// Trust & Security Report

    Mixpanel, Inc. logo

    Mixpanel, Inc.

    Product and web analytics platform covering event tracking, funnel analysis, retention analytics, session replay, heatmaps, A/B experiments and feature flags, metric trees, data warehouse connectors, and AI-powered product intelligence (Mixpanel AI / Agent / Headless / MCP)

    Certifications held

    6

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Mixpanel maintains a native and active SOC 2 type II attestation ... The documents are available in our Trust Center.

    Verify on mixpanel.com
    ISO 27001
    HELD

    Mixpanel maintains a native and active SOC 2 type II attestation and is an ISO 27001 and ISO 27701 certified.

    Verify on mixpanel.com
    ISO 27701
    HELD

    Mixpanel maintains a native and active SOC 2 type II attestation and is an ISO 27001 and ISO 27701 certified.

    Verify on mixpanel.com
    GDPR
    HELD

    Mixpanel is committed to complying with GDPR so that our customer's and their end user's rights and obligations are met under GDPR. We created many tools and implemented new processes to ensure we can assist our customers with their compliance with GDPR requirements.

    Verify on mixpanel.com
    EU-US Data Privacy Framework
    HELD

    Mixpanel participates in the U.S. Department of Commerce self-certification process and adheres to the Data Privacy Framework Principles.

    Verify on mixpanel.com
    HIPAA (BAA)
    HELD

    Mixpanel is prepared and able to enter into Business Associate Agreements, or BAA. To see if you qualify for a BAA, please contact a sales representative. [Enterprise plan only; no independent HIPAA certification held.]

    Verify on mixpanel.com
    > Show 5 unconfirmed / not-held certifications
    PCI DSS
    NOT CONFIRMED

    Our Cloud Service Provider Google regularly undergoes independent verification ... against PCI DSS. [This is GCP's certification, not Mixpanel's own. Mixpanel does not hold a direct PCI DSS certification.]

    source: mixpanel.com
    CSA STAR
    NOT CONFIRMED

    Mixpanel Inc. is listed in the CSA STAR Registry as a Level 1 Self-Assessment (CAIQ) since March 24, 2020. This is a self-assessment, not a third-party certification.

    source: cloudsecurityalliance.org
    FedRAMP
    NOT CONFIRMED

    Our Cloud Service Provider Google regularly undergoes independent verification ... FedRAMP. [This is GCP's authorization, not Mixpanel's. Mixpanel has no direct FedRAMP authorization.]

    source: mixpanel.com
    ISO 27018
    NOT CONFIRMED

    unknown / no public evidence of Mixpanel holding an ISO 27018 certification on its own domain pages

    source: mixpanel.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    unknown / no public evidence of Mixpanel holding an ISO 42001 certification

    source: mixpanel.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    US (default); EU (Netherlands data center available on all plans at no additional charge)

    Mixpanel currently does not train models on customer data. Their AI compliance page states: 'Mixpanel is not engaged in such model training.' Third-party LLM providers are contractually prohibited from using customer data to train or improve models; zero-data-retention protocols apply to LLM calls. De-identified inputs and outputs may be used to improve Mixpanel's AI features (improvement, not training). AI features are enabled by default except for customers on EU or India data residency and those with BAAs. Admins can disable all AI features via org settings. Separately, under Mixpanel's Supplemental Terms (surfaced on the AI compliance page, not the main Terms of Use), Mixpanel reserves a future right to 'use your data to train artificial intelligence solely for the benefit of an individual customer', but the AI compliance page states 'at this time Mixpanel is not engaged in such model training for individual customers'.

