytics suite with high TCO and complex implementation cycles; organizations switch to Matomo to reclaim data ownership and eliminate per-hit licensing costs.