Fintech, how do you measure up to the rest of the industry?
Get the benchmark report →

Legal

Technical and Organizational Measures

Measures pseudonymising and/or encrypting personal dataMixpanel maintains Customer Content encrypted in transit with TLS and at rest with AES 256-bit encryption.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and servicesThe infrastructure for the Application Services spans multiple fault-independent availability zones in geographic regions physically separated from one another; a variety of tools and processes are in place to maintain high availability and resiliency.
Measures ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incidentBackups of the Customer Content are performed on a regular schedule and recovery testing is periodically conducted. Customer Content is encrypted in transit with TLS and at rest with AES 256 bit encryption.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processingMixpanel maintains an enterprise-wide security program that includes administrative, organizational, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of Customer Content.


Mixpanel conducts periodic reviews of its security program through various internal and independent third-party auditing services.
Measures for user identification and authorisationMixpanel enforces password and multi-factor authentication requirements. Access rights are promptly removed with personnel termination. Mixpanel operates under the principle of least privilege which ensures that only those with a business need to access a system or data are authorized and utilizes role-based access controls (RBAC) to provision and control access.
Measures for the protection of data during transmissionMixpanel maintains Customer Content encrypted in transit with TLS.
Measures for the protection of data during storageMixpanel maintains Customer Content encrypted with AES-256 bit encryption.
Measures for ensuring physical security of locations at which personal data are processedCustomer Content is stored in the Google Cloud. Google Cloud data centers physical security features a layered security model. Google Cloud data centers are monitored twenty-four (24) hours a day, seven (7) days a week via video surveillance and intrusion detection systems. Access to Google Cloud data centers floor is secured by multi-factor access control including security badges and biometrics. Further information on Google Cloud security program can be found on Google Cloud Compliance Center at https://cloud.google.com/security/compliance/.
Measures for ensuring events loggingMixpanel maintains application and infrastructure event logs. Events logs are managed centrally and contextually by the security team.
Measures for ensuring system configuration, including default configurationMixpanel maintains a change management policy with approval processes applicable to pre-production.


Hardened security configuration and vulnerability fixes are used in the production environment. Pre-production and production environments are segregated.

Mixpanel leverage tools to minimize security exposure including essential built-in security features such as minimal read-only root file system, file system integrity check, locked-down firewall, and audit logging.
Measures for internal IT and IT security governance and managementThe security program at Mixpanel includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the confidentiality, integrity, and availability of Customer Content taking into account the nature of the services provided by Mixpanel and data protection laws and regulations applicable to Mixpanel in its performance of its services. Mixpanel maintains information security and privacy policies considering these aspects. These policies are approved by management, regularly reviewed, and made available to all employees.
Measures for certification/assurance of processes and productsMixpanel carries various third-party audits and maintains an active SOC 2 Type II certification and performs annual penetration testing.
Measures for ensuring data minimisationMixpanel customers determine the data sent to the Application Services and control the amount of data processed for minimization purposes. Customers may delete, modify or retrieve their Customer Content directly through the Application Services. More on the tools available to customers is available here: https://developer.mixpanel.com/docs/privacy-security#manage-personal-data.
Measures for ensuring data qualityMixpanel customers determine the data sent to the Application Services. Customers may delete, modify or retrieve their Customer Content directly through the Application Services. More on the tools available to customers is available here: https://developer.mixpanel.com/docs/privacy-security#manage-personal-data.
Measures for ensuring limited data retentionCustomers may delete at any time their Customer Content directly through the Application Services. Additionally, Mixpanel deletes the Customer Content at Customer’s request in accordance with the data processing addendum in place with its customers. More on the tools available to customers is available here: https://developer.mixpanel.com/docs/privacy-security#manage-personal-data.
Measures for ensuring accountabilityMixpanel employs multiple controls to ensure high visibility and enforcement of change management policies to ensure accountability, including comprehensive system logs, code reviews, infrastructure as code, and filtering requests through a centralized ticketing solution.
Measures for allowing data portability and ensuring erasureCustomers may delete at any time their Customer Content directly through the Application Services. Additionally, Mixpanel deletes the Customer Content at Customer’s request in accordance with the data protection addendum in place with its customers.

More on the tools available to customers is available here: https://developer.mixpanel.com/docs/privacy-security#manage-personal-data
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporterMixpanel subprocessors pursuant to the data processing addendum with its customers enter into written agreements with Mixpanel requiring them to abide by terms consistent with the requirements of the data processing addendum with Mixpanel’s customers.