Auth0 General Data Protection Regulation Compliance
On 27 April 2016, the European Parliament and the European Council adopted legislation known as General Data Protection Regulation (GDPR), which became enforceable 25 May 2018. This legislation replaces European Privacy Directive 95/46/EC.
GDPR is intended to unify and strengthen data privacy for individuals located in the European Union (EU). GDPR also extends the applicability of EU data privacy legislation to non-EU companies who store or process data on EU residents and increases the fines that may be levied against companies who are responsible for preventing breaches of personal data or who violate GDPR requirements.
The contents of these documents are not intended to be legal advice, nor should they be considered a substitute for legal assistance. The final responsibility for understanding and complying with GDPR resides with you, though Auth0 will assist you in meeting GDPR requirements where possible.
To learn more about GDPR, read the Complete Guide to GDPR Compliance on gdpr.eu.
Definitions
Here are the definitions used for Auth0's GDPR documentation:
| Term | Definition |
|---|---|
| Subject | An individual/natural person |
| Data Controller | The entity that collects and processes data on subjects (read GDPR for exact definition) |
| Data Processor | The entity that processes data on behalf of a data controller (read GDPR for exact definition) |
| Personal Data | Data that can be used to identify (directly or indirectly) a subject, particularly via reference to an identifier (such as a name, identification number, location data, or online identifier), or to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person |
| Sensitive Personal Data | Personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership; genetic data or biometric data |
| Auth0 Subprocessors | Third party systems to which Auth0 provides personal data |
GDPR summary
Applicability
GDPR applies to a wide scope of territory including non-EU based services/companies that possess data on EU residents.
Notifications and consent
Before you collect personal data from your end users, you must obtain their consent to do so. When requesting consent, your notifications must:
Be clear and easy to understand
State the purpose of the data involved and how it will be processed
You must also:
Explicitly request consent
Make it as easy for your end-user to revoke their consent as it is to grant consent
Rights of individuals
Your end users, as individuals, have the right to:
See the data the company has about them
Know how their data will be processed or used
Be forgotten (the individual may ask the controller of their data to erase the data in question, cease disseminating the data, or halt further data processing)
Portability (the individual can ask for their data in a standard, machine-readable format and can transmit their data to another data controller)
Not be subjected to automatic decision making (a process typically called profiling)
Privacy by design and privacy by default
As the data controller, you must design your app to abide by both privacy by design and privacy by default principles.
Privacy by design means that each new implementation that uses personal data must take the protection of such data into consideration.
Privacy by default means that the strictest privacy settings automatically apply once the end user acquires a new product or service (that is, without any manual change required on the part of the user).
Requirements for data processors and controllers
As the data controller, you must:
Do due diligence to ensure that your data processors provide adequate protection of provided data
Auth0, as the data processor, must:
Comply with instructions provided by data controllers
Maintain adequate documentation
Implement adequate security
Conduct data protection impact assessments
Appoint a data protection officer or establish a privacy office
Comply with rules on international data transfers
Agree to and sign a written data processing agreement that meets GDPR requirements
Enforcement
GDPR mandates that data controllers release notifications regarding data breaches within 72 hours of the incident
Fines for non-compliance are much higher and are determined using a tiered system
Supervisory authorities in the European Union have greater investigative powers
Organizations controlling data must appoint a Data Protection Officer, while organizations processing data should have a Data Privacy Office
Roles and responsibilities under GDPR
Auth0 customers are data controllers. Auth0 is a data processor.
Personal data handled by Auth0
Auth0 handles end-user data present in user profiles, including metadata.
Data controller (customer) responsibilities
Ultimately, you, as the data controller, are responsible for GDPR compliance, which mostly consists of operational procedures and documentation.
More specifically, the customer is responsible for:
End-user notification, consent, and withdrawal of consent
Deciding what data they expose to Auth0
Deciding what connections (where end user data and passwords reside) to use
Signing up and, if necessary, creating new users
Ensuring their users meet the age requirements and obtaining the appropriate consent if necessary (such as parental consent for children)
Implementing the mechanisms necessary for their end users to retrieve, review, correct, or remove personal data
Deleting user data after receiving right-to-be-forgotten requests
Providing data in standardized formats
Responding to their end users' privacy-related requests (DSAR)
Responding to communications from the European Union Data Privacy Authorities
Data breach notifications sent to supervisory authorities and end users (Auth0 will assist the customer and provide the necessary information if we are involved)
Selecting an EU tenant when setting up their Auth0 tenants
The customer is the party that's responsible for the security of their data. Auth0 has no knowledge of how the customer processes data, configures their applications, and so on.
