GDPR

The GDPR is a European privacy law that became enforceable on May 25, 2018. The GDPR replaces the EU Data Protection Directive and is intended to reconcile data protection laws throughout the European Union (EU) by applying a single data protection law enforceable across every member state. The GDPR does the following:

• Regulates how businesses can collect, use, and store personal data
• Builds upon current documentation and reporting requirements to increase accountability
• Authorizes fines on businesses who fail to meet its requirements

The GDPR not only applies to organizations located within the EU, but also to organizations located outside of the EU that offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. The GDPR defines personal data to include any information relating to an identified or identifiable natural person.

MongoDB is working across our organization to ensure that our products and services enable our customers to comply with GDPR. This includes:

• Continuing to build upon the security features in our products and the security posture of our enterprise and infrastructure, described in more detail here
• Ensuring that contracts with our customers enable them to comply with the GDPR rules relating to appointing processors, and ensuring that our contracts with our own processors are compliant as well
• Continuing to support international data transfers by maintaining our Privacy Shield self-certifications, and by executing Standard Contractual Clauses with our customers as needed
• Continuously monitoring the guidance around GDPR compliance, and adjusting our plans accordingly

MongoDB Atlas, the cloud database service for MongoDB, is security hardened by default. Each MongoDB Atlas project is provisioned into its own VPC, thus isolating your data and underlying systems from other MongoDB Atlas users. Network encryption, storage volume encryption and access control are configured by default, and IP whitelists allow you to specify a specific range of IP addresses against which access will be granted. All security-specific updates to the operating system and database of the underlying instances are automatically applied by MongoDB engineers. For deployments running in AWS, VPC Peering can be used to connect your application servers deployed to another AWS VPC directly to your MongoDB Atlas cluster using private IP addresses.

Read the MongoDB Atlas Security Controls white paper for more information.

MongoDB also pursues external testing and certifications regarding security for Atlas. Visit the SOC 2 overview for more information.

MongoDB Atlas infrastructure runs on top of Amazon Web Services, Microsoft Azure, and Google Cloud Platform. Each cloud provider undergoes its own series of independent third-party audits on a regular basis.

• Learn more about cloud compliance on AWS
• Learn more about cloud compliance on Microsoft Azure
• Learn more about cloud compliance on Google Cloud Platform

The GDPR requires data controllers (such as organizations using MongoDB Atlas) to only use data processors (such as MongoDB) that provide sufficient guarantees to meet the requirements of GDPR Article 28. MongoDB’s terms of service applicable to MongoDB Atlas and MongoDB cloud services reflect the Article 28 requirements

The terms of service applicable to MongoDB Atlas and MongoDB cloud services automatically include data processing protections that satisfy the requirements that the GDPR imposes on data controllers with respect to data processors.

If you have questions about how these terms apply, please contact us at privacy@mongodb.com.

MongoDB Inc. is certified under the EU-US Privacy Shield, and MongoDB cloud services (including MongoDB Atlas) are covered under this certification. This helps customers who choose to transfer personal data from the EU to the US to meet their data protection obligations. MongoDB Inc.’s certification can be found on the EU-US Privacy Shield website here.

MongoDB can also enter into EU Model Clauses, also known as Standard Contractual Clauses, to meet data transfer requirements for our customers who operate in the EU. The Standard Contractual Clauses are standard terms that the European Commission has determined offer sufficient safeguards on data protection for the data to be transferred internationally.

Please contact us at privacy@mongodb.com to have a conversation with our Data Protection Officer.