Privacy Hub

Our Commitment to Privacy

MongoDB is committed to protecting the privacy of our customers as well as anyone who interacts with us through our website or our events. This page provides data protection documentation and answers to frequently asked questions about how we comply with the GDPR and other privacy laws.

Privacy Documentation and Helpful Resources

Frequently Asked Questions

1. General Privacy Questions

1.1. How does MongoDB Atlas help customers comply with the GDPR, the CCPA, and other data protection laws?

Several MongoDB Atlas features support compliance with global data protection laws, including, for example:

Robust technical and organizational measures to protect personal data, which are enabled by default and regularly subject to external testing and validation;
The ability to readily retrieve, or delete data uploaded to Atlas if necessary to respond to a data subject request (DSR), without relying on assistance from MongoDB; and
Control over which cloud provider (AWS, Microsoft Azure, or Google Cloud) will host sensitive data stored in Atlas and the ability to select the cloud provider’s deployment region.

MongoDB has a Data Protection Officer (DPO), Chief Information Security Officer (CISO), and dedicated privacy and security teams to oversee MongoDB’s compliance with the GDPR and other applicable privacy laws when processing personal data on behalf of customers.

For additional information on our dedication to securing and protecting your data with strong technical controls, regulatory compliance, organizational standards, and processes, visit the MongoDB Trust Center.

1.2. To whom should I submit privacy-related questions?

If you have a privacy-related question related to the GDPR or other privacy laws that is not addressed in these FAQs, please submit your question to privacy@mongodb.com.

2. MongoDB’s Data Processing Agreement (DPA) for Customers

2.1. How can I request a signed copy of MongoDB’s DPA?

If you are a user of MongoDB cloud services (such as MongoDB Atlas), you already have a legally binding DPA with us. Our standard DPA is incorporated into our Cloud Terms of Service for self-serve customers. If you have signed an order form with MongoDB on our standard terms, our DPA is incorporated into your corresponding Cloud Subscription Agreement. Our DPA addresses a number of applicable privacy regulations, including the GDPR and CCPA.

2.2. What personal data does MongoDB’s DPA cover?

Our DPA covers any customer personal data for which we act as a “data processor”, as that term is defined under the GDPR. We act as a data processor for any personal data that customers upload to our cloud services (such as personal data stored in a MongoDB Atlas database). By default, MongoDB does not have visibility into the nature or categories of personal data that customers upload to our cloud services. For this reason, our DPA includes a broad description of the details of the processing in order to cover any customer use case.

MongoDB’s DPA does not cover personal data for which we act as a data controller. Under the GDPR, we act as data controller for personal data we receive from customers in connection with: (i) creating and administering accounts (e.g., customer usernames, contact information, or billing information); and (ii) providing any other customer service functions or support. MongoDB’s Privacy Policy covers any customer personal data for which we act as a data controller.

2.3. Does MongoDB’s DPA include Standard Contractual Clauses (SCCs)?

Schedule 1 of our DPA incorporates the 2021 EU SCCs, the 2022 United Kingdom international data transfer addendum, and certain modifications to the EU SCCs for purposes of the Swiss Federal Act on Data Protection.

3. Data Subject Requests (DSRs)

3.1. How does MongoDB help customers comply with data subject requests (DSRs) under the GDPR and other privacy laws?

Customers may retrieve, correct, or delete any personal data that they upload to MongoDB cloud services (such as MongoDB Atlas). MongoDB’s assistance is not required to comply with DSRs unless the customer requires technical support.

Please see Section 5 of the MongoDB Data Processing Agreement for additional information about how we help customers comply with DSRs.

3.2. How can I submit a DSR on my own behalf to MongoDB?

If you would like MongoDB to delete any personal data we hold about you, please submit your request here.

To exercise any other rights you may have as a data subject, please submit your request to privacy@mongodb.com.

