// Trust & Security Report
Mixpanel, Inc.
Product and web analytics platform covering event tracking, funnel analysis, retention analytics, session replay, heatmaps, A/B experiments and feature flags, metric trees, data warehouse connectors, and AI-powered product intelligence (Mixpanel AI / Agent / Headless / MCP)
Certifications held
6
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on mixpanel.com“Mixpanel maintains a native and active SOC 2 type II attestation ... The documents are available in our Trust Center.”
Verify on mixpanel.com“Mixpanel maintains a native and active SOC 2 type II attestation and is an ISO 27001 and ISO 27701 certified.”
Verify on mixpanel.com“Mixpanel maintains a native and active SOC 2 type II attestation and is an ISO 27001 and ISO 27701 certified.”
Verify on mixpanel.com“Mixpanel is committed to complying with GDPR so that our customer's and their end user's rights and obligations are met under GDPR. We created many tools and implemented new processes to ensure we can assist our customers with their compliance with GDPR requirements.”
Verify on mixpanel.com“Mixpanel participates in the U.S. Department of Commerce self-certification process and adheres to the Data Privacy Framework Principles.”
Verify on mixpanel.com“Mixpanel is prepared and able to enter into Business Associate Agreements, or BAA. To see if you qualify for a BAA, please contact a sales representative. [Enterprise plan only; no independent HIPAA certification held.]”
> Show 5 unconfirmed / not-held certifications
source: mixpanel.comOur Cloud Service Provider Google regularly undergoes independent verification ... against PCI DSS. [This is GCP's certification, not Mixpanel's own. Mixpanel does not hold a direct PCI DSS certification.]
source: cloudsecurityalliance.orgMixpanel Inc. is listed in the CSA STAR Registry as a Level 1 Self-Assessment (CAIQ) since March 24, 2020. This is a self-assessment, not a third-party certification.
source: mixpanel.comOur Cloud Service Provider Google regularly undergoes independent verification ... FedRAMP. [This is GCP's authorization, not Mixpanel's. Mixpanel has no direct FedRAMP authorization.]
source: mixpanel.comunknown / no public evidence of Mixpanel holding an ISO 27018 certification on its own domain pages
source: mixpanel.comunknown / no public evidence of Mixpanel holding an ISO 42001 certification
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
US (default); EU (Netherlands data center available on all plans at no additional charge)
Mixpanel currently does not train models on customer data. Their AI compliance page states: 'Mixpanel is not engaged in such model training.' Third-party LLM providers are contractually prohibited from using customer data to train or improve models; zero-data-retention protocols apply to LLM calls. De-identified inputs and outputs may be used to improve Mixpanel's AI features (improvement, not training). AI features are enabled by default except for customers on EU or India data residency and those with BAAs. Admins can disable all AI features via org settings. Separately, under Mixpanel's Supplemental Terms (surfaced on the AI compliance page, not the main Terms of Use), Mixpanel reserves a future right to 'use your data to train artificial intelligence solely for the benefit of an individual customer', but the AI compliance page states 'at this time Mixpanel is not engaged in such model training for individual customers'.
// Security controls
Encryption in transit
TLS (HTTPS) for all API calls and websites; cipher suites configured per NIST SP 800-52 Rev 2
mixpanel.comEncryption at rest
GCP default encryption (AES-256); data broken into subfile chunks, each encrypted with individual Data Encryption Keys (DEKs) wrapped by Key Encryption Keys (KEKs)
mixpanel.comPenetration testing
Annual third-party penetration testing plus annual source code audit of production services
mixpanel.comVulnerability management
Regular automated external and internal vulnerability scans; bug bounty program via HackerOne
mixpanel.comCode review
Architecture reviews and stringent automated and manual code review throughout the development lifecycle
mixpanel.comAccess controls
Role-based access control; SAML SSO/SCIM (Enterprise); audit logs; logical data isolation between customers
mixpanel.comIncident response
Customer notification without undue delay upon discovery of a confirmed breach affecting confidentiality or integrity of personal data
mixpanel.comSubprocessors
List maintained at mixpanel.com/legal/subprocessor-list; 30-day advance notice of new subprocessors with customer objection right
mixpanel.com// Products & data scope
data: User event data from web and mobile apps (clickstreams, funnels, retention, cohorts)
Core product; available on Free, Growth, and Enterprise plans
data: Website visitor behavior, pageviews, sessions, conversion metrics
Cookieless option available; part of main platform
data: Mobile app event data (iOS and Android)
Included in core platform; Apple App Developer Guidelines compliance noted
data: Full session recordings linked to analytics events; heatmap click data
Free plan: 10K replays/month; Growth: up to 500K; Enterprise: custom
data: A/B test assignment and result data; feature flag exposure events
Enterprise plan includes advanced experimentation; HIPAA customers should review session replay data handling
data: Syncs data from Snowflake, BigQuery, Redshift, and other warehouses into Mixpanel
Allows analysis of backend and product data together
data: Analyzes customer event data to generate proactive insights, answer natural-language queries, recommend actions
Powered by third-party LLM providers (zero data retention with providers). Disabled by default for EU/India residency and BAA customers. Opt-out available for all via admin settings.
// What to watch
- HIPAA over-claim risk: Homepage and Enterprise page advertise 'HIPAA-ready' and list HIPAA alongside SOC 2 Type II and ISO 27001. In reality, HIPAA support means a BAA is available on the Enterprise plan only; Mixpanel holds no independent HIPAA certification. Procurement teams should not assume HIPAA coverage without confirming Enterprise plan and signed BAA.
- Host-cert ambiguity: Mixpanel's security overview credits Google Cloud Platform for PCI DSS, FedRAMP, ISO 27017, CSA STAR, and SOC 1/2/3. These are GCP's certifications, not Mixpanel's. Mixpanel holds SOC 2 Type II, ISO 27001, and ISO 27701 natively.
- CSA STAR Level 1 only: CSA registry shows Mixpanel at STAR Level 1 self-assessment (CAIQ, registered March 2020), not a third-party CSA STAR certification (Level 2) or management system certification (Level 3).
- AI training reservation: Mixpanel's Supplemental Terms (surfaced on the AI compliance page, not the main Terms of Use) allow Mixpanel to 'use your data to train artificial intelligence solely for the benefit of an individual customer' in the future; the AI compliance page states 'at this time Mixpanel is not engaged in such model training for individual customers'. The main Terms of Use contains no AI-training language. Customers seeking a hard contractual prohibition on any future training should negotiate explicit DPA language.
// At a glance
Pricing model
Freemium: Free tier (1M events/month, unlimited seats); Growth from $0.28 per 1K events above 1M; Enterprise custom pricing
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Mixpanel, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.mixpanel.com