The General Data Protection Regulation (GDPR) is a set of regulations that the European Union (EU) adopted to govern how organizations collect, store, process, share, and protect personal data in the EU.
Under the GDPR, a data processor is an entity that processes personal data on behalf of a data controller. MongoDB Atlas acts as a data processor when data controllers use MongoDB Atlas to store and manage personal data. In this context, you or your end customers are data controllers. A data subject is any individual whose personal data MongoDB processes on your behalf.
We understand that GDPR compliance is a shared responsibility between MongoDB Atlas, you, and your end customers. MongoDB Atlas provides multiple features that can support you with GDPR compliance.
Important
To learn more about MongoDB's privacy and data protection program, including information on our Data Processing Agreement, see:
Data Subject Rights
Under GDPR, data subjects have certain rights over their data. These include the rights to access their data, receive it in a usable format, correct inaccuracies, or request deletion when appropriate.
Right to Erasure
Under GDPR, the right to erasure, also known as the right to be forgotten, allows a data subject to request the deletion of their personal data.
The following MongoDB Atlas features support compliance in this area:
Guidance for Atlas Data Encryption including:
Data interaction including deletion.
Rights of Access, Portability, and Rectification Rights
The following MongoDB Atlas features support compliance in this area:
Ability to create, view, update, and delete documents.
Tools for managing your MongoDB Atlas clusters like the Atlas CLI
atlascommands.Ability to use MongoDB Drivers to find documents.
Data Retention
Under GDPR, personal data should generally be stored only for as long as it is needed to fulfill the purpose it was collected for.
The following MongoDB Atlas features support compliance in this area:
Backup policies including snapshot retention time settings.
Securing Personal Data
Under GDPR, data controllers and processors are expected to implement appropriate technical and organizational security measures to protect personal data. MongoDB Atlas can help you to do this through a range of security features, including the following features.
Encryption
Effective encryption is recognized as one of the most important means of securing personal data.
Data encryption including encryption in transit (TLS), encryption at rest (AES-256, BYOK, CMK, KMS, or TDE), and encryption in use (CSFLE, random encryption, or queryable encryption).
Access Control and Network Security
To help you implement strong access and authentication controls, and robust network security measures, see:
Authentication including UI, database, API, federated, AWS IAM roles, multi-factor, X.508 client certificates, SCRAM passwords, API keys, and secrets management.
Authorization including RBAC, pre-defined roles, federated identity providers, and just-in-time access.
Network Security including TLS, IP access lists, firewall configuration, private endpoints, and network isolation.
Alerting, Auditing, and Monitoring
To help you maintain a variety of audit logs and records of processing activities that track how personal data is accessed, used, modified, or shared, see:
Auditing including database auditing, filters, and events.
Incident Response
To help you maintain an incident response framework that enables you to identify, assess, and mitigate risks to personal data, see:
Third-Party Integrations including Datadog, Microsoft Teams, PagerDuty, Prometheus, and others.
High Availability and Resilience
To help you design systems with high availability and resilience to ensure that personal data remains accessible and recoverable, see:
High Availability including database replication and automatic failover.
Disaster Recovery including recovery point objectives (RPO) and recovery time objectives (RTO).