4. Customer Data Transfers and Government Access Requests

4.1. Where does MongoDB store personal data it processes on behalf of cloud customers?

When acting as a data processor, MongoDB does not choose the physical geographic location where customer personal data is stored. Rather, customers who use MongoDB cloud services (such as MongoDB Atlas) must choose their preferred data hosting region, as well as their preferred cloud provider (Amazon Web Services, Microsoft Azure, or Google Cloud). The MongoDB Atlas documentation has more information on Cloud Providers and Regions.

For more information when MongoDB acts as a data processor, please see Question 2.2 above.

4.2. Does MongoDB transfer personal data it processes on behalf of cloud customers?

As explained above in Question 4.1, customers choose the geographic hosting location for any personal data they upload to MongoDB cloud services. Customers similarly control any data transfers that occur if they change their designated hosting locations.

The use of certain optional features of the cloud services may result in snippets of personal data captured in a customer’s query logs to transit outside of the customer’s designated hosting location. For example, the engagement of MongoDB’s 24-hour “follow the sun” support team could result in the data being transferred to a MongoDB affiliate in one or more of the following locations: United States, Ireland, Canada, Australia, Israel, France, India, Italy, Spain, or Argentina. Other optional tools in MongoDB Atlas require customer query log data to transit through our US-based servers. As our cloud services and features are constantly evolving, customers should contact their MongoDB sales representative for the most current information on when data transfers occur.

4.3. What supplemental measures does MongoDB offer to mitigate risks associated with data transfers subject to the GDPR?

MongoDB Atlas customers rely on the following supplemental measures in accordance with the European Data Protection Board’s Recommendations 01/2020 (adopted on June 18, 2021):

Technical measures, which enable a customer to:
- Prevent all MongoDB personnel, including privileged users, from accessing the customer's Atlas clusters (see Section 4.2.2 of our Technical & Organizational Security Measures for more information);
- Encrypt sensitive data in their Atlas clusters using Queryable Encryption or Client-Side Field Level Encryption, which ensures that no MongoDB employee (or third party) has access to those data fields outside the application environment in unencrypted form (see Section 3.2.3 of our Technical & Organizational Security Measures for more information).
Contractual measures, which obligate MongoDB to notify a customer if MongoDB receives a government request for the customer's personal data, unless the customer notification is prohibited (see Section 6 of our Data Processing Agreement for more information); and
Organizational measures, including, for example: (i) the involvement of MongoDB’s Data Protection Officer (DPO) and privacy team on all international data transfer matters, including any governmental access requests for customer personal data; (ii) the configuration of our internal systems according to the principle of least access on a strict need-to-know basis; and (iii) adherence to state-of-the-art data security policies as required by our SOC 2 Type II, ISO 27001, PCI-DSS, and HIPAA certifications (a complete list of our certifications and assessments is available here).

4.4. Does MongoDB issue transparency reports?

MongoDB does not currently issue transparency reports because we have never received a request under FISA or Executive Order 12333 for data that a customer has uploaded to our cloud services. If we do receive such a request, we will follow the procedure described in Section 6 of our Data Processing Agreement.

4.5. Can MongoDB provide transfer impact assessments (TIAs) to customers?

MongoDB is not positioned to conduct TIAs for personal data uploaded to our cloud services by our customers (for which data we act as data processor under the GDPR). As noted above in Questions 2.2 and 4.2, by default, we have limited visibility into the nature of the data our customers upload to our cloud services, and we do not control the timing, volume, frequency, or the particular data that is subject to any transfers. For these reasons, we lack most of the information that is essential to conduct a TIA with respect to our customers’ data. Nonetheless, we regularly help our customers conduct their own TIAs for personal data they upload to our cloud services. In particular, we contribute to "supplementary measures" analyses and offer our customers a range of supplemental measures for data transfers (please see Question 4.3 above for more detailed information).

4.6. Is MongoDB certified under the EU-US Data Privacy Framework?

MongoDB is certified to the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework. We will not rely on the UK Extension to the EU-US DPF until the date of entry into force of the UK's adequacy regulations implementing the data bridge for the UK Extension to the EU-US DPF. For additional details regarding the scope of our current certifications, please see our Data Privacy Framework Statement and our listing on the Data Privacy Framework Program website.