We’re committed to partnering with our customers and users to help them prepare for the General Data Protection Regulation (GDPR). The GDPR will go into effect on May 25, 2018.
Here is what we are doing to achieve GDPR compliance, and how customers can think about their own GDPR compliance when using our services.
Preparing for the GDPR
MongoDB is working across our organization to ensure that our products and services enable our customers to prepare themselves for GDPR. This includes:
- Continuing to build upon the security features in our product and the security posture of our enterprise and infrastructure
- Ensuring our contracts with our customers enable them to comply with the GDPR rules relating to appointing processors, and ensuring that our contracts with our own processors are compliant as well
- Continuing to support international data transfers by maintaining our Privacy Shield self-certifications, and by executing Standard Contractual Clauses with our customers as needed
- Providing extensive product features that enable security, resilience, data portability and data management, described in more detail here
- Continuing to monitor the guidance around GDPR compliance, and adjusting our plans accordingly if it changes
Security in the Cloud
MongoDB Atlas, the cloud database service for MongoDB, is security hardened by default.
Each MongoDB Atlas project is provisioned into its own VPC, isolating your data and underlying systems from those of other MongoDB Atlas users. Network encryption, storage volume encryption and access control are configured by default, and IP whitelists let you specify the IP address ranges from which access is granted. All security-specific updates to the operating system and database of the underlying instances are applied automatically by MongoDB engineers.
For deployments running in AWS, VPC Peering can be used to connect your application servers deployed to another AWS VPC directly to your MongoDB Atlas cluster using private IP addresses.
Read the MongoDB Atlas Security Controls white paper for more information about MongoDB Atlas security and data security.
MongoDB also pursues external testing and certifications regarding security. Service Organization Control (SOC) Reports are independent third-party examination reports that demonstrate how the MongoDB Atlas service achieves key compliance controls and objectives. The purpose of these reports is to help you and your auditors understand the controls established to support operations and compliance. A SOC 2 Type 1 Report: Security was completed on May 31st, 2017.
MongoDB Atlas infrastructure runs on top of Amazon Web Services, Microsoft Azure, and Google Cloud Platform; each cloud provider undergoes its own series of independent third-party audits on a regular basis.
- Learn more about cloud compliance on AWS
- Learn more about cloud compliance on Microsoft Azure
- Learn more about cloud compliance on Google Cloud Platform
Data Processing Terms
The terms of service applicable to our Cloud services automatically include data processing protections that satisfy the requirements that the GDPR imposes on data controllers’ relationships to data processors.
If you have questions about how these terms apply, please contact us at firstname.lastname@example.org.
International Data Transfers: Privacy Shield and Contractual Terms
To comply with E.U. data protection laws around international data transfer mechanisms, we are certified under the EU-U.S. Privacy Shield. You can view the certification here. The Privacy Shield frameworks were developed to establish a way for companies to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States. We can also enter into European Union Model Clauses, also known as Standard Contractual Clauses, to meet data transfer requirements for our customers who operate in the E.U.
We are committed to privacy and security. We will remain up to date on changes to relevant privacy laws and make changes to this page accordingly.
Please contact us at email@example.com to have a conversation with our Data Protection Officer.