Auth0 Features Aiding General Data Protection Regulation (GDPR) Compliance
The following Auth0 features (listed based on the end-goal action of the user or functionality offered to you as the customer) help you comply with GDPR regulations.
- Use Lock to allow new user signups when using database connections
- Enable or disable signup mode in Lock
- Implement a custom signup process
- Implement progressive profiling to gather only the data you need
- Implement end-user multifactor authentication to secure access
Notification and Consent
- Provide a User Must Accept Terms checkbox that is displayed next to the terms and conditions the user must agree to prior to signing up with the verbiage displayed controllable using the language dictionary
- Use rules to add the date of user consent/agreement in Lock to the ID token or the user's metadata
Withdrawal of Consent
- Delete the end user from Auth0 using the Management API. To confirm that the user was successfully deleted, you can attempt to retrieve the user using its ID. If the endpoint returns an error, then your call to delete the user was successful
- Use rules to add the date of user consent withdrawal to the user's metadata during the authorization process
Alternatively, instead of completing deleting the user, you may choose to flag their profile (using the
app_metadata field) as
deleted. Then, add a rule that results in authentication failing for any user with this flag. This allows you to keep a record of deleted users, in the event that you need to refer to such information in the future.
Right to Access Data
You can use either the Management Dashboard (which is a manual process) or the Management API (which is a programmatic process) to retrieve information about a specific user, correct their profile, or delete their profile. The Get a User endpoint enable you to provide an end user with their information in a standardized format (JSON).
Auth0 will assist in pointing you toward the correct API endpoints to use, as well as how to obtain the data you need.
- The Auth0 Management API
- How to Get an Access Token for the Management API
- How to Search for Users Using Lucene Query Syntax
- Management API Endpoint to Search for a User
- Management API Endpoint to Locate a User by ID
- Management API Endpoint to Update a User by ID
- Management API Endpoint to Delete a User
Right to be Forgotten
You can decide how to handle customer requests to be forgotten. With Auth0, you can use the Management API to delete the user from Auth0 and halt further processing of that user's data.
When you delete a user from Auth0, you remove the user's profile, as well as any metadata possessed by Auth0 for that user.
Right to Restrict Processing
It is your responsibility to define what "restriction of processing" means. You can use rules to alter privileges or other attributes in the user profile that might help with this obligation.
Choice of Providers
You can choose which identity providers to use for user authentication.
Using external providers means that your end users' credentials are not stored in Auth0 (or onsite).
You can limit the amount of personal information contained in the Auth0 user profile as follows:
Avoid storing end user information in the metadata section of the user profile
Configure enterprise identity providers to control what data is returned to Auth0
Configure social connections in Auth0 to control how much information Auth0 retrieves from the social provider
Use blacklisting to prevent persistence of information
Encrypt information prior to storing it in the user profile. You can use any encryption mechanism you'd like prior to storing data in the metadata fields, or you can use the built-in rules template Encrypt Sensitive Data in the User Profile to implement this functionality.
Minimize information contained in URLs that might be captured by Auth0 log files (for example, consider using
health-siteor similar as your domain name instead of
The ability to export Auth0 logs to external log services can help you with data retention requirements, as well as log analysis requirements.
- Store them for a longer period of time than that offered by your Auth0 service level
- Perform detailed analytics on the data
You can also use the Management API to retrieve log data for maximum control over the data retrieval process. You can control the fields returned using the