{New}  See what’s new with MongoDB 6.0 — and why you’ll want to upgrade today >>

MongoDB Vendor Data Processing Agreement

Data Processing Agreement


"Contractor" or "you"


"MongoDB" or "Customer"


Agreement means the master service agreement (or other applicable agreement) and any order form between Contractor and Customer.

Customer Data means any personal data that Contractor processes on behalf of Customer in the course of providing the Services.

Data Protection Legislation means the General Data Protection Regulation ((EU) 2016/679) (the GDPR) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the European Union, Switzerland and/or the United Kingdom and, to the extent applicable, the data protection or privacy laws of any other country.

Services means the services specified in the Agreement provided by Contractor.

The terms “data subject”, "personal data", "controller", "processor" and "processing" shall have the meaning given to them in the Data Protection Legislation.


1.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 1.1 is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation.

1.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Contractor is the data processor to MongoDB, who may act as a data controller or processor. Schedule 1 sets out the subject matter, duration, nature and purpose of processing by Contractor.

1.3 Customer discloses Customer Data to Contractor solely for Contractor to provide the Services. Contractor will not sell Customer Data and will not retain, use, or disclose Customer Data (a) for any purpose other than providing the Services, or (b) outside of the direct business relationship between the parties. Contractor understands the restrictions in this paragraph and will comply with them.

1.4 Without prejudice to the generality of clause 1.1, Customer will ensure that it has all necessary and appropriate consents and notices in place to enable lawful transfer of Customer Data to Contractor for the duration and purposes of this Data Processing Agreement (DPA) and the Agreement.

1.5 Without prejudice to the generality of clause 1.1, Contractor shall, in relation to any Customer Data processed in connection with the performance by Contractor of its obligations under this DPA:

(a)   process that Customer Data only for the purposes described in this DPA and in accordance with the written instructions of Customer, except where otherwise required by the laws of any member state of the European Union or by the laws of the European Union, Switzerland, the United Kingdom or any other state or territory having jurisdiction over Contractor (Applicable Law). Where Contractor is relying on Applicable Law as the basis for processing Customer Data, Contractor shall promptly notify Customer of this before performing the processing required by Applicable Law unless such Applicable Law prohibits Contractor from so notifying Customer. The parties agree that the Agreement and this DPA sets out Customer’s complete instructions to Contractor in relation to the processing of Customer Data unless Customer provides further instructions in writing after the effective date of this DPA;

(b)   ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Customer Data and against accidental loss or destruction of, or damage to, Customer Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, and having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Customer Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Customer Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);

(c)   ensure that all personnel who have access to and/or process Customer Data are obliged to keep all such Customer Data confidential; and

(d)   not transfer any Customer Data outside of the European Economic Area or the United Kingdom unless the prior written consent of Customer has been obtained and the following conditions are fulfilled:

(i) Customer or Contractor has provided appropriate safeguards in relation to the transfer;

(ii) all affected data subjects have enforceable rights and effective legal remedies;

(iii) Contractor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Customer Data that is transferred;

(iv) Contractor complies with reasonable instructions notified to it in advance by Customer with respect to the processing of Customer Data; and

(v) in any case, whenever Contractor is a processor and MongoDB is a controller of Customer Data, Contractor shall process Customer Data in compliance with Standard Contractual Clauses (SCCs) under Article 46 of the GDPR, including such accompanying exhibits or annexes as MongoDB may reasonably require. Contractor hereby agrees to execute SCCs upon entering into this DPA, and such SCCs shall be incorporated by reference into this DPA. MongoDB is the "data exporter" and Contractor is the "data importer" under the SCCs.

(e) assist Customer in responding to any request from a data subject and in ensuring compliance with its obligations under Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

(f) notify Customer without undue delay on, and in no event more than 72 hours after, becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data;

(g) at the written direction of Customer, delete or return Customer Data and all copies thereof to Customer promptly following the termination of this DPA, unless Contractor is required by Applicable Law to continue to store Customer Data; and

(h) maintain complete and accurate records and information sufficient to demonstrate its compliance with this DPA and allow for audits by Customer or Customer’s designated auditor. Customer will promptly notify Contractor with information regarding any non-compliance discovered during the course of an audit, and Contractor will use commercially reasonable efforts to address any confirmed non-compliance.

(i) if Contractor receives a request or demand to disclose Customer Data to any third party, including law enforcement or a government authority (each a Third-Party Demand), attempt to redirect such Third-Party Demand to Customer. If Contractor cannot redirect the Third-Party Demand, to the extent legally permitted, Contractor will promptly notify Customer of the Third-Party Demand to allow Customer to seek a protective order or other appropriate remedy.

1.6 Customer consents to Contractor appointing third-party processors (each a Subprocessor) of Customer Data under this DPA solely to enable Contractor to provide the Services. Contractor confirms that it has entered with any Subprocessor into a written agreement incorporating terms which are substantially the same as those set out in this DPA. As between Customer and Contractor, Contractor shall remain fully liable for all acts or omissions of any Subprocessor appointed by it pursuant to this clause. Contractor shall give Customer no fewer than 30 days’ prior written notice of the appointment of any new Subprocessor, including full details of the processing to be undertaken by such Subprocessor. If, within seven calendar days of receipt of that notice, Customer notifies Contractor in writing of any objections (on reasonable grounds) to the proposed appointment, Contractor will not appoint such Subprocessor to process Customer Data.




The subject matter of the data processing under this DPA is Customer Data.


Contractor will process Customer Data to provide the Services, solely for the following purposes: (i) processing to perform the Services in accordance with the Agreement; (ii) processing initiated by Customer in its use of the Services; and (ii) processing to comply with any other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement.


The duration of the processing under this DPA, and the term of this DPA, is until the expiration or termination of the Agreement in accordance with its terms.


Customer Data includes any personal data that Customer provides to Contractor via its use of the Services or otherwise.