    // Security controls

    Encryption in transit

    TLS (HTTPS) for all API calls and websites; cipher suites configured per NIST SP 800-52 Rev 2

    mixpanel.com

    Encryption at rest

    GCP default encryption (AES-256); data broken into subfile chunks, each encrypted with individual Data Encryption Keys (DEKs) wrapped by Key Encryption Keys (KEKs)

    mixpanel.com

    Password storage

    PBKDF2 algorithm with SHA-256 hash

    mixpanel.com

    Penetration testing

    Annual third-party penetration testing plus annual source code audit of production services

    mixpanel.com

    Vulnerability management

    Regular automated external and internal vulnerability scans; bug bounty program via HackerOne

    mixpanel.com

    Code review

    Architecture reviews and stringent automated and manual code review throughout the development lifecycle

    mixpanel.com

    Access controls

    Role-based access control; SAML SSO/SCIM (Enterprise); audit logs; logical data isolation between customers

    mixpanel.com

    Incident response

    Customer notification without undue delay upon discovery of a confirmed breach affecting confidentiality or integrity of personal data

    mixpanel.com

    Subprocessors

    List maintained at mixpanel.com/legal/subprocessor-list; 30-day advance notice of new subprocessors with customer objection right

    mixpanel.com

    // Products & data scope

    Product AnalyticsAnalytics

    data: User event data from web and mobile apps (clickstreams, funnels, retention, cohorts)

    Core product; available on Free, Growth, and Enterprise plans

    Web AnalyticsAnalytics

    data: Website visitor behavior, pageviews, sessions, conversion metrics

    Cookieless option available; part of main platform

    Mobile AnalyticsAnalytics

    data: Mobile app event data (iOS and Android)

    Included in core platform; Apple App Developer Guidelines compliance noted

    Session Replay and HeatmapsSession Intelligence

    data: Full session recordings linked to analytics events; heatmap click data

    Free plan: 10K replays/month; Growth: up to 500K; Enterprise: custom

    Experiments and Feature FlagsExperimentation

    data: A/B test assignment and result data; feature flag exposure events

    Enterprise plan includes advanced experimentation; HIPAA customers should review session replay data handling

    Data Warehouse ConnectorsData Integration

    data: Syncs data from Snowflake, BigQuery, Redshift, and other warehouses into Mixpanel

    Allows analysis of backend and product data together

    Mixpanel AI (Agent, Headless, MCP)AI Product Intelligence

    data: Analyzes customer event data to generate proactive insights, answer natural-language queries, recommend actions

    Powered by third-party LLM providers (zero data retention with providers). Disabled by default for EU/India residency and BAA customers. Opt-out available for all via admin settings.

    // What to watch

    • HIPAA over-claim risk: Homepage and Enterprise page advertise 'HIPAA-ready' and list HIPAA alongside SOC 2 Type II and ISO 27001. In reality, HIPAA support means a BAA is available on the Enterprise plan only; Mixpanel holds no independent HIPAA certification. Procurement teams should not assume HIPAA coverage without confirming Enterprise plan and signed BAA.
    • Host-cert ambiguity: Mixpanel's security overview credits Google Cloud Platform for PCI DSS, FedRAMP, ISO 27017, CSA STAR, and SOC 1/2/3. These are GCP's certifications, not Mixpanel's. Mixpanel holds SOC 2 Type II, ISO 27001, and ISO 27701 natively.
    • CSA STAR Level 1 only: CSA registry shows Mixpanel at STAR Level 1 self-assessment (CAIQ, registered March 2020), not a third-party CSA STAR certification (Level 2) or management system certification (Level 3).
    • AI training reservation: Mixpanel's Supplemental Terms (surfaced on the AI compliance page, not the main Terms of Use) allow Mixpanel to 'use your data to train artificial intelligence solely for the benefit of an individual customer' in the future; the AI compliance page states 'at this time Mixpanel is not engaged in such model training for individual customers'. The main Terms of Use contains no AI-training language. Customers seeking a hard contractual prohibition on any future training should negotiate explicit DPA language.

    // At a glance

    Pricing model

    Freemium: Free tier (1M events/month, unlimited seats); Growth from $0.28 per 1K events above 1M; Enterprise custom pricing

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Mixpanel, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.mixpanel.com

    > Browse all vendor trust reports