Docs Menu
Docs Home
/
MongoDB Atlas
/
Atlas Architecture Center
/
Security

Features for Compliance with External Standards

On this page

Use the following Atlas features to address compliance requirements.

Certifications and Compliance with Regulations

To help you address security and privacy requirements, MongoDB Atlas aims to deliver the highest levels of standards conformance and regulatory compliance.

Atlas data platform undergoes rigorous independent audits to verify its security, privacy, and organizational controls. These audits help ensure that the platform meets compliance and regulatory requirements, including those specific to highly-regulated industries.

Atlas has ISO/IEC 27001 and 9001, PCI DSS, HIPAA, GDPR, FedRAMP, and several other certifications. The full list of certifications is included in this section.

These certifications mean you can configure Atlas to comply with a particular standard. Be sure to follow the recommended settings for the standard to ensure compliance.

Atlas maintains the following certifications:

  • ISO/IEC 27001:2022: Global standard for information security management systems.

  • ISO/IEC 27017:2015: Global standard for cloud-specific security controls.

  • ISO/IEC 27018:2019: Global standard for protecting sensitive data (PII) on the cloud.

  • ISO 9001:2015: Globally recognized standard for Quality Management.

  • PCI DSS: Requirements for processing and accessing credit card data.

  • HIPAA: U.S. privacy regulation safeguarding health information.

  • GDPR: General Data Protection Regulation in the EU and EEA.

  • IRAP: Australian government cybersecurity assessment framework.

  • TX-RAMP: Texas Risk and Authorization Management Program.

  • TISAX: Trusted Information Security Assessment Exchange for automotive industries.

  • HDS: French standard for hosting health data (Hébergeur de Données de Santé).

To learn more, visit the Atlas Trust Center, a comprehensive compliance and trust program for MongoDB Atlas.

Encryption

You can implement encryption to ensure data security and compliance across all stages of data handling. Encryption is one of the most common requirements for ensuring compliance with certain standards and Atlas offers a robust set of encryption options to satisfy the requirements.

  • By default, Atlas encrypts data in transit. To ensure data privacy and regulatory compliance, Atlas requires TLS/SSL to encrypt the connections to your databases.

  • By default, Atlas encrypts all data at rest using cloud provider disk encryption. When using Atlas cloud backups, Atlas uses AES-256 encryption to encrypt all data stored in S3 buckets in your Atlas clusters. In addition, Atlas supports using AWS KMS, AKV, and GCP to encrypt storage engines and cloud provider backups. To learn more, see Encryption at Rest using your Key Management.

  • You can use Queryable Encryption to secure queries on encrypted data on select, sensitive fields in a document stored on MongoDB. With Queryable Encryption, sensitive information remains protected even when users run queries on data.

    Use well-researched non-deterministic encryption schemes to maintain a balance between security and functionality.

    With Queryable Encryption, you can perform the following tasks:

    • Encrypt sensitive data fields from the client-side.

    • Store sensitive data fields as fully randomized encrypted data on the database cluster-side, run with Atlas.

    • Run expressive queries on the encrypted data.

    MongoDB completes these tasks without the server having knowledge of the data it's processing.

    When using Queryable Encryption, sensitive data is encrypted throughout its lifecycle: in transit, at rest, in use, in logs, and backups. The data is only ever decrypted on the client-side, since only you have access to the encryption keys.

    You can set up Queryable Encryption using the following mechanisms:

    • Automatic Encryption enables you to perform encrypted read and write operations without having to add explicit calls to encrypt and decrypt fields. We recommend automatic encryption in most situations, as it streamlines the process of writing your client application. With automatic encryption, MongoDB automatically encrypts and decrypts fields in read and write operations.

    • Explicit Encryption enables you to perform encrypted read and write operations through your MongoDB driver's encryption library. You must specify the logic for encryption with this library throughout your application. Explicit encryption provides fine-grained control over security, at the cost of increased complexity when configuring collections and writing code for MongoDB Drivers. With explicit encryption, you specify how to encrypt fields in your document for each operation you perform on the database, and you include this logic throughout your application.

      To learn more, see Use Explicit Encryption.

Data Sovereignty

Atlas supports over 110+ regions across AWS, Azure, and GCP. This global distribution of supported locations ensures that you can provision clusters and store data that complies with your data sovereignty and compliance requirements. Understanding the data sovereignty requirements for any application being built on Atlas is necessary to ensure you stay compliant with proper governance. Additionally, Atlas simplifies data sovereignty compliance through global clusters with zoned sharding.

You can use global clusters to control data storage locations. You can partition and store data in your database into distinct zones, each situated in a different geographical location. For example, you can store European customer data in Europe, while storing U.S. customer data in the U.S. This allows you to comply with data sovereignty regulations and reduces latency for users accessing data from their respective regions. To learn more, see Global Clusters.

Backup Snapshot Distribution

You can distribute backup snapshots and oplog data across multiple regions. For example, you can satisfy compliance requirements and store backups in different geographical locations to ensure disaster recovery in case of regional outages. To learn more, see Snapshot Distribution.

Backup Compliance Policy

You can use Backup Compliance Policy in Atlas to secure business-critical data. You can prevent all backup snapshots and oplog data stored in Atlas from being modified or deleted for a predefined retention period by any user, regardless of their Atlas role.

This guarantees that your backups are fully WORM (Write Once Read Many)-compliant. Only a designated, authorized user can turn off this protection after completing a verification process with MongoDB support and legal. This adds a mandatory manual delay and cooldown period so that an attacker cannot change the backup policy and export the data. To learn more, see Configure a Backup Compliance Policy.

Back

Data Encryption

Next

Auditing and Logging