The contents of these documents are not intended to be legal advice, nor should they be considered a substitute for legal assistance. The final responsibility for understanding and complying with GDPR resides with you, though Auth0 will assist you in meeting GDPR requirements where possible.
Restrict user profile information
To limit the amount of personal information in the Auth0 user profile, you can:- Minimize (or avoid) saving personal information in the metadata section of the user profile
- If you use enterprise directories, configure them to return only the minimum information needed
- If you use social providers, configure them to return only the minimum information needed
- Denylist the user attributes that you do not want to persist in the Auth0 databases
Encrypt user profile information
You can encrypt user information before you save it in the user profile. You can use any encryption mechanism you like prior to storing data in the metadata fields. When a user sets sensitive information, call the Update a User endpoint.Use account linking
Every time a user uses a connection to log in to your application, a user profile is created if it doesn’t already exist. Note that this is per connection. To better understand this, consider the following scenario. Your application offers three different options for signup:- sign up with email/password
- login with Google
- login with Facebook
- User-initiated account linking: your app must provide the UI so an authenticated user can link their accounts manually.
- Suggested account linking: in this case you still configure a rule that will link accounts with the same verified email address. However, instead of completing the link automatically, your app will first prompt the user to link their identities.
Export logs
You can export Auth0 logs and either store them yourself or automatically push them to an external log service in Auth0 Marketplace. This functionality can help you with data retention requirements, as well as log analysis requirements.Export logs with the API
You can use the to export logs and store them yourself. There are the two available endpoints, each providing slightly different information.Search all logs
The Search Log Events endpoint retrieves log entries that match the search criteria you provided. If you do not provide any search criteria, you will get a list of all available entries. You can provide search criteria using the q parameter and retrieve specific fields using the fields parameter. To access the API, you need a Management APIv2 token. This sample request retrieves all logs for successful logins (the event acronym for successful login iss). The list of fields we will retrieve per log entry is: date, description, client_id, and log_id.
Get a single log entry
The Get a Log Event by ID endpoint retrieves the log entry associated with the provided ID. This sample request retrieves a single log entry with the ID90020180129170850881585554625888895190928456277777449010.
Export to an external service
You can install and configure one of our log streaming solutions in Auth0 Marketplace to export logs automatically to another provider, like Sumo Logic or Loggly. For a list of available providers and detailed steps to configure each, see Export Auth0 logs to an external service.Keep sensitive information from logs
You should minimize any sensitive information contained in URLs that might be captured by Auth0 log files. For example, consider usinghealth-site or similar as your domain name instead of cancer-treatments.
You also need to ensure that you do the following:
- Analyze what you are collecting in sign up and through social media and whether that is necessary for the purpose of your service.
- Configure enterprise to control what data is returned to Auth0.
- Specify what data you want to collect from the social provider and negotiate any particular terms around social login with the social provider around use of the data they will get around your users’ login.