Auth0 Data Privacy and Compliance

Auth0 maintains and meets the requirements for multiple compliance frameworks and certifications. To download or request Auth0 compliance documentation, visit the Support Center. Auth0 will document additional compliance frameworks and certifications on this page when available.

Auth0 supports technical requirements for FAPI, a set of advanced security profiles specified by the OpenID Foundation. FAPI introduces stricter security standards for industries and scenarios that require more security on top of normal OAuth 2.0 and OpenID Connect (OIDC) implementations. 

Auth0 is a certified FAPI OpenID Provider for the following two profiles:

• FAPI 1 Advanced OP with mTLS, PAR

• FAPI 1 Advanced OP with Private Key JWT, PAR

For more information, see FAPI OpenID Providers (OP) & Profiles.

To understand how we incorporated FAPI capabilities into Auth0, see Highly Regulated Identity.

Auth0 is GDPR ready. Auth0 provides information to its customers to help them understand how features and functionality of the Auth0 platform may affect their GDPR compliance obligations.

Auth0 is considered as a Business Associate as defined by the US HIPAA and HITECH legislation. For Auth0 customers who qualify as a Covered Entity under US HIPAA legislation and related legislation and regulations and who provide ePHI (electronic Protected Health Information) to Auth0 as part of the Auth0 user profile, Auth0 may qualify as a business associate. Auth0 can provide its Business Associate Agreement to you upon request. To learn more about HIPAA, read Health Information Privacy on hhs.gov. To learn more about HITECH, read HITECH Act Enforcement Final Rules on hhs.gov. HIPAA compliance is not available on Azure deployments.

Auth0 is CSA STAR certified. You can review the CSA Consensus Assessments Initiative Questionnaire (CAIQ) and can view our CAIQ and STAR Certificates in the CSA STAR Registry.

Auth0 undergoes an ISO 27001/27017/27018 audit by an independent auditor annually. To request access to our ISO 27001/27017/27018 certificate, log in to Auth0 Support Center and select the Compliance option. We can also share our Statement of Applicability (SOA) upon request with a non-disclosure agreement (NDA) signed by a corporate officer authorized to represent the company. To request the SOA, please contact your assigned Technical Account Manager or Account Executive.

Auth0 offers PCI compliant environment deployment models. Our Attestation of Compliance (AOC) and/or Self Assessment Questionnaire (SAQ-D) is available upon request. For a copy of these documents, log in to Auth0 Support Center and select the Compliance option.

We provide the capabilities for customers to build an end-to-end user journey that includes Strong Customer Authentication(SCA) and Dynamic Linking, which dynamically shows transaction details for explicit end-user approval. For more information, read Highly Regulated Identity.

Auth0 undergoes a SOC 2 Type 2 audit by an independent auditor annually. The audit covers all 5 Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality and Privacy). For a copy of the SOC 2 report, log in to Auth0 Support Center and select the Compliance option.

For information on compliance with technical specifications for authentication, please see our Protocols documentation.

• Auth0 General Data Protection Regulation Compliance
• Auth0 Data Processing