Mixpanel & the GDPR
On May 25, 2018, the General Data Protection Regulation (“GDPR”) will take effect. As the most significant data protection regulation in twenty years, the GDPR replaces the EU Data Protection Directive and seeks to strengthen individual rights while harmonizing the patchwork of data protection laws throughout Europe. The GDPR regulates the “processing” of personal data, which is defined very broadly, of any EU resident, regardless of where the processing takes place. Failure to comply with the GDPR could result in heavy fines: up to €20 million or 4% of worldwide revenue.
In December, we outlined the steps Mixpanel was taking to ensure it was ready for GDPR, and the changes we were implementing that would allow our customers to use Mixpanel and comply with GDPR. Below we’ve provided the details on the changes we’ve made and links to our product updates and GDPR resources.
Assisting Customers With Data Subject Access Requests
The GDPR grants broad rights to individuals with regard to their personal information and who has access to it. The GDPR, therefore, provides individuals (known as “data subjects”) with the “right to be forgotten.” In practice, this means organizations must now comply with a data subject’s request for access to his/her personal information in order to correct, delete, or retrieve such information. As a data processor for our customers, we have built tools that will allow us to assist our customers in complying with these data subject requests.
First, our client-side SDKs have been updated to provide more robust opt-out methods that will opt users out of tracking on both the API and cookie level. While customers are still responsible for ensuring they have a lawful basis for processing (i.e. consent, legitimate interest) from their end users, our SDKs will now provide enhanced flags to help with that opt-in process. Customers will also be able to set a default opt-in/out state for their client-side implementations. You can read more about the SDKs here.
Second, we have developed deletion and export tools for end-user data. When we began this journey, we knew we wanted to provide our customers with the tools they needed to respond not only to general deletion or access requests, but also to more specific requests from their end users for deletion of specific pieces of personal data. It was important to us to build retrieval and deletion tools that were sophisticated enough to provide an accurate response for our customers rather than providing a generic one-size-fits-all tool. Our engineering team has built a tool capable of exporting or deleting event data for distinct_ids or deleting specific properties – it can handle either type of request. This is not an all-or-nothing tool that you might have seen from other analytics providers – Mixpanel will be able to retrieve or delete a specific property for a unique user or all of the data for a distinct_id. When GDPR takes effect, event deletion and export requests will be handled by our Support team via a webform in the customer’s Account Settings. We will be providing instructions to our customers on how to submit the data subject deletion or export request prior to the GDPR effective date. We will also have our external deletion API ready for customer use by the end of May. In the meantime, we have created GDPR documents to help customers with Mixpanel and GDPR-related implementation questions, which you can find here.
Third, we’ve updated our customer data retention period to a default period of five years for event data. Among other obligations, GDPR limits the time period in which an organization may retain data to “no longer than is necessary for the purposes for which the personal data are processed.” Mixpanel has historically allowed customers to retain data indefinitely. In developing this new policy, we were mindful of our customers’ needs for historical data while also trying to balance the rigorous data storage limitations in the GDPR, which is why our default retention period will be five years. You can find more details on our retention policy, and the options available to customers, in our Help Center. If you have any questions you can always reach out to firstname.lastname@example.org.
Finally, as we discuss in more detail below, we wanted to make sure we tightened up controls around who in Mixpanel has access to the data our customers send into Mixpanel. To do that, we audited our systems and access permissions to ensure that only those we designated as a “need to know” are able to access the data sent into Mixpanel. We enhanced our data logging system to be sure we can track who is accessing customer data both internally and externally by customers, when it was accessed, and what they did, if anything, with the data. Customers can be sure that our logs will accurately reflect the details of access to their data.
Data Processing Addendum
- Assistance with Data Subject Requests – to the extent our customers cannot delete or retrieve data processed by Mixpanel on their own, we will assist customers with the data subject requests they receive.
- Notification of Data Incidents – Mixpanel will notify customers without undue delay if there is any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to, the personal data. We will assist our customers in their obligations under Articles 32-36 of the GDPR.
