Auth0 General Data Protection Regulation Compliance

On 27 April 2016, the European Parliament and the European Council adopted legislation known as General Data Protection Regulation (GDPR), which became enforceable on 25 May 2018. This legislation replaces the European Privacy Directive 95/46/EC.

The GDPR aims to unify and strengthen the data protection rights of individuals located in the European Union (EU). It also extends the applicability of EU data protection legislation to non-EU companies that store or process personal data of individuals located in the EU and increases the fines that may be levied against companies that violate GDPR requirements.

Here are the definitions used for Auth0's GDPR documentation:

The GDPR has a broad scope of application. It applies to a wide range of companies, including non-EU-based services/companies that process personal data of individuals located in the European Union, or to companies that monitor the behavior of individuals located in the European Union.

Before you collect personal data from your end-users, you must have a legal basis to process personal data. For example, you can rely on consent to do so. When requesting consent, your notification must:

• Be clear and easy to understand

• State the purpose of the processing of personal data and how it will be processed

Sometimes, there are additional requirements. For example, you might also need to:

• Explicitly request consent for certain processing activities 

• Have a  mechanism that makes it as easy for your end-user to revoke their consent as it is to grant consent

Your end users, as individuals, have the right to:

• Access the personal data the company has about them

• Know how their personal data will be processed or used

• Delete their personal data or “ to be forgotten” (the individual may ask the controller of their data to erase the personal data in question, cease disseminating the data, or halt further data processing)

• Portability (the individual can ask for their personal data to be retrieved  in a standard, machine-readable format and can transmit their data to another data controller)

• Not be subject to automatic decision-making (a process typically called profiling)

Privacy by design means that each new implementation that uses personal data must take the protection of such personal data into consideration.

Privacy by default means that the strictest privacy settings automatically apply once the end-user acquires a new product or service (that is, without any manual change required on the part of the user).

As the data controller, you must:

• Do due diligence to ensure that your data processors provide adequate protection of provided personal data

Auth0, as the data processor, must:

• Comply with instructions provided by data controllers

• Implement adequate security

• The GDPR mandates that data controllers release notifications regarding data breaches without undue delay and in any case within 72 hours of becoming aware the incident if certain conditions are met

• Fines for non-compliance are much higher

• Supervisory authorities in the European Union have greater investigative powers

• Data controllers and data processors must appoint a Data Protection Officer if they meet certain requirements under the GDPR.

Generally speaking, Auth0 (Okta) customers are data controllers, and Auth0 (Okta) is a data processor.

Auth0 handles end-user data present in user profiles, including metadata.

More specifically, the customer is responsible for:

• End-user notification and consent and withdrawal of consent (where required)

• Deciding what Personal Data they expose to Auth0

• Deciding what connections (where end-user data and passwords reside) to use

• Signing up and, if necessary, creating new users

• Ensuring their users meet the age requirements and obtaining the appropriate consent if necessary (such as parental consent for children)

• Implementing the mechanisms necessary for their end-users to retrieve, review, correct, or remove personal data

• Responding to their end-users' data subject rights requests (DSARs)

• Responding to communications from Supervisory Authorities

• Sending Data breach notifications to Supervisory Authorities and end users when certain thresholds are met (Auth0 will assist the customer and provide the necessary information if necessary)

Auth0 is responsible for:

• Following the data controller's instructions as determined in the Subscription Agreement (SA) and Data Processing Addendum (DPA) (for enterprise customers) or Terms of Service (for self-service customers)

• Assisting the customer if it receives requests from the customer's end users exercising their GDPR rights. Notifying the customer if it receives requests from Supervisory Authorities related to the processing of Personal Data (unless prohibited by law)

• Notifying the customer if it becomes aware of a confirmed data breach that compromises Customer Data

• Notifying the customer if any of its Sub-processors notify Auth0 about a confirmed data breach that impacts Auth0’s Customer Data (unless prohibited by law)

• Providing the means to enable customers to retrieve, review, correct, or delete customer data via the Auth0 Dashboard and the Auth0 Management API

• Providing a mechanism for customers to display consent terms and a consent agreement checkbox on the Lock widget. Customers can also design custom signup and login forms if more elaborate consent schemes are needed

All of the data Auth0 has about an end-user is located in the Auth0 user profile. The specific attributes contained in the user profile vary based on customer configuration and  implementation and are based on a number of factors, such as connection type, user consent during the authentication flow, and whether you've augmented the user profiles with additional information.

The Auth0 user profile information is stored in Auth0 when you use a database connection. If a user logs in using any other type of connection (including custom database connections), Auth0 stores information provided by the external identity provider for future queries.

The Personal Data stored in Auth0 is used only for the purposes of providing its services, namely authenticating users.

When an end user's account is deleted, their user profile, included metadata, is removed.

Here is a list of GDPR regulations and how Auth0 can help you comply with them.

According to Article 7 of GDPR, you must:

• Ask users to consent on the processing of their personal data in a clear and easily accessible form

• Be able to show that the user has consented, and

• Provide an easy way to withdraw consent at any time

You can use Auth0 to ask your users for consent upon signup (using either Lock or a custom form) and save this information at the user profile. You can later update this information using the Management API. To learn more, read GDPR: Conditions for Consent.

According to Articles 15, 16, 17, and 19 of GDPR, users have the right to:

• Get a copy of their personal data you are processing

• Ask for rectifications if they are inaccurate, and

• Ask you to delete their personal data

With Auth0, you can access, edit, and delete user information, either manually or using our API. To learn more, read GDPR: Right to Access, Correct, and Erase Data.

According to Article 5 of GDPR:

• The personal data you collect must be limited to what is necessary for processing

• Must be kept only as long as needed, and

• Appropriate security must be ensured during data processing, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage

There are several Auth0 features than can help you achieve these goals, like account linking, user profile encryption, and more. To learn more, read GDPR: Data Minimization.

According to Article 20 of GDPR, users have the right to receive the personal data concerning them in a structured, commonly used and machine-readable format.

You can export user data, stored in the Auth0 user store, either manually or programmatically. Raw data from Auth0 can be exported in JSON format (which is machine-readable). To learn more, read GDPR: Data Portability.

According to Article 32 of GDPR, you must implement appropriate measures to ensure a level of security, including (but not limited to):

• data encryption

• ongoing confidentiality

• data integrity, and

• availability and resilience of processing systems and services

There are several Auth0 features than can help you meet this requirement, like user profile encryption, brute-force protection, breached password detection, step-up authentication, and more. To learn more, read GDPR: Protect and Secure User Data.

Auth0 recommends the following practices to help ensure the security of your end users data and minimize the probability of a data breach:

• Protect client secrets and keys

• Protect Management Dashboard credentials, and require multi-factor authentication for access to the Dashboard

• Review the list of administrators for the Dashboard on a regular basis and remove outdated entries

• Review the list of connections and applications associated with your Auth0 tenants and remove outdated entries

• Ensure that Dashboard administrators use corporate credentials that can be easily revoked if necessary, not personal credentials such as a personal email account

• Remove accounts for terminated employees promptly

• Ensure that administrators use devices with mandatory screen locking

• Provide regular training to all Dashboard administrators and developers on security and privacy best practices

Make sure that you monitor any log streaming solution you use to send log data to logging tools with reporting capability.

• GDPR: Conditions for Consent
• GDPR: Right to Access, Correct, and Erase Data
• GDPR: Data Minimization
• GDPR: Data Portability
• GDPR: Protect and Secure User Data