EU Data Protection

mLab recognizes that a large number of our customers operate in Europe and that many of these customers need to comply with European data protection laws.

We are and have always been committed to customer trust and to customer success. In this document we hope to keep you updated on where we are in terms of compliance with current European data protection standards and law.

You can email with follow-up questions or concerns.


In 2016, the European Commission approved and adopted the new General Data Protection Regulation (GDPR). GDPR became effective May 25, 2018 and introduced significant changes in European data protection laws relative to the prior data protection provisions of the EU Data Protection Directive (also known as Directive 95/46/EC).

mLab has implemented the necessary practices and documentation to address the requirements of GDPR. As part of our compliance efforts, we have created additional internal processes and procedures, further strengthened our organizational security measures, and updated our Privacy Policy. Additionally, as per GDPR requirements, we now have a Data Processing Addendum (DPA) available for our customers relative to our role as a Data Processor.

Cross-Border Data Transfer (EU – U.S.)

The European Union (EU) has determined that certain countries outside of the EU, including the U.S., are considered “inadequate” for the purposes of protecting personal information moving outside the EU without additional legal and organizational safeguards.

To ensure that data crossing into the U.S. from the EU has an adequate level of protection for EU compliance, mLab is certified under the Privacy Shield Framework (see next section), and has for many years utilized the “Standard Contractual Clauses” wording as prescribed by the EU to protect cross-border data transfer to the U.S. GDPR has explicitly stated (Chapter V - Articles 44-50) that Standard Contractual Clauses is an accepted method of compliance for cross-border data transfer.

We currently include the Standard Contractual Clauses as part of our DPA.

Privacy Shield Framework

mLab complies with the requirements of the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework, as set forth by the U.S. Department of Commerce and the Federal Trade Commission, regarding the collection, use and retention of person information from the European Union and Switzerland to the United States. mLab has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. These Principles collectively mean the 7 privacy principles and the 16 supplemental principles described in the Privacy Shield Framework.

It is important to note that the Privacy Shield Framework, by itself, is not a substitute for compliance with GDPR. To learn more about the Privacy Shield program, and to view mLab’s certification, please visit

Frequently Asked Questions (FAQ)

Q. Can we execute a Data Processing Addendum (DPA) with mLab?

Yes. Email to request our DPA.

Q. How long do you retain customer data?

We ensure that your data is deleted according to our data deletion policy.