EU Data Protection

mLab recognizes that a large number of our customers operate in Europe and that many of these customers need to comply with European data protection laws.

We are and have always been committed to customer trust and to customer success. In this document we hope to keep you updated on where we are in terms of compliance with current European data protection standards and law.

You can email with follow-up questions or concerns.


In 2016, the European Commission approved and adopted the new General Data Protection Regulation (GDPR). GDPR became effective May 25, 2018 and introduced significant changes in European data protection laws relative to the prior data protection provisions of the EU Data Protection Directive (also known as Directive 95/46/EC).

mLab has implemented the necessary practices and documentation to address the requirements of GDPR. As part of our compliance efforts, we have created additional internal processes and procedures, further strengthened our organizational security measures, and updated our Privacy Policy. Additionally, as per GDPR requirements, we now have a Data Processing Addendum (DPA) available for our customers relative to our role as a Data Processor.

Cross-Border Data Transfer (EU – U.S.)

The European Union (EU) has determined that certain countries outside of the EU, including the U.S., are considered “inadequate” for the purposes of protecting personal information moving outside the EU without additional legal and organizational safeguards.

To ensure that data crossing into the U.S. from the EU has an adequate level of protection for EU compliance, mLab has for many years utilized the “Standard Contractual Clauses” wording as prescribed by the EU to protect cross-border data transfer to the U.S. GDPR has explicitly stated (Chapter V - Articles 44-50) that Standard Contractual Clauses is an accepted method of compliance for cross-border data transfer.

We currently include the Standard Contractual Clauses as part of our DPA until such time that we receive certification under the Privacy Shield Framework (see next section).

Privacy Shield Framework

Another method to comply with the cross-border data adequacy provisions is through certification under the Privacy Shield Framework. The EU-U.S. Privacy Shield Framework, designed by the U.S. Department of Commerce and the European Commission, is intended to guarantee the personal information of EU citizens the same privacy protection when processing in the U.S. as it would receive at home. On July 12, 2016, the European Commission deemed the EU-U.S. Privacy Shield Framework adequate to enable data transfers under EU law.

Privacy Shield requires that U.S. businesses wishing to process EU citizen’s personal information self-certify that they will comply with seven major privacy principles and sixteen privacy sub-principles. It is important to note that the Privacy Shield Framework, by itself, is not a substitute for compliance with GDPR. For more information visit the Privacy Shield Program Overview.

mLab is in the process of certifying under the Privacy Shield Framework and expects certification by Summer 2018.

Frequently Asked Questions (FAQ)

Q. Can we execute a Data Processing Addendum (DPA) with mLab?

Yes. Email to request our DPA.

Q. How long do you retain customer data?

We ensure that your data is deleted according to our data deletion policy.