Mixpanel Security Questionnaire
Mixpanel’s Global Security Program, or the GSP, was built to safeguard our customers’ data. Information security plays a role in every aspect of Mixpanel’s services, and the Team has prepared this overview of our security practices to provide additional assurances and insights into how Mixpanel’s protects our customers’ data.
Global Security Program
Dedicated Security Team
Led by the Head of Global Privacy and Security, Mixpanel’s Global Security Program is staffed with full-time, subject matter experts in both the United States and the European Union. The Program includes alumni from the Department of Defense, the Federal Reserve System, and Microsoft.
Data Security and Governance
How does Mixpanel segment and separate data?
All customer data is tagged with a project-specific token, and a customer must have access to the corresponding API key and secret in order to retrieve that data via API (access to the web UI is controlled via username and password). This provides logical separation between data belonging to multiple clients. Mixpanel is the sole tenant on our infrastructure. A customer’s data may reside on database systems which house data belonging to other customers, but our logical controls (token, key and secret) separates one client from another client’s data.
Does Mixpanel support single sign-on and multifactor authentication?
Our product supports single sign-on and provides authentication options through these providers. We also support multifactor authentication outside of single sign-on. Details on how to enable single sign-on are located at: https://help.mixpanel.com/hc/en-us/articles/360036428871.
Encryption and Password Management
Does Mixpanel encrypt customer data?
When a user visits a website or application with Mixpanel instrumented, the details of their interactions are captured and sent to Mixpanel through API calls secured over HTTPS/HTTP, based on how Mixpanel is configured by the customer. All of our other APIs and websites use HTTPS exclusively. All data transferred over HTTPS is encrypted. Mixpanel uses NIST Suite B compliant cipher suites to secure data in transit and at rest.
The Google Cloud Platform encrypts customer data stored at rest by default. Data in the Google Cloud Platform is broken into subfile chunks for storage, and each chunk is encrypted at the storage level with an individual encryption key. The key used to encrypt the data in a chunk is called a data encryption key (DEK). Because of the high volume of keys at Google, and the need for low latency and high availability, these keys are stored separately from but physically near the data that they encrypt. The DEKs are encrypted with (or “wrapped” by) a key encryption key (KEK). For more information, please see https://cloud.google.com/security/#dataencryption.
What are Mixpanel’s key management procedures?
Our policies require unique keys be used for each use case, and that keys not be reused for unrelated purposes.
Keys for encryption of customer data at rest are managed by our cloud provider, Google. You can find additional information about Google’s key management procedures here: https://cloud.google.com/kms/. We use public/private keys to secure access to code repositories. Keys used by staff are generated by Mixpanel employees on an individual basis and stored on local machines (full-disk encryption is enforced). Access to the repositories can be provisioned or revoked by senior engineering staff.
Are customer passwords encrypted?
Customer passwords are hashed using the PBKDF2 algorithm with a SHA256 hash, a password stretching mechanism recommended by NIST.
Data Center Features
Where are Mixpanel’s data centers?
Mixpanel persistently stores customer data in one of its two data centers. For customers not participating in EU residency, data is stored in the United States on the Google Cloud Platform in the US-Central 1 region (Iowa, United States). For customers participating in the EU residency program, data is stored in the Google Cloud Platform’s Europe-West 4 data center (Eemshaven, Netherlands).
Data Retention and Deletion
How is customer data backed up?
All client data is fully backed up on a daily basis to secondary data centers.
Mixpanel utilizes the Google Cloud Platform for all services supporting the Mixpanel application, ensuring that:
- Data is written to multiple GCP zones and is available for restoration from the secondary zone in the event that data is corrupted or deleted in one zone.
- Persistent disk backups occur daily.
- Backups are stored for a two-week period and can be used to restore data
- Backups occur on a rolling schedule across all disks in the project.
- The Business Continuity Plan is reviewed and disaster recovery drills are conducted annually.
Can Mixpanel delete customer data?
Mixpanel supports account holders’ ability to request the deletion or export of end user data.
Requests can be submitted through either a form found in a Mixpanel project or through a personal data export and deletion API.
Additional information can be found here: https://help.mixpanel.com/hc/en-us/articles/360000881023
Does Mixpanel have the ability to sanitize computing resources of client data if a customer leaves Mixpanel?
Mixpanel’s data destruction procedure involves three phases:
- Phase 1: Deletion Request. Mixpanel’s support or engineering team submits a deletion request command.
- Phase 2: Soft Deletion. The data marked for deletion is identified and logically deleted from the production environment, is rendered generally inaccessible but remains in a recoverable state. It remains in this state for 30 days.
- Phase 3: Hard Deletion. 30 days after the deletion request, the data identified is encrypted, the encryption key is deleted, and the data overwriting process begins. The overwriting process involves the logical and physical overwriting of data in Mixpanel’s active and backup environments. The overwriting process takes 90 days.
The procedures set out above comply with the United States National Institute of Standards and Technology’s Special Publication 800-88 (“Guidelines for Media Sanitization”).
Does Mixpanel keep customer information after termination?
No. If a customer ends its relationship with Mixpanel, their data is purged from Mixpanel’s systems. Customers can use Mixpanel’s data export and data transfers tools to remove their data prior to its deletion.
Does Mixpanel subcontract any of its services?
Mixpanel uses third-party vendors to provide the services, principally the Google Cloud Platform. Mixpanel uses other vendors to monitor the performance of the Application Services after they have been vetted and signed the appropriate contractual protections to handle customer data.
How does Mixpanel select its subcontractors?
Mixpanel has a vendor assessment policy that includes security team review of the vendor use case, their security posture, and their ability to access personal information. The legal team additionally requires privacy and security provisions in the contract where necessary to protect customer information.
Does Mixpanel have security certifications?
Mixpanel maintains a native and active SOC 2 type II attestation and is Cloud Star Alliance (CSA) Star Level 1 certified.
Additionally, our Cloud Service Provider Google regularly undergoes independent verification of security, privacy, and compliance controls against the following standards: ISO/IEC 27001, ISO/IEC 27017, SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA, CSA Star, FedRAMP and many others. Additional details are available at: https://cloud.google.com/security/compliance/offerings.
Does Mixpanel conduct regular internal and external audits?
We undergo an annual third-party security audit, annual penetration testing, and a source code audit of our production services. Additionally, we maintain a bug bounty program through HackerOne where security researchers are invited to submit vulnerabilities to Mixpanel throughout the year. We complement these assessments by performing regular, automated, vulnerability scans on our external and internal networks. Finally, security review is an integral part of our development lifecycle, incorporated into our design, implementation, and test processes.
How are vulnerabilities submitted to Mixpanel?
Mixpanel maintains a private bug bounty program through HackerOne and also accepts public vulnerability disclosures directly at firstname.lastname@example.org.
Incident Response and Security Monitoring
What is Mixpanel’s Incident Response Process?
We treat all suspected security incidents seriously and with the utmost attention. Suspected incidents are investigated by our Information Security team and adhere to the following steps of the SANS Incident Response Framework:
- Lessons Learned
When and how will I be notified of a suspected breach?
In keeping with GDPR requirements, Mixpanel will notify customers within 72 hours of a suspected breach via e-mail.
How does Mixpanel monitor for security incidents?
System audit logs from across the enterprise are forwarded to our internal Security Information and Event Management (SIEM) platform. From here, events are evaluated, triaged and investigated as appropriate by our Information Security Team. If a security incident is detected, we follow the above steps to remediate and recover.