Auth0 Features Aiding GDPR Compliance

The following Auth0 features (listed based on the end-goal action of the user or functionality offered to you as the customer) help you comply with GDPR regulations.


You can:

You can:

See signUpTerms for a detailed code sample.

You can:

Alternatively, instead of completing deleting the user, you may choose to flag their profile (using the app_metadata field) as deleted. Then, add a rule that results in authentication failing for any user with this flag. This allows you to keep a record of deleted users, in the event that you need to refer to such information in the future.

Right to Access Data

You can use either the Management Dashboard (which is a manual process) or the Management API (which is a programmatic process) to retrieve information about a specific user, correct their profile, or delete their profile. The Get a User endpoint enables you to provide an end user their information in a standardized, machine readable (JSON) format.

Auth0 will assist in pointing you toward the correct API endpoints to use, as well as how to obtain the data you need.

Please review our documentation for additional information on Auth0 user profiles (including metadata) and what can/cannot be updated.

Auth0 cannot be used to update user profile information in remote providers.

Right to be Forgotten

You can decide how to handle customer requests to be forgotten. With Auth0, you can use the Management API to delete the user from Auth0 and halt further processing of that user's data.

When you delete a user from Auth0, you remove the user's profile, as well as any metadata possessed by Auth0 for that user.

Right to Restrict Processing

It is your responsibility to define what "restriction of processing" means. You can use rules to alter privileges or other attributes in the user profile that might help with this obligation.

Choice of Providers

You can choose which identity providers to use for user authentication.

Using external providers means that your end users' credentials are not stored in Auth0 (or onsite).

If you use LDAP connections, turn off caching to prevent end user credentials from being stored in Auth0/onsite.

Data Minimization

You can limit the amount of personal information contained in the Auth0 user profile as follows:

  • Avoid storing end user information in the metadata section of the user profile

  • Configure enterprise identity providers to control what data is returned to Auth0

  • Configure social connections in Auth0 to control how much information Auth0 retrieves from the social provider

  • Use blacklisting to prevent persistence of information

  • Encrypt information prior to storing it in the user profile. You can use any encryption mechanism you'd like prior to storing data in the metadata fields, or you can use the built-in rules template Encrypt Sensitive Data in the User Profile to implement this functionality.

  • Minimize information contained in URLs that might be captured by Auth0 log files (for example, consider using health-site or similar as your domain name instead of cancer-treatments)


The ability to export Auth0 logs to external log services can help you with data retention requirements, as well as log analysis requirements.

You can send your logs from Auth0 to external log services to:

  • Store them for a longer period of time than that offered by your Auth0 service level
  • Perform detailed analytics on the data

You can also use the Management API to retrieve log data for maximum control over the data retrieval process. You can control the fields returned using the fields and include_fields parameters.

Go back

Was this article helpful?