Security is one of our biggest priorities here at Mixpanel. On this page we have provided information about the security of your data, our general security practices, and how you can reach a member of the security team if you have questions that haven’t been answered below.
The Mixpanel platform safeguards customer data using a variety of controls:
- Mixpanel application data is secured in transit using TLS, and encrypted at rest in Mixpanel’s proprietary analytics database format.
- The Mixpanel application logically separates user data, and access to your data is protected by strong authentication and authorization controls.
- Mixpanel audits changes to the application throughout the development lifecycle: architecture reviews are performed, along with stringent automated and manual code reviews.
- Mixpanel monitors application servers, infrastructure, and the Mixpanel network environment to detect potential abuse.
- Mixpanel uses Google Cloud Platform (“GCP”) to persistently store customer data and does not host customer data on its premises or store customer data with any other third-party services. GCP is a leading cloud provider that holds industry-leading security certifications, such as SOC2 and ISO 27001, and provides encryption in transit and at rest. Customer data sent to Mixpanel and ingested around the world is sent to GCP data centers located in the United States. When a customer requests a Mixpanel report at www.mixpanel.com, customer data is processed in a data center within the United States and the result is sent back to the customer via Mixpanel’s website. For more information about our system architecture, including additional security features provided, please review our Mixpanel Architecture and Security Overview.
European Union’s General Data Protection Regulation (GDPR)
Mixpanel is committed to complying with GDPR, which took effect on May 25, 2018, so that our customers’ and their end users’ rights and obligations under GDPR are met. As explained in our GDPR article, we created many tools and implemented new processes to ensure we can assist our customers with their compliance with GDPR requirements. Our customers can programmatically delete end-user data, or submit deletion or export requests via the privacy portal in their account settings. We also help our customers support data subject rights by providing options for data retention periods. For more information on our tools and processes, see our GDPR page.
Vulnerability Disclosure Area
We sincerely appreciate feedback from the security community and strive to quickly address security issues involving our products and services. If you need to report a security issue, please email firstname.lastname@example.org and include the phrase “Security Vulnerability” in the subject line. Your reports should include a detailed description of your discovery with clear, concise, reproducible steps, or a working proof-of-concept (POC).
General Security Questions
If you have general security questions or concerns, please email us at email@example.com.