Auth0 General Data Protection Regulation Compliance
On 27 April 2016, the European Parliament and the European Council adopted legislation known as General Data Protection Regulation (GDPR), which became enforceable on 25 May 2018. This legislation replaces the European Privacy Directive 95/46/EC.
The GDPR aims to unify and strengthen the data protection rights of individuals located in the European Union (EU). It also extends the applicability of EU data protection legislation to non-EU companies that store or process personal data of individuals located in the EU and increases the fines that may be levied against companies that violate GDPR requirements.
Definitions
Here are the definitions used for Auth0’s GDPR documentation:| Term | Definition |
|---|---|
| Data Subject | An individual/natural person |
| Data Controller | The entity that collects and processes personal data of data subjects (read GDPR for exact definition) |
| Data Processor | The entity that collects and processes personal data on behalf of a data controller (read GDPR for exact definition) |
| Personal Data | Data that can be used to identify (directly or indirectly) a subject, particularly via reference to an identifier (such as a name, identification number, location data, or online identifier), or to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person |
| Sensitive Personal Data | Personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership; genetic data or biometric data |
| Auth0 Sub-processors | Third party systems to which Auth0 shared Personal Data (contained within Customer Data), as defined in the MSA for the provision of the Service. |
GDPR summary
Applicability
The GDPR has a broad scope of application. It applies to a wide range of companies, including non-EU-based services/companies that process personal data of individuals located in the European Union, or to companies that monitor the behavior of individuals located in the European Union.Notifications and consent
Before you collect personal data from your end-users, you must have a legal basis to process personal data. For example, you can rely on consent to do so. When requesting consent, your notification must:- Be clear and easy to understand
- State the purpose of the processing of personal data and how it will be processed
- Explicitly request consent for certain processing activities
- Have a mechanism that makes it as easy for your end-user to revoke their consent as it is to grant consent
Rights of individuals
Your end users, as individuals, have the right to:- Access the personal data the company has about them
- Know how their personal data will be processed or used
- Delete their personal data or “ to be forgotten” (the individual may ask the controller of their data to erase the personal data in question, cease disseminating the data, or halt further data processing)
- Portability (the individual can ask for their personal data to be retrieved in a standard, machine-readable format and can transmit their data to another data controller)
- Not be subject to automatic decision-making (a process typically called profiling)
Privacy by design and privacy by default
Privacy by design means that each new implementation that uses personal data must take the protection of such personal data into consideration. Privacy by default means that the strictest privacy settings automatically apply once the end-user acquires a new product or service (that is, without any manual change required on the part of the user).Requirements for data processors and controllers
As the data controller, you must:- Do due diligence to ensure that your data processors provide adequate protection of provided personal data
- Comply with instructions provided by data controllers
- Implement adequate security
Enforcement
- The GDPR mandates that data controllers release notifications regarding data breaches without undue delay and in any case within 72 hours of becoming aware the incident if certain conditions are met
- Fines for non-compliance are much higher
- Supervisory authorities in the European Union have greater investigative powers
- Data controllers and data processors must appoint a Data Protection Officer if they meet certain requirements under the GDPR.
Roles and responsibilities under GDPR
Generally speaking**,** Auth0 (Okta) customers are data controllers, and Auth0 (Okta) is a data processor.Personal data handled by Auth0
Auth0 handles end-user data present in user profiles, including metadata.Data controller (customer) responsibilities
More specifically, the customer is responsible for:- End-user notification and consent and withdrawal of consent (where required)
- Deciding what Personal Data they expose to Auth0
- Deciding what connections (where end-user data and passwords reside) to use
- Signing up and, if necessary, creating new users
- Ensuring their users meet the age requirements and obtaining the appropriate consent if necessary (such as parental consent for children)
- Implementing the mechanisms necessary for their end-users to retrieve, review, correct, or remove personal data
- Responding to their end-users’ data subject rights requests (DSARs)
- Responding to communications from Supervisory Authorities
- Sending Data breach notifications to Supervisory Authorities and end users when certain thresholds are met (Auth0 will assist the customer and provide the necessary information if necessary)
Data processor (Auth0) responsibilities
Auth0 is responsible for:- Following the data controller’s instructions as determined in the Subscription Agreement (SA) and Data Processing Addendum (DPA) (for enterprise customers) or Terms of Service (for self-service customers)
- Assisting the customer if it receives requests from the customer’s end users exercising their GDPR rights. Notifying the customer if it receives requests from Supervisory Authorities related to the processing of Personal Data (unless prohibited by law)
- Notifying the customer if it becomes aware of a confirmed data breach that compromises Customer Data
- Notifying the customer if any of its Sub-processors notify Auth0 about a confirmed data breach that impacts Auth0’s Customer Data (unless prohibited by law)
- Providing the means to enable customers to retrieve, review, correct, or delete customer data via the and the Auth0
- Providing a mechanism for customers to display consent terms and a consent agreement checkbox on the Lock widget. Customers can also design custom signup and login forms if more elaborate consent schemes are needed
Auth0 data processing
Data Auth0 possesses
All of the data Auth0 has about an end-user is located in the Auth0 user profile. The specific attributes contained in the user profile vary based on customer configuration and implementation and are based on a number of factors, such as connection type, user consent during the authentication flow, and whether you’ve augmented the user profiles with additional information.When Auth0 data is stored
The Auth0 user profile information is stored in Auth0 when you use a database connection. If a user logs in using any other type of connection (including custom database connections), Auth0 stores information provided by the external for future queries.How Auth0 uses the data it stores
The Personal Data stored in Auth0 is used only for the purposes of providing its services, namely authenticating users.What happens to data when an end user’s account is deleted
When an end user’s account is deleted, their user profile, included metadata, is removed.Auth0 features aiding GDPR compliance
Here is a list of GDPR regulations and how Auth0 can help you comply with them.Conditions for consent
According to Article 7 of GDPR, you must:- Ask users to consent on the processing of their personal data in a clear and easily accessible form
- Be able to show that the user has consented, and
- Provide an easy way to withdraw consent at any time
Right to access, correct, and erase data
According to Articles 15, 16, 17, and 19 of GDPR, users have the right to:- Get a copy of their personal data you are processing
- Ask for rectifications if they are inaccurate, and
- Ask you to delete their personal data
Data minimization
According to Article 5 of GDPR:- The personal data you collect must be limited to what is necessary for processing
- Must be kept only as long as needed, and
- Appropriate security must be ensured during data processing, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage
Data portability
According to Article 20 of GDPR, users have the right to receive the personal data concerning them in a structured, commonly used and machine-readable format. You can export user data, stored in the Auth0 user store, either manually or programmatically. Raw data from Auth0 can be exported in JSON format (which is machine-readable). To learn more, read GDPR: Data Portability.Protect and secure user data
According to Article 32 of GDPR, you must implement appropriate measures to ensure a level of security, including (but not limited to):- data encryption
- ongoing confidentiality
- data integrity, and
- availability and resilience of processing systems and services
Security advice
Auth0 recommends the following practices to help ensure the security of your end users data and minimize the probability of a data breach:- Protect and keys
- Protect Management Dashboard credentials, and require for access to the Dashboard
- Review the list of administrators for the Dashboard on a regular basis and remove outdated entries
- Review the list of connections and applications associated with your Auth0 tenants and remove outdated entries
- Ensure that Dashboard administrators use corporate credentials that can be easily revoked if necessary, not personal credentials such as a personal email account
- Remove accounts for terminated employees promptly
- Ensure that administrators use devices with mandatory screen locking
- Provide regular training to all Dashboard administrators and developers on security and privacy best practices