Privacy Hub
Frequently Asked Questions
1. General Privacy Questions
Several MongoDB Atlas features support compliance with global data protection laws, including, for example:
- Robust technical and organizational measures to protect personal data, which are enabled by default and regularly subject to external testing and validation;
- The ability to readily retrieve, or delete data uploaded to Atlas if necessary to respond to a data subject request (DSR), without relying on assistance from MongoDB; and
- Control over which cloud provider (AWS, Microsoft Azure, or Google Cloud) will host sensitive data stored in Atlas and the ability to select the cloud provider’s deployment region.
MongoDB has a Data Protection Officer (DPO), Chief Information Security Officer (CISO), and dedicated privacy and security teams to oversee MongoDB’s compliance with the GDPR and other applicable privacy laws when processing personal data on behalf of customers.
For additional information on our dedication to securing and protecting your data with strong technical controls, regulatory compliance, organizational standards, and processes, visit the MongoDB Trust Center.
Customers and prospects may request compliance documentation such as MongoDB’s SOC2 Report, penetration test summary letter and ISO certifications through our Customer Trust Portal.
If you have a privacy-related question related to the GDPR or other privacy laws that is not addressed in these FAQs, please submit your question to privacy@mongodb.com.
2. MongoDB’s Data Processing Agreement (DPA) for Customers
If you are a user of MongoDB cloud services (such as MongoDB Atlas), you already have a legally binding DPA with us. Our standard DPA is incorporated into our Cloud Terms of Service for self-serve customers. If you have signed an order form with MongoDB on our standard terms, our DPA is incorporated into your corresponding Cloud Subscription Agreement. Our DPA addresses a number of applicable privacy regulations, including the GDPR and CCPA.
Our DPA covers any customer personal data for which we act as a “data processor”, as that term is defined under the GDPR. We act as a data processor for any personal data that customers upload to our cloud services (such as personal data stored in a MongoDB Atlas database). By default, MongoDB does not have visibility into the nature or categories of personal data that customers upload to our cloud services. For this reason, our DPA includes a broad description of the details of the processing in order to cover any customer use case.
MongoDB’s DPA does not cover personal data for which we act as a data controller. Under the GDPR, we act as data controller for personal data we receive from customers in connection with: (i) creating and administering accounts (e.g., customer usernames, contact information, or billing information); and (ii) providing any other customer service functions or support. MongoDB’s Privacy Policy covers any customer personal data for which we act as a data controller.
Schedule 1 of our DPA incorporates the 2021 EU SCCs, the 2022 United Kingdom international data transfer addendum, and certain modifications to the EU SCCs for purposes of the Swiss Federal Act on Data Protection.
We do not provide certificates of deletion. However, as explained in Section 3.1 of our Technical and Organizational Security Measures, personal data that you upload to MongoDB Atlas is physically stored by the cloud provider of your choice (AWS, Azure, or GCP). The storage mechanism is an encrypted disk volume. When you terminate a project in Atlas, each cluster node's Volume Encryption Key is securely erased, which satisfies the requirements for secure purging of data under the NIST Cyber Security Framework (see NIST SP 800-88). For more information on the use of encryption keys in Atlas, see the MongoDB Atlas Security Whitepaper.
3. Data Subject Requests (DSRs)
Customers may retrieve, correct, or delete any personal data that they upload to MongoDB cloud services (such as MongoDB Atlas). MongoDB’s assistance is not required to comply with DSRs unless the customer requires technical support.
Please see Section 5 of the MongoDB Data Processing Agreement for additional information about how we help customers comply with DSRs.
If you would like MongoDB to delete any personal data we hold about you, please submit your request here.
To exercise any other rights you may have as a data subject, please submit your request to privacy@mongodb.com.
4. Customer Data Transfers and Government Access Requests
When acting as a data processor, MongoDB does not choose the physical geographic location where customer personal data is stored. Rather, customers who use MongoDB cloud services (such as MongoDB Atlas) must choose their preferred data hosting region, as well as their preferred cloud provider (Amazon Web Services, Microsoft Azure, or Google Cloud). The MongoDB Atlas documentation has more information on Cloud Providers and Regions.
For more information when MongoDB acts as a data processor, please see Question 2.2 above.
As explained above in Question 4.1, customers choose the geographic hosting location for any personal data they upload to MongoDB cloud services. Customers similarly control any data transfers that occur if they change their designated hosting locations.
The use of certain optional features of the cloud services may result in snippets of personal data captured in a customer’s query logs to transit outside of the customer’s designated hosting location. For example, the engagement of MongoDB’s 24-hour “follow the sun” support team could result in the data being transferred to a MongoDB affiliate in one or more of the following locations: United States, Ireland, Canada, Australia, Israel, France, India, Italy, Spain, Poland, Germany, United Kingdom, Singapore, or Brazil. Other optional tools in MongoDB Atlas require customer query log data to transit through our US-based servers. As our cloud services and features are constantly evolving, customers should contact their MongoDB sales representative for the most current information on when data transfers occur.
MongoDB Atlas customers rely on the following supplemental measures in accordance with the European Data Protection Board’s Recommendations 01/2020 (adopted on June 18, 2021):
- Technical measures, which enable a customer to:
- Prevent all MongoDB personnel, including privileged users, from accessing the customer's Atlas clusters (see Section 4.2.2 of our Technical & Organizational Security Measures for more information);
- Encrypt sensitive data in their Atlas clusters using Queryable Encryption or Client-Side Field Level Encryption, which ensures that no MongoDB employee (or third party) has access to those data fields outside the application environment in unencrypted form (see Section 3.2.3 of our Technical & Organizational Security Measures for more information).
- Contractual measures, which obligate MongoDB to notify a customer if MongoDB receives a government request for the customer's personal data, unless the customer notification is prohibited (see Section 6 of our Data Processing Agreement; and
- Organizational measures, including, for example: (i) the involvement of MongoDB’s Data Protection Officer (DPO) and privacy team on all international data transfer matters, including any governmental access requests for customer personal data; (ii) the configuration of our internal systems according to the principle of least access on a strict need-to-know basis; and (iii) adherence to state-of-the-art data security policies as required by our SOC 2 Type II, ISO 27001, PCI-DSS, and HIPAA certifications (a complete list of our certifications and assessments is available here).
MongoDB does not currently issue transparency reports because we have never received a request under FISA or Executive Order 12333 for data that a customer has uploaded to our cloud services. If we do receive such a request, we will follow the procedure described in Section 6 of our Data Processing Agreement.
MongoDB is not positioned to conduct TIAs for personal data uploaded to our cloud services by our customers (for which data we act as data processor under the GDPR). As noted above in Questions 2.2 and 4.2, by default, we have limited visibility into the nature of the data our customers upload to our cloud services, and we do not control the timing, volume, frequency, or the particular data that is subject to any transfers. For these reasons, we lack most of the information that is essential to conduct a TIA with respect to our customers’ data. Nonetheless, we regularly help our customers conduct their own TIAs for personal data they upload to our cloud services. In particular, we contribute to "supplementary measures" analyses and offer our customers a range of supplemental measures for data transfers (please see Question 4.3 above for more detailed information).
MongoDB is certified to the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework. For additional details regarding the scope of our current certifications, please see our Data Privacy Framework Statement and our listing on the Data Privacy Framework Program website.