Technical And Organizational Security Measures

For the Technical and Organizational Security Measures that apply to MongoDB Atlas, please click here.

These Technical and Organizational Security Measures (“Embedding Security Measures”) are incorporated into and form part of your applicable Agreement (the “Agreement”) with MongoDB with respect to your use of the embedding and reranking model services included in the Cloud Services. Any capitalized terms that are not defined in these Embedding Security Measures have the meaning provided in the Agreement.

1. Infrastructure Security Controls

Access management and authentication. Only authorized personnel may access encryption keys, databases, operating systems, firewalls, and the production network. Unique credentials or authorized Secure Socket Shell (SSH) keys are required to access systems, applications, and the production network, and such access is permitted only for business purposes.
Provisioning and revocation. Personnel access is added, modified, and removed through defined procedures that require approval based on job role and function. Termination checklists are completed to ensure access is revoked within defined time frames.
Network security and remote access. Remote access to production systems is limited to authorized personnel via an approved encrypted connection. Network segmentation is maintained to prevent unauthorized access to customer data. Firewalls are implemented and configured to block unauthorized access, firewall rulesets are reviewed at least annually with required changes tracked to completion, and network and system hardening standards are documented, and reviewed at least annually based on industry best practices.
Logging and monitoring. A log management tool is used to identify events that could impact security objectives, and an infrastructure monitoring tool tracks systems, infrastructure, and performance and generates alerts when predefined thresholds are met.

2. Organizational Security Controls

Workforce security and confidentiality. Contractors and employees sign confidentiality agreements. Background checks are performed for new employees, and employees complete security awareness training within thirty days of hire and at least annually thereafter.
Access governance and physical security. Passwords for in-scope system components are configured according to policy. A formal inventory of production system assets is maintained, portable media are encrypted when used, and anti-malware technology is deployed, updated routinely, logged, and installed on relevant systems. Visitors sign in, wear a visitor badge, and are escorted by authorized personnel in offices or other secure areas.
Service providers. Physical and environmental security protections for production servers hosted by third-party cloud providers are the responsibility of those providers. MongoDB monitors and reviews relevant attestation reports and risk analyses at least annually to ensure alignment with these Embedding Security Measures and industry best practices.

3. Product Security

Data protection. Datastores housing customer data are encrypted at rest. Secure transmission protocols are used to encrypt customer data when transmitted over public networks.
Testing and assurance. Requirements for vulnerability management and system monitoring are defined in formal policies. Control self-assessments are performed at least annually with corrective actions tracked, including any service-level commitments, and penetration testing is conducted at least annually with remediation implemented in accordance with defined timelines.

4. Internal Security Procedures

Change and configuration management. A configuration management procedure ensures consistent deployment of system configurations. Changes to software and infrastructure components are authorized, documented, tested, reviewed, and approved prior to production, and access to migrate changes to production is restricted to authorized personnel. A formal systems development life cycle (SDLC) governs development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements.
Governance and accountability. Responsibility for managing controls is recorded, and executive management is briefed at least annually on cybersecurity and privacy risk to provide feedback and direction. A risk management program identifies threats, assesses significance, and defines mitigation strategies.
Incident and physical access management. Security and privacy incident response policies and procedures are documented and communicated to authorized personnel. The incident response plan is reviewed at least annually, and incidents are logged, tracked, resolved, and communicated to relevant parties in accordance with policy. We maintain processes for granting, changing, and terminating physical access to physical premises and secure areas based on appropriate authorization.

Changes to MongoDB Cloud Terms of Service

Updated: June 24, 2021.

We updated the Cloud Terms of Service to clarify the terms and conditions that govern use of MongoDB’s Beta Offerings and to clarify each party’s responsibilities with respect to the security of the Cloud Services.

Updated: January 27, 2021.

We updated the Cloud Terms of Service to add Section 7(d) related to confidentiality of MongoDB Information.

Updated: December 22, 2020.

We moved the data processing terms from Section 4(b) of the Terms of Service into a separate MongoDB Data Processing Agreement, which is incorporated into the Terms of Service and is available at https://www.mongodb.com/legal/dpa.

Updated: November 4, 2020.

We updated the Terms of Service to provide customers the ability to purchase MongoDB Consulting Services under these Terms of Service.

Updated: July 20, 2020.

Use of the Cloud Services may involve transfers of Customer Personal Data outside of the European Union. We have appropriate safeguards in place for the processing of Customer Personal Data outside of the European Union, including the use of standard contractual clauses. If you elect to transfer Customer Personal Data to a Subprocessor outside of the European Union, you authorize us to apply standard contractual clauses with that Subprocessor.

Updated: June 1, 2020.

We updated the Terms of Service to: (1) clarify your and our respective obligations regarding the features and products offered as part of MongoDB Cloud Services; (2) consolidate the hyperlinks to our service level agreements for MongoDB Cloud Services; and (3) clarify your and our respective obligations regarding information that may be subject to subpoena or other legal process.

Updated: December 3, 2019.

We updated the Terms of Service to: (1) remove the language related to metadata collection and analysis, which is addressed in our Privacy Policy; (2) confirm that we are a service provider that does not retain, use, or disclose Customer Personal Data for any purpose other than providing the Cloud Services; (3) clarify our liability for our Subprocessors’ acts and omissions; (4) clarify your usage restrictions and our corresponding termination and suspension rights; and (5) clarify the scope of your reimbursement obligation for our responses to third party subpoenas.

Updated: September 10, 2019.

We updated Section 3 to include Payment Card Industry Data Security Standard terms.

Updated: June 6, 2019.

We updated the Terms of Service to: (1) reference the MongoDB Stitch SLA; (2) include terms specific to our Beta Offerings; (3) include terms for our new MongoDB Atlas self-serve support; (4) update and clarify the data processing terms included in Section 3; and (5) clarify the termination and suspension rights.

Updated: April 24, 2018.

Revised Section 3 to include GDPR-required data processing terms.

Updated: January 25, 2016.

We updated the Terms of Service to (1) make clear in paragraph 3 that we may use usage metadata to market products to our customers, and (2) make clear in paragraph 7(b) that customers cannot use Cloud Manager to manage a fork or derivative work of the MongoDB database.