What kind of PII data is logged in Auth0

Hi there,
We’re looking at external logging applications and the implications of what kind of data is stored in Auth0 logs, and what could potentially be exported to external logging applications. Specifically, we’re concerned about PII (personally identifiable identification) - not specific to, but perhaps sharing similar concerns as the GDPR topic (we do not have EU users).

I’ve been searching through Auth0 documentation and hunting around on Google but I was unable to find anything specific. What I would like to know is what kind of PII data is stored in Auth0 logs, what about metadata or URLs etc. From a privacy point of view and from the point of view of the security paranoid, what does Auth0 log and what should we be wary of?

Thanks,
Aaron

Good morning,

The amount and type of data can vary based on configuration.

To limit the amount of personal information in the Auth0 user profile, you can:

  • Minimize (or avoid) saving personal information in the metadata section of the user profile
  • If you use enterprise directories, configure them to return only the minimum information needed
  • If you use social providers, configure them to return only the minimum information needed
  • Blacklist the user attributes that you do not want to persist in the Auth0 databases

You can read more here: GDPR: Data Minimization
In addition, there’s this article: Security, Privacy & Compliance - Auth0

Thanks!

Morning Karen,
Thanks for your reply. When it comes to metadata, how much of metadata is logged and when does that occur? e.g. during Management API updates, etc.

Thanks,
Aaron
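One control on the export side that complements the data-minimization list above: strip or pseudonymize identifier fields from tenant log events before they are forwarded to an external logging application, and refuse to export if any sensitive key survives. This is an added Python example, not Auth0's code or anything posted in the thread; the field names (`user_name`, `ip`, `user_agent`, `user_metadata`, `app_metadata`, `user_id`) and the sample events are assumptions constructed for illustration, and the salt would be a per-tenant secret in practice.

```python
import hashlib

# Constructed sample of tenant log events. The keys follow a common Auth0-style
# log shape but are assumptions for this example, not a schema from the thread.
SAMPLE_EVENTS = [
    {"type": "s", "date": "2024-01-01T00:00:00Z", "client_name": "web-app",
     "user_id": "auth0|abc123", "user_name": "jane@example.com",
     "ip": "203.0.113.7", "user_agent": "Mozilla/5.0",
     "details": {"request": {"body": {"user_metadata": {"phone": "+15551234567"}}}}},
]

# Keys whose values are direct identifiers or free-form profile data: removed before export.
DROP_KEYS = {"user_name", "ip", "user_agent", "user_metadata", "app_metadata"}
# Keys replaced by a salted hash so events can still be correlated per user.
HASH_KEYS = {"user_id"}


def pseudonymize(value, salt):
    """Deterministic, salted token standing in for a raw identifier."""
    return hashlib.sha256((salt + value).encode()).hexdigest()[:16]


def redact(node, salt):
    """Recursively drop or pseudonymize PII-bearing keys anywhere in an event."""
    if isinstance(node, dict):
        out = {}
        for key, val in node.items():
            if key in DROP_KEYS:
                continue  # key is omitted entirely, not just blanked
            if key in HASH_KEYS and isinstance(val, str):
                out[key] = pseudonymize(val, salt)
            else:
                out[key] = redact(val, salt)
        return out
    if isinstance(node, list):
        return [redact(item, salt) for item in node]
    return node


def contains_pii_keys(node):
    """Export gate: True if any sensitive key is still present at any depth."""
    if isinstance(node, dict):
        return any(k in DROP_KEYS for k in node) or any(contains_pii_keys(v) for v in node.values())
    if isinstance(node, list):
        return any(contains_pii_keys(item) for item in node)
    return False


def export_safe(events, salt="example-tenant-salt"):
    """Redact every event and fail closed if anything sensitive slipped through."""
    cleaned = [redact(event, salt) for event in events]
    if any(contains_pii_keys(event) for event in cleaned):
        raise ValueError("refusing to export: PII keys remain after redaction")
    return cleaned
```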