If you’re considering partnering with an IP intelligence and geolocation data provider, it’s important to gain an understanding of their practices and processes to help reduce your liability and legal risk in case of non-compliance.

We have compiled a list of eleven questions to ask any prospective data supplier, and have provided context as to why each question matters as well as the response from MaxMind to make it as easy as possible to compare data partners.

For the purposes of this article, the answers relate to MaxMind’s downloadable databases. If you’re interested in how MaxMind would answer these questions as a web service provider, please reach out to our team.

Questions to ask data providers who license IP addresses or other personal data

Q: How are deletion and opt-out requests applied to your product?

Why this matters: Deletion and opt-out handling affects whether you are exposed when data subjects exercise their rights. If someone opts out with the broker, how will that be flowed down to you and to data you’ve already received? This determines whether you might be processing data you are no longer entitled to use and creating direct liability for you.

MaxMind’s response: MaxMind reflects deletion and opt-out requests in most of its GeoIP services. Most other data providers choose not to reflect opt-outs at all. Deletion and opt-out requests are not applied to the data for legitimate interest use cases like fraud prevention, detecting security incidents, and protecting against malicious or illegal activity.

Q: Do you have a Data Protection Officer (DPO)?

Why this matters: A DPO is an independent expert in data protection who reports to the highest management level of a company. A DPO plays an important role in monitoring internal compliance and advising on data protection obligations. A company that has not appointed a DPO may not be taking their data protection obligations as seriously as they should be.

MaxMind’s response: MaxMind has appointed a DPO. Our DPO’s contact information can be found in our Privacy Policy.

Q: What security audits does your organization undergo and is privacy a topic included in them?

Why this matters: Security audits with privacy components tell you whether their security program addresses data protection holistically. A SOC 2 Type II with the Privacy Trust Service Criteria is more meaningful than one covering only Security. Ask for the report and review the scope.

MaxMind’s response: Yes, MaxMind performs impact assessments on all applicable processing activities. Our SOC 2 Type II report includes the controls tested around MaxMind’s impact assessment processes. To request a copy of MaxMind’s SOC report, please submit a written request to privacy@maxmind.com.

Q: In which states or under which jurisdictions are you a registered data broker?

Why this matters: Data broker registration status reveals whether a data provider is following the law and operating legitimately in jurisdictions with data broker statutes. If a data provider is not registered where such registration is required, that is a red flag about its compliance posture generally; it may indicate broader compliance failures and could expose you, as its customer, to regulatory scrutiny and liability.

MaxMind’s response: MaxMind is a registered data broker in states with data broker registries (California, Oregon, Texas, and Vermont) as of March 2026. As registration requirements change, please contact privacy@maxmind.com for an up-to-date listing of places where MaxMind is registered as a data broker.

Q: Are you a controller or a processor?

Why this matters: This answer determines how the compliance burden is distributed. Under GDPR and other data privacy laws, a controller determines the purposes and means of processing, while a processor acts only on the instructions of a controller. If a data broker is a controller, it makes independent decisions about data collection and bears primary responsibility for establishing a lawful basis. If the data broker is a processor, you need to understand the controller relationship and ensure adequate contractual flow-down of your obligations. It is also important to understand how a data provider will use any data you provide to it. If your data provider is going to act as your processor, carefully review the instructions in the license agreement to see how your data will be used and what security measures the provider will have in place.

MaxMind’s response: For MaxMind’s GeoIP databases, MaxMind acts as an independent controller and provides the GeoIP databases to its customers as an independent controller. MaxMind’s databases are downloaded in their entirety from MaxMind’s website and hosted on our customers’ servers, so MaxMind does not see what IP addresses our customers search.

Q: What is your legal basis for processing as a controller?

Why this matters: The legal basis for processing is fundamental if a data provider is a controller. Under GDPR, this might be legitimate interest, consent, or contractual necessity. Under California’s CCPA/CPRA, the rules differ but the principle holds: a data provider needs a defensible reason for having the data in the first place. If its legal basis is invalid, shaky, or poorly documented, your downstream use of the data inherits that deficiency.

MaxMind’s response: In most instances, MaxMind’s lawful basis for processing personal information is for MaxMind and its customers’ legitimate interest. For more information, see MaxMind’s Privacy Policy.

Q: Are there limitations on how we can use the data in your product?

Why this matters: Use limitations are often the most practically important question. Many data products come with contractual restrictions, such as no use for credit decisions, employment screening, or certain marketing purposes. Breaching these terms would put you in violation of your agreement and, depending on your use case, could also create FCRA, ECOA, or state law violations.

MaxMind’s response: Data purchased directly from the MaxMind website is limited by the terms set out in our End User License Agreement (EULA), which for example, prohibits the use of databases for ad-serving without explicit contractual permission. We also have in place restrictions that are designed to prevent the misuse of IP data for identifying individuals and to enforce data privacy.

Q: How quickly would we be notified of a breach affecting our data?

Why this matters: Breach notification timing has direct operational and legal implications. Most privacy laws require you to notify regulators and affected individuals within specific windows. If your vendor takes a week to tell you about a breach, you may already be in violation.

MaxMind’s response: MaxMind will notify you without undue delay. Keep in mind that when you are a customer of our GeoIP databases, MaxMind is the party providing personal information. Customers of our GeoIP databases only provide MaxMind with the basic user account information for their MaxMind customer portal account, so a data breach would not impact any of your customers’ information, since we would never have received that data.

Q: How would a service disruption affect our services where your product is integrated?

Why this matters: Service disruption impact is pure operational risk assessment. If the data feeds into fraud detection or identity verification flows, an outage could affect your customers’ experience or your ability to meet contractual SLAs. You need to understand dependencies and plan accordingly.

MaxMind’s response: MaxMind’s GeoIP databases are hosted locally on servers that you control, which do not connect back to MaxMind in any way, meaning an outage on MaxMind’s side would not impact your use of the GeoIP databases you have already downloaded.

Q: Do you have an up-to-date privacy policy posted on your website?

Why this matters: Any data vendor should have an up-to-date privacy policy posted on its website that is comprehensive and easy to understand. Data privacy laws change frequently. A company that has not updated its privacy policy in several years may be out of date with other compliance obligations.

MaxMind’s response: MaxMind reviews its privacy policy at least annually, and typically makes updates a few times per year to reflect any changes.

Q: Can you demonstrate compliance with relevant data privacy laws?

Why this matters: Being able to demonstrate compliance separates vendors who take privacy seriously from those offering assurances without substance. You want to see that the data provider has performed privacy impact assessments, data mapping, and policy documentation. Ideally, you should also review third-party validation.

MaxMind’s response: Yes, MaxMind performs impact assessments on all applicable processing activities. Our SOC 2 Type II Privacy report includes the controls tested around MaxMind’s impact assessment processes. To request a copy of MaxMind’s SOC reports, please submit a written request to privacy@maxmind.com. A copy of our SOC 3 Report can be found here.