Data processor (Auth0) responsibilities
Auth0 is responsible for:
Following the data processor's instructions as explicated in the Subscription Agreement (SA) and Data Processing Addendum (DPA) (for enterprise customers) or Terms of Service (for self-service customers)
Notifying the customer if it receives requests from the customer's end users exercising their GDPR rights as subjects for data access, erasure, and so on
Notifying the customer if it receives requests from EU Data Privacy Authorities (unless prohibited by law enforcement)
Notifying the customer if it becomes aware of a confirmed security breach
Notifying the customer if any of its sub-processors notify Auth0 about a confirmed data breach that impacts Auth0 customer data (unless prohibited by law enforcement)
Providing a privacy policy, terms of service, security statement, data protection agreement, and so on, to provide info on its policies and practices
Providing information about its data processing, so that customer has info it needs to process data lawfully
Defining its services and features, how data is processed, and the rights and obligations of customers
Providing the means to enable customers to retrieve, review, correct, or delete customer data via the Auth0 Dashboard and the Auth0 Management API
Providing a mechanism for customers to display consent terms and a consent agreement checkbox on the Lock widget. Customers can also design custom signup and login forms if more elaborate consent schemes are needed
Auth0 data processing
Data Auth0 possesses
All of the data Auth0 has about an end user is located in the Auth0 user profile. The specific attributes contained in the user profile vary based on customer implementation and are based on a number of factors, such as connection type, user consent during the authentication flow, and whether you've augmented the user profiles with additional information.
When Auth0 data is stored
The Auth0 user profile information is stored in Auth0 when you use a database connection. If a user logs in using any other type of connection (including custom database connections), Auth0 stores information provided by the external identity provider for future queries.
How Auth0 uses the data it stores
The personal data stored in Auth0 is used only for the purposes of providing its services, namely authenticating users
What happens to data when an end user's account is deleted
When an end user's account is deleted, their user profile, included metadata, is removed.
Auth0 features aiding GDPR compliance
Here is a list of GDPR regulations and how Auth0 can help you comply with them.
Conditions for consent
According to Article 7 of GDPR, you must:
Ask users to consent on the processing of their personal data in a clear and easily accessible form
Be able to show that the user has consented, and
Provide an easy way to withdraw consent at any time
You can use Auth0 to ask your users for consent upon signup (using either Lock or a custom form) and save this information at the user profile. You can later update this information using the Management API. To learn more, read GDPR: Conditions for Consent.
Right to access, correct, and erase data
According to Articles 15, 16, 17, and 19 of GDPR, users have the right to:
Get a copy of their personal data you are processing
Ask for rectifications if they are inaccurate, and
Ask you to delete their personal data
With Auth0, you can access, edit, and delete user information, either manually or using our API. To learn more, read GDPR: Right to Access, Correct, and Erase Data.
Data minimization
According to Article 5 of GDPR:
The personal data you collect must be limited to what is necessary for processing
Must be kept only as long as needed, and
Appropriate security must be ensured during data processing, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage
There are several Auth0 features than can help you achieve these goals, like account linking, user profile encryption, and more. To learn more, read GDPR: Data Minimization.
Data portability
According to Article 20 of GDPR, users have the right to receive the personal data concerning them in a structured, commonly used and machine-readable format.
You can export user data, stored in the Auth0 user store, either manually or programmatically. Raw data from Auth0 can be exported in JSON format (which is machine-readable). To learn more, read GDPR: Data Portability.
Protect and secure user data
According to Article 32 of GDPR, you must implement appropriate measures to ensure a level of security, including (but not limited to):
data encryption
ongoing confidentiality
data integrity, and
availability and resilience of processing systems and services
There are several Auth0 features than can help you meet this requirement, like user profile encryption, brute-force protection, breached password detection, step-up authentication, and more. To learn more, read GDPR: Protect and Secure User Data.
Security advice
Auth0 recommends the following practices to help ensure the security of your end users data and minimize the probability of a data breach:
Protect client secrets and keys
Protect Management Dashboard credentials, and require multi-factor authentication for access to the Dashboard
Review the list of administrators for the Dashboard on a regular basis and remove outdated entries
Review the list of connections and applications associated with your Auth0 tenants and remove outdated entries
Ensure that Dashboard administrators use corporate credentials that can be easily revoked if necessary, not personal credentials such as a personal email account
Remove accounts for terminated employees promptly
Ensure that administrators use devices with mandatory screen locking
Provide regular training to all Dashboard administrators and developers on security and privacy best practices
Make sure that you monitor any log streaming solution you use to send log data to logging tools with reporting capability.