- Confidentiality Commitments of Personnel – All Mixpanel employees are required to sign a confidentiality agreement prior to employment, complete mandatory privacy trainings, and adhere to other internal policies.
The GDPR allows for several ways to facilitate transfers of personal data outside of the EU. One valid mechanism for transfer of personal data outside of the EU is transfer of data under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. Mixpanel was among the first analytics providers to self-certify under the Privacy Shield Frameworks in 2016 and has maintained that certification. You can find more information about Mixpanel and the Privacy Shield Framework in our Help Center.
As obligations to protect data transfers from the EU continue to develop, we’re committed to maintaining a valid mechanism to facilitate transfers of personal data outside of the EU.
Vendor Obligations and Subcontractors
As a data processor under the GDPR, we are responsible for the subcontractors we retain to help us provide our services. To support delivery of our services to customers, we engage certain vendors who help us process our customers’ data. Some of these vendors provide our data storage and infrastructure and are an integral part of the services we provide, while others provide important account management assistance. We know we have an important responsibility when it comes to scrutinizing these subcontractors, which is why our Vendor Risk Assessment program requires each subcontractor to undergo a rigorous review by our legal and security teams to ensure each has the required technical and organizational expertise and measures in place to deliver an appropriate level of security and privacy. In addition, we have entered into a data processing addendum with each subprocessor so that the privacy and security obligations we owe our customers flow through contractually to our subcontractors. We have also developed a comprehensive internal map of all customer data flow in connection with our subcontractor review to ensure GDPR compliance, which includes our requirements to assist with data subject access requests.
A list of our subcontractors can be found here and is also linked to in Section 4 of our Data Processing Addendum that is publicly available. As noted in our DPA, if a customer requires prior notification of any updates to the list of subcontractors, that customer can request notifications of those updates by emailing email@example.com.
Enterprise Grade Security
The GDPR requires controllers and processors of personal data to “implement appropriate technical and organisational” measures to ensure a level of security appropriate to the risk. Mixpanel uses Google Cloud Platform (“GCP”) as its third-party cloud storage subcontractor and does not host customer data on its premises. GCP is a leading cloud provider that holds industry best security certifications, such as SOC2 and ISO27001, and provides encryption in transit and at rest, without any action required from our customers.
Internal Controls – For Mixpanel employees, access rights and levels are based on job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. Additionally, all Mixpanel employees must abide by multiple policies about handling customer data securely and protecting customer data.
Audits for Vulnerabilities – At least annually, we invite an independent, third-party auditor to run penetration testing. Additionally, we run scans for software vulnerabilities and have a Security Information and Event Management platform, which provides 24x7x365 monitoring and alerting for security incidents in our networks and systems.
Product Security – Mixpanel customers can access product features and configurations to further protect personal data against unauthorized or unlawful processing, including Single Sign On (“SSO”) and 2-Step Verification. You can read more about our security architecture here.
You may find additional information about Mixpanel’s security program at https://mixpanel.com/legal/security-overview/
Global Privacy Program
At the end of the day, GDPR has forced organizations to be more thoughtful in their approach to the collection and processing of personal data, which we welcome and fully embrace. We have appointed a Data Protection Officer (DPO) to guide Mixpanel’s global privacy program and ensure that Mixpanel complies with its obligations under GDPR and other privacy regimes. Our DPO will help the teams at Mixpanel work through the Data Privacy Impact Assessment process (as required by Article 35 of the GDPR) to recognize and minimize data protection risks. When you are entrusted with data, as we are by our customers, Privacy by Design should be an integral part of your product engineering process, as it is at Mixpanel. And finally, as part of our global privacy program, all employees have received privacy awareness training and will continue to receive this training annually, in addition to more position-specific security training some employees may need. We will not only ensure employees receive the ongoing training, but we have also developed a privacy program audit procedure to ensure the principles and policies are being followed.