Auth0 Data Privacy and Compliance
Auth0 maintains and meets the requirements for multiple compliance frameworks and certifications. To download or request Auth0 compliance documentation, visit the Support Center. Auth0 will document additional compliance frameworks and certifications on this page when available.
|General Data Protection Regulation Compliance
|What the General Data Protection Regulation (GDPR) is and Auth0's compliance with its requirements.
|What data Auth0 stores and how it's used.
Compliance & Certifications
Auth0 supports technical requirements for FAPI, a set of advanced security profiles specified by the OpenID Foundation. FAPI introduces stricter security standards for industries and scenarios that require more security on top of normal OAuth 2.0 and OpenID Connect (OIDC) implementations.
Auth0 is a certified FAPI OpenID Provider for the following two profiles:
FAPI 1 Advanced OP with mTLS, PAR
FAPI 1 Advanced OP with Private Key JWT, PAR
For more information, see FAPI OpenID Providers (OP) & Profiles.
To understand how we incorporated FAPI capabilities into Auth0, see Highly Regulated Identity.
Auth0 is GDPR ready. Auth0 provides information to its customers to help them understand how features and functionality of the Auth0 platform may affect their GDPR compliance obligations.
HIPAA and HITECH
Auth0 is considered as a Business Associate as defined by the US HIPAA and HITECH legislation. For Auth0 customers who qualify as a Covered Entity under US HIPAA legislation and related legislation and regulations and who provide ePHI (electronic Protected Health Information) to Auth0 as part of the Auth0 user profile, Auth0 may qualify as a business associate. Auth0 can provide its Business Associate Agreement to you upon request. To learn more about HIPAA, read Health Information Privacy on hhs.gov. To learn more about HITECH, read HITECH Act Enforcement Final Rules on hhs.gov. HIPAA compliance is not available on Azure deployments.
Auth0 undergoes an ISO 27001/27018 audit by an independent auditor annually. You can see our ISO 27001/27018 certificate in our Support Center. We can also share our Statement of Applicability (SOA) upon request with a non-disclosure agreement (NDA) signed by a corporate officer authorized to represent the company. To request the SOA, please contact your assigned Technical Account Manager or Account Executive.
Auth0 offers PCI compliant environment deployment models. Our Attestation of Compliance (AOC) and/or Self Assessment Questionnaire (SAQ-D) is available upon request. For a copy of these documents, log in to Auth0 Support Center and select the Compliance option.
Payment Services Directive 2 (PSD2)
We provide the capabilities for customers to build an end-to-end user journey that includes Strong Customer Authentication(SCA) and Dynamic Linking, which dynamically shows transaction details for explicit end-user approval. For more information, read Highly Regulated Identity.
Auth0 undergoes a SOC 2 Type 2 audit by an independent auditor annually. The audit covers all 5 Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality and Privacy). Log in to Auth0 Support Center and select the Compliance option for a copy of the SOC 2 report.
For information on compliance with technical specifications for authentication, please see our protocols documentation.