Skip to main content

GDPR considerations

In this topic, we collected features of Identity Cloud that help you with GDPR compliance.


This is not a legal document, rather a map of things to keep in mind when handling your GDPR compliance.

User consent is a requirement for successful registration.

To make sure all users are well-informed beforehand, add your Terms of Service URL, Privacy Policy URL, and Support page URL under Signup/Login > Branding.


These documents are referenced on relevant screens of the signup/login flow, so the users meet these important documents right at the beginning.

Terms of Service, Privacy PolicySupport page

User signup can be admin-initiated or user-initiated. Regardless of the method, the user is giving consent to the Terms of Service URL of your application with the act of signing up. For each user, we store this timestamp as proof of the consent.

Minimum amount of data

From each user, we ask the minimum amount of data necessary for user management.

This principle is implemented throughout the different login methods.

In case of signup with Email, the only barrier to access is the email address and the password.

Under Signup/Login > Social login, we ask the smallest scope of information from social identity providers.

User data abstraction

We assign a randomly generated, unique ID to each user. Using this ID, we mask user identity in the logs.

Logs are kept for no longer than 180 days, and database backups are kept for no longer than 60 days.

Protecting user data with secure login

You can set up password policies of different stregth levels to ensure your users create more complex passwords. Social login options delegate the responsibility of login security to social identity providers.

Standard password policy

Using automatic account linking, we join login methods with the same Email. So, whenever the user logs in with a new method, we do not reveal if the account already exists, we just let them log in seamlessly.

We also check for frequent login attempts in a short amount of time either for the same user, or for different users from the same IP address. We lock affected users for 15 minutes to protect users from attackers.