Frequently Asked Questions

Deep technical details, security controls, and operational breakdowns to help you understand how Fantomo protects your organization.

Deployment & Compatibility

How does the extension get deployed silently?

Fantomo is designed to deploy via native enterprise group policy controls or Mobile Device Management (MDM) platforms like Microsoft Intune, Jamf Pro, Kandji, Mosyle, and Fleet. By pushing a standard registry key (on Windows) or a property list (`.plist` or `.mobileconfig` on macOS), you instruct Chrome and Edge to download the extension silently from the official web stores and apply your tenant configuration policies instantly.

Can employees uninstall or disable the extension?

No. When deployed via MDM using `force_installed` or standard browser policy rules, Chromium-based browsers block users from accessing the toggle switches or uninstall buttons on the Extensions manager page. The extension remains active and cannot be tampered with.

What operating systems and browsers are supported?

We support Google Chrome and Microsoft Edge on macOS, Windows, and Linux. Since they are built on the Chromium open-source project, both browsers share identical Manifest V3 extension settings and enterprise policy injection schemas.

Security, Privacy & Compliance

How does Fantomo protect employee browsing privacy?

Unlike legacy web filter agents or secure gateways that route your company's network traffic through a third-party cloud, Fantomo evaluates policies entirely locally. Raw URL strings are not sent to our cloud. Instead, domain packs and policies are compiled into local Bloom Filters and FNV-1a hash maps. The extension performs checks locally and only reports telemetry when an active rule fires (e.g., triggering a warning or block page).
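The local lookup described above, sketched as an added example (not Fantomo's own code): a Bloom filter gives a fast definite miss, and an FNV-1a-keyed map confirms hits so Bloom false positives never produce a rule match. The domain pack, the second hash seed, the filter size and the telemetry event shape are assumptions.

```javascript
// Added example: constructed domain pack; all names here are hypothetical.
const FNV_OFFSET = 0x811c9dc5, FNV_PRIME = 0x01000193;

// 32-bit FNV-1a over the UTF-8 bytes of a string.
function fnv1a(str, seed = FNV_OFFSET) {
  let h = seed >>> 0;
  for (const b of new TextEncoder().encode(str)) h = Math.imul(h ^ b, FNV_PRIME) >>> 0;
  return h;
}

class BloomFilter {
  constructor(bits, hashes) {
    this.m = bits; this.k = hashes; this.data = new Uint8Array(Math.ceil(bits / 8));
  }
  // Double hashing: index_i = (h1 + i*h2) mod m. The second seed is an assumption.
  *indexes(key) {
    const h1 = fnv1a(key), h2 = (fnv1a(key, 0x9e3779b9) | 1) >>> 0;
    for (let i = 0; i < this.k; i++) yield (h1 + i * h2) % this.m;
  }
  add(key) { for (const i of this.indexes(key)) this.data[i >> 3] |= 1 << (i & 7); }
  mayContain(key) {
    for (const i of this.indexes(key)) if (!(this.data[i >> 3] & (1 << (i & 7)))) return false;
    return true;
  }
}

// entries: [[domain, action], ...] -> Bloom filter plus exact map keyed by FNV-1a hash.
function compilePack(entries) {
  const bloom = new BloomFilter(1024, 3), exact = new Map();
  for (const [domain, action] of entries) {
    const d = domain.toLowerCase(), h = fnv1a(d);
    bloom.add(d);
    exact.set(h, [...(exact.get(h) || []), { domain: d, action }]); // collision bucket
  }
  return { bloom, exact };
}

// Checks the hostname and each parent domain locally; telemetry exists only on a hit
// and carries the matched rule, not the URL.
function check(pack, url) {
  const labels = new URL(url).hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const c = labels.slice(i).join(".");
    if (!pack.bloom.mayContain(c)) continue;            // definite miss, skip the map
    const hit = (pack.exact.get(fnv1a(c)) || []).find(e => e.domain === c);
    if (hit) return { action: hit.action, telemetry: { rule: hit.domain, action: hit.action } };
  }
  return { action: "allow", telemetry: null };
}

const PACK = compilePack([["filesharing.example", "block"], ["genai.example", "warn"]]);
```

Matching walks parent domains on label boundaries, so `cdn.filesharing.example` hits the rule while `notfilesharing.example` does not.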

How are our database logs and tenant configurations isolated?

All customer logs, device mappings, and configurations are stored in PostgreSQL instances protected by strict Row-Level Security (RLS) rules. Every database session requires tenant-level verification, preventing any cross-tenant data leakage. We encrypt all data in transit (TLS 1.3) and at rest (AES-256).

Does Fantomo support SOC 2 or GDPR directives?

Yes. By executing rule checks locally and allowing you to set customizable log retention durations (from 30 days to 4 years), Fantomo makes it simple to align with GDPR's data minimization principles. We maintain secure, auditable access records to fulfill SOC 2 Type II requirements.

Performance & User Impact

Does the extension slow down web page loading speeds?

No. By using Manifest V3's non-blocking `declarativeNetRequest` matching rules, Chromium processes domain matches natively at the network layer without waking the extension's JavaScript. Local rule evaluation runs in less than 50 milliseconds, adding zero perceptible latency.

What is the memory and resource footprint?

The extension service worker operates entirely on-demand, running in the background only when rules sync or telemetry updates are queued. When active, it consumes less than 50 MB of RAM, compared with the hundreds of megabytes required by legacy endpoint security software.

Pricing & Billing

What counts as an active user?

We define an active user as any browser profile that successfully checks in and syncs policy settings with Fantomo servers at least once during a calendar month. If an employee is on vacation and does not open their browser during the month, they are not counted as active and you are not charged for them.

When does billing begin?

Your first 15 active user seats are free forever. Billing only triggers when your team has 16 or more active users in a given month. Volume discounts are automatically calculated in your monthly statements.

Directory Integration & Scoped Reporting

How does Fantomo synchronize with Google Workspace and Microsoft 365 directories?

Fantomo integrates directly with your Google Workspace or Microsoft 365 environments using secure OAuth 2.0 API connections. Once connected via the integrations panel, Fantomo synchronizes your organization's directory structure daily, including nested Organizational Units (OUs) and security groups (such as Google Groups and Microsoft 365 Groups), so that scoping options stay up to date.

How does hierarchical OU filtering work?

Fantomo supports multi-level nested Organizational Units (up to 5 levels deep). When you filter reports by a parent OU path (e.g., /Engineering), Fantomo automatically matches and aggregates data for users in all nested child OUs (e.g., /Engineering/QA and /Engineering/Frontend). You can also search and filter by specific sub-OUs directly using our searchable autocomplete picker.

Can we scope SaaS usage, web activity, and security alerts by directory groups?

Yes. Built-in scoped reporting allows administrators to filter every dashboard module—including browsing history, shadow IT discovery, telemetry map, active OAuth grants, security alerts, and offboarding workflows—by any synchronized Google Group or Microsoft 365 Group, making it easy to audit specific departments or teams.

Can we target policies and define exceptions using OUs and Groups?

Yes. When creating or editing Browser Alert Rules, you can target specific Google Workspace or Microsoft 365 Groups and OUs. Additionally, you can specify exceptions (exclusions) using the same scoping options. For example, you can enforce a block on generative AI tools for the entire organization but create an exception for members of an AI pilot group or the /Research OU path.
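The hierarchical OU matching and the target/exception scoping described in the answers above, as an added example (not Fantomo's own code). The rule and user object shapes, the sample directory, case-sensitive comparison and "exceptions win over targets" are assumptions; OU paths are compared segment by segment so that /Research does not also cover /ResearchOps.

```javascript
// Added example: constructed directory data; object shapes are hypothetical.
function ouSegments(path) { return path.split("/").filter(Boolean); }

// True when userOu is scopeOu itself or any nested child OU.
// Segment-wise comparison avoids the string-prefix bug where
// "/Engineering" would also match "/EngineeringOps".
function ouInScope(userOu, scopeOu) {
  const u = ouSegments(userOu), s = ouSegments(scopeOu);
  return s.length <= u.length && s.every((seg, i) => seg === u[i]);
}

// A scope matches through any listed OU path or any listed group.
function inScope(user, scope = {}) {
  const byOu = (scope.ous || []).some(ou => ouInScope(user.ou, ou));
  const byGroup = (scope.groups || []).some(g => user.groups.includes(g));
  return byOu || byGroup;
}

// A rule applies when the user is targeted and no exception covers them.
function ruleApplies(rule, user) {
  return inScope(user, rule.targets) && !inScope(user, rule.exceptions);
}

// Report filter: a parent OU aggregates rows from all nested child OUs.
function filterByOu(rows, parentOu) {
  return rows.filter(r => ouInScope(r.ou, parentOu));
}

// Block generative AI for the whole organization ("/"), except the
// AI pilot group and the /Research OU path.
const RULE = {
  name: "block-genai", action: "block",
  targets: { ous: ["/"] },
  exceptions: { ous: ["/Research"], groups: ["ai-pilot@corp.example"] },
};

const USERS = [
  { email: "a@corp.example", ou: "/Engineering/QA", groups: [] },
  { email: "b@corp.example", ou: "/Research/Labs", groups: [] },
  { email: "c@corp.example", ou: "/Sales", groups: ["ai-pilot@corp.example"] },
  { email: "d@corp.example", ou: "/ResearchOps", groups: [] },
];
```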