Mixpanel – GDPR Readiness

Last edited: Aug 9, 2018
Meredith Speece, CIPP, Commercial Counsel

After years of comments and drafts, the European Union’s General Data Protection Regulation (“GDPR”), the most comprehensive privacy regulation of the last twenty years, will take effect on May 25, 2018. Helpful information about the GDPR can be found in our GDPR FAQ. At Mixpanel, we welcome the transparency and will continue to ensure our customers’ data is secure, including compliance with the GDPR. We know the requirements of the GDPR are complex, and that our customers need to know if we will be ready; the answer is, yes. We have already made significant progress and are committed to being fully ready by May 25th.

Leading in Privacy and Security

As the first product analytics company to certify under the Privacy Shield Principles in 2016, we have demonstrated our firm commitment to complying with privacy regulations. As we prepare for the GDPR, we are confident we will continue to be a market leader in privacy compliance for product analytics platforms. Over the last year, our team of privacy and security experts has been busy evaluating our product, reviewing our vendors, and auditing our privacy and security programs to see what changes needed to be made.

On the security front, before even setting out on an audit of our systems, we knew customer data would be encrypted both in transit and at rest using AES-128 or AES-256. Our systems were designed to automate scans that regularly check for security vulnerabilities and make us aware of issues that would require additional review by a member of our security team. As a result, Mixpanel has a firm security foundation to continue to improve upon, which you can learn more about in our Security White Paper.

In addition to augmenting our security program, here’s what we’ll be doing to support all of our customers in their GDPR compliance efforts ahead of the May 25, 2018 deadline.

Enhanced data deletion and export features

The GDPR empowers “data subjects,” the individuals from whom the data has been collected, to control who has their data. Today, we already provide rich data export functionality and the ability to delete customer data. However, to further build on these features for GDPR, we will be automating our data deletion and export capabilities, which will better allow us to support any requests our customers may receive from data subjects. These forthcoming product releases to automate the deletion and export process will help keep our customers GDPR compliant by ensuring we are only processing data for identified, appropriate data subjects.

Comprehensive review of vendors

We know we have an important responsibility when it comes to scrutinizing the vendors we use to help us provide our services to our customers. Part of our readiness plan is making sure our contracts adequately address the security, privacy, and confidentiality of our customers’ data under GDPR; you can be confident that our vendors have undergone a thorough privacy and security review by Mixpanel’s legal and security teams. We’ve also ensured your data is stored with an industry leader with a robust security program and appropriate security certifications.

Updated Data Protection Terms

We are committed to the protection of all of our customers’ data and the lawful use and processing of that data. In addition to our Privacy Shield certification, Mixpanel has historically offered a Data Processing Addendum (“DPA”) to provide additional legal commitments for our customers transferring personal data from Europe to our data centers in the United States. With the arrival of the GDPR, we have further updated our DPA to ensure compliance with all GDPR-specific requirements and now offer our enhanced DPA to all Mixpanel customers. The revised DPA supplements our Terms of Use and provides contractual safeguards to our customers for the processing of the personal data sent through Mixpanel, enabling these customers to be compliant with the GDPR.

In addition, we have identified the following areas where we’ll also make improvements:

  • Enhanced privacy and security awareness program: We’re launching a new comprehensive, company-wide privacy and security training portal to augment our current training program. Every Mixpanel employee, regardless of whether they access customer data, will receive important and up-to-date training on data privacy and security.
  • Data Protection Officer (DPO): We will be appointing a DPO to keep us on track with the latest privacy changes to maintain best practices and protect customer data.
  • New subscribe features: To ensure that our marketing practices follow the GDPR rules, we’re enhancing our subscribe/control feature in our newsletters, blogs, and emails. We want our customers to receive the information they want, when they want. Now you can make sure you’re getting the latest product and company updates from us, and not getting information you don’t want.
  • Centralized privacy & compliance information: This blog post is just the beginning! More improvements from our legal, security, and compliance teams are coming. We are excited to announce that we are launching a new webpage early next year that will provide easy, centralized access to relevant compliance and security documents, including updates on our GDPR efforts. This page will have links for customers to review our DPA, or learn more about Mixpanel’s security program and controls, as well as provide links to our Terms of Use, helpful GDPR FAQs and Privacy Shield FAQs, and information on our Security program.

The privacy landscape is changing fast and we take very seriously the immense responsibility of caring for our customers’ data. Mixpanel has a team of privacy and security professionals dedicated to our compliance and to helping you maintain your compliance when using Mixpanel.

If you would like more information or have follow-up questions, please reach out to us at compliance@mixpanel.com.
