MongoDB is a NoSQL document database available as open source self hosted software or as MongoDB Atlas, a fully managed cloud database service. It stores data in flexible JSON like documents and is widely used for web applications, content management, IoT, and real time analytics. When using Atlas, data processing involves MongoDB Inc. (US) as a processor, requiring GDPR compliance measures including a DPA and configurable data region selection.
MongoDB is a NoSQL document database that stores data in flexible, JSON like BSON documents. It is available as open source Community Server for self hosted deployments and as MongoDB Atlas, a fully managed cloud database service running on AWS, Azure, or Google Cloud. MongoDB is widely used for web applications, mobile backends, content management systems, IoT platforms, and real time analytics. Unlike traditional relational databases, MongoDB does not set cookies on end user browsers as it operates at the infrastructure layer. However, the MongoDB Atlas web console and mongodb.com website do set cookies for authentication and analytics.
MongoDB itself is a data storage engine, meaning the personal data it processes depends entirely on what the application developer chooses to store. Common personal data stored in MongoDB collections includes user profiles, email addresses, transaction records, location data, and application logs. MongoDB Atlas collects operational metadata including connection logs, query performance metrics, cluster configuration data, and user account information for the Atlas console. The Atlas web console sets authentication cookies, session management tokens, and analytics cookies from mongodb.com and cloud.mongodb.com domains.
For self hosted MongoDB Community deployments, the organisation is both controller and processor of all data, with no third party data processing involved. GDPR obligations fall entirely on the deploying organisation. For MongoDB Atlas, MongoDB Inc. acts as a data processor and provides a DPA incorporating SCCs. Atlas holds SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, HIPAA, and PCI DSS certifications. MongoDB Atlas supports configurable data regions, allowing organisations to restrict data storage to EU regions on any of the three supported cloud providers. However, Atlas management plane metadata and some operational data may still be processed in the US. Organisations should configure encryption at rest (enabled by default on Atlas), encryption in transit (TLS), and field level encryption for particularly sensitive data.
MongoDB as a database engine does not directly interact with end users or set browser cookies, so ePrivacy consent requirements do not apply to the database itself. The legal basis for storing personal data in MongoDB depends on the application: typically contract performance (Art. 6(1)(b)) or legitimate interest (Art. 6(1)(f)). The Atlas web console sets analytics cookies that require consent under the ePrivacy Directive. Organisations building applications on MongoDB must implement their own consent mechanisms at the application layer for any personal data collection, and ensure that the database schema supports data subject rights (access, rectification, erasure, portability).
Self hosted MongoDB keeps data wherever the organisation deploys it, with no international transfers unless the organisation configures replication across regions. For Atlas, MongoDB Inc. is US based but offers configurable cluster regions across AWS, Azure, and GCP data centers worldwide, including multiple EU locations (Ireland, Frankfurt, Amsterdam, Paris, Stockholm). Organisations can restrict primary data storage to EU regions. However, Atlas management plane operations, billing data, and support interactions may involve US based systems. Transfers are covered by MongoDB's DPA with SCCs. Organisations should document their chosen Atlas region configuration in their Records of Processing Activities.
For Atlas deployments: execute MongoDB's DPA, select an EU cluster region, enable encryption at rest and in transit, configure field level encryption for sensitive fields, implement role based access control (RBAC), enable audit logging, configure network access restrictions (IP allowlists, VPC peering), and review backup data residency settings. For self hosted deployments: enable authentication, configure TLS, enable encryption at rest, implement RBAC, enable audit logging, and secure network access. For all deployments: design your database schema to support GDPR data subject rights (indexing personal data fields for retrieval and deletion), implement data retention policies with TTL indexes or scheduled cleanup processes, conduct a DPIA if storing sensitive personal data at scale, and include MongoDB in your Records of Processing Activities.
Websites using MongoDB must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for MongoDB deployments storing personal data at scale. Key areas to assess include: the volume and sensitivity of personal data stored in collections (which varies entirely based on application design); encryption at rest and in transit configuration; access controls and authentication mechanisms; audit logging and monitoring setup; for Atlas deployments, international data transfers and cloud provider subprocessor relationships, and backup and snapshot data residency; and third party integrations accessing the database via application layer connections.
Sample consent text
This application uses MongoDB to store and process data. Your personal data may be stored in a MongoDB database hosted on cloud infrastructure. Data processing is performed in accordance with applicable data protection regulations. For more information about how your data is processed and your rights, please refer to our privacy policy.
Third-party domains contacted
cloud.mongodb.com
account.mongodb.com
www.mongodb.com
realm.mongodb.com
data.mongodb-api.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| mdb_session | authentication | Session | Maintains the authenticated session for the MongoDB Atlas web management console. |
| mdb_csrf | security | Session | CSRF protection for Atlas console operations and account management actions. |
| _ga | analytics | 2 years | Google Analytics cookie tracking visitor behaviour on the MongoDB website and Atlas console. |
| mdb_prefs | functionality | 1 year | Stores user interface preferences for the Atlas console including cluster view mode and notification settings. |
MongoDB as a database engine does not set browser cookies. However, the MongoDB Atlas web console and mongodb.com website set authentication cookies, session tokens, CSRF protection cookies, and analytics cookies (Google Analytics). When developers access the Atlas dashboard, cookies from cloud.mongodb.com and account.mongodb.com are deposited. End users of applications built on MongoDB do not receive any cookies from MongoDB itself.
Consent is not required for the database engine itself as it does not interact with end users directly. Applications built on MongoDB must implement their own consent mechanisms based on what personal data they collect and store. The Atlas web console requires cookie consent for analytics cookies under the ePrivacy Directive. Organisations should ensure their application layer handles consent appropriately for any personal data stored in MongoDB collections.
The database itself is a tool, so the legal basis depends on the application. Typical bases include contract performance (Art. 6(1)(b)) for user account data, legitimate interest (Art. 6(1)(f)) for security logging, and consent (Art. 6(1)(a)) for marketing data. For Atlas as a service, the relationship is governed by the DPA where MongoDB acts as processor. Organisations must determine and document the legal basis for each category of personal data they store in MongoDB.
For self hosted deployments, no data transfers occur to MongoDB Inc. For Atlas, MongoDB Inc. is US based, but Atlas clusters can be deployed in EU regions (Ireland, Frankfurt, Amsterdam, Paris, Stockholm) on AWS, Azure, or GCP. Management plane metadata and support interactions may involve US systems. Transfers are covered by MongoDB's DPA with SCCs. Choose an EU cluster region and document the configuration in your Records of Processing Activities.
A DPIA is recommended if your MongoDB deployment stores personal data at scale, processes sensitive or special category data, or involves systematic monitoring. The assessment should focus on the application layer: what personal data is stored, how it is secured (encryption, access controls), data retention practices, and for Atlas, the international transfer safeguards. The database schema design is critical for supporting data subject rights.
For Atlas: execute the DPA, deploy in an EU region, enable encryption at rest and in transit, configure Client Side Field Level Encryption for sensitive fields, implement RBAC, enable audit logging, and restrict network access. For self hosted: enable authentication, TLS, encryption at rest, RBAC, and auditing. For all deployments: design your schema to support data subject access and deletion requests, implement TTL indexes for data retention, and include MongoDB in your processing records.
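The schema and access control measures listed above (indexing personal data fields for data subject requests, TTL indexes for retention, a least-privilege application user) as an added mongosh script; this is example code, not the page's or MongoDB Inc.'s. The database name "app", the collections users/orders/events, the fields userId/createdAt/email, and the retention periods are constructed assumptions.

```javascript
// Added example: mongosh script (load("gdpr_schema.js") then call the functions).
// Assumed names: database "app", collections users/orders/events, field "userId".
const RETENTION_DAYS = { events: 90, sessions: 30 };              // constructed retention policy
const SUBJECT_FIELDS = { users: "_id", orders: "userId", events: "userId" };

function retentionSeconds(days) { return days * 24 * 60 * 60; }

// TTL index spec: MongoDB only expires documents whose indexed field holds a Date,
// so the field (createdAt here) must be stored as a BSON date, not a string.
function ttlIndexSpec(field, days) {
  return { keys: { [field]: 1 }, options: { expireAfterSeconds: retentionSeconds(days) } };
}

// One filter per collection, so an access or erasure request reaches every place
// the subject's data lives, not only the users collection.
function dsarFilters(subjectId) {
  return Object.fromEntries(
    Object.entries(SUBJECT_FIELDS).map(([coll, f]) => [coll, { [f]: subjectId }]));
}

function applyGdprSchema(db) {
  // Lookup indexes so data subject requests do not require collection scans.
  for (const [coll, field] of Object.entries(SUBJECT_FIELDS)) {
    if (field !== "_id") db.getCollection(coll).createIndex({ [field]: 1 });
  }
  db.users.createIndex({ email: 1 }, { unique: true });
  // Retention: documents older than the policy are removed by the TTL monitor.
  for (const [coll, days] of Object.entries(RETENTION_DAYS)) {
    const spec = ttlIndexSpec("createdAt", days);
    db.getCollection(coll).createIndex(spec.keys, spec.options);
  }
  // Least-privilege application account: readWrite on "app" only, no admin roles.
  db.getSiblingDB("app").createUser({
    user: "app_rw", pwd: passwordPrompt(), roles: [{ role: "readWrite", db: "app" }] });
}

// Erasure request: delete the subject's documents in every registered collection
// and return per-collection counts for the processing record.
function eraseSubject(db, subjectId) {
  const result = {};
  for (const [coll, filter] of Object.entries(dsarFilters(subjectId))) {
    result[coll] = db.getCollection(coll).deleteMany(filter).deletedCount;
  }
  return result;
}
```

Native audit logging and the encrypted storage engine are Enterprise and Atlas features; on Community Server, pair this with disk-level encryption and a proxy or application-level audit trail.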
For organisations seeking to avoid cloud managed services, self hosted MongoDB Community Edition provides full data control. Other alternatives include PostgreSQL (open source relational database), CouchDB (open source document database with built in replication), SurrealDB (open source multi model database), and InfluxDB (for time series data). For cloud managed options with EU focus, consider Scaleway Managed Databases or Hetzner Cloud with self managed MongoDB.
If your website or application uses MongoDB Atlas and embeds Atlas App Services or Realm widgets, document any cookies set by mongodb.com or realm.mongodb.com domains. For most applications, MongoDB operates at the infrastructure layer and is not directly visible to end users, so it may not need specific cookie policy mention. However, your privacy policy should describe that personal data is stored in a cloud database (naming the provider and data region) and reference the DPA and transfer safeguards.