MongoDB Cloud Services
Compliance and Privacy

MongoDB Cloud Services have been independently audited and confirmed to meet privacy and compliance standards that test for data safety, privacy, and security. MongoDB, Inc. is committed to the highest levels of trust, transparency, standards conformance, and regulatory compliance. Our suite of cloud services are built from the ground up to address the most rigorous security and privacy demands of our customers.

SOC

MongoDB has completed its SOC 2 Type II report on MongoDB Atlas.

The American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC) are an auditing series (Statement on Standards for Attestation Engagements) designed to help measure how well a given service provider secures data.


They primarily are an American standard that mirror the International Standard on Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization, issued by the International Auditing and Assurance Standards Board (IAASB) part of the International Federation of Accountants (IFAC).

A SOC-certified organization has been audited by an independent certified public accountant (CPA) who determined security and privacy safeguards and procedures are adequate.

SOC 2 reports require standard operating procedures for organizational oversight, vendor management, risk management, and regulatory oversight. Its framework uses five key sections called Trust Services Principles (TSP) for a service provider system:

  1. Security
  2. Processing integrity
  3. Availability
  4. Privacy of personal information the service provider collects, retains, uses, discloses and disposes of for user entities Confidentiality of information the service provider’s system processes or maintains for user entities

The SOC 2 report also comes in two formats:

  • Type I: policies and procedures are in operation at a specific moment in time
  • Type II: policies and procedures are operated over a specified time period, given a minimum of six months

At the conclusion of a SOC 2 Type II audit, the service auditor renders an opinion, which describes a service provider system and assesses fairness in description of its controls. It also evaluates the suitability of the design and the operating effectiveness of controls over a period of time.

MongoDB covered cloud services are audited at least annually against the SOC reporting framework by independent third-party CPAs. The audit for MongoDB cloud services covers controls for data security as applicable to in-scope trust principles for each service.

Availability of the SOC 2 report is restricted to customers who have signed nondisclosure agreements with MongoDB.

EU-U.S. Privacy Shield

The EU-U.S. Privacy Shield is a legal mechanism designed by the U.S. Department of Commerce and the European Commission that enables transfers of personal data from the EU to the United States. MongoDB complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States.

To learn more about the Privacy Shield program, and to view our certification, click here.

MongoDB’s participation in the Privacy Shield applies to all personal data that is processed as part of MongoDB’s cloud-based services and is received from the European Union and European Economic Area. MongoDB will comply with the Privacy Shield Principles in respect of such personal data.

We encourage you to contact us should you have a Privacy Shield-related (or general privacy-related) question.


MongoDB Cloud Services run on top of Amazon Web Services, Microsoft Azure, and Google Cloud Platform; each cloud provider undergoes its own series of independent third-party audits on a regular basis.