Mastodon Security and Privacy: GDPR, DSA, and Keeping Your Instance Safe

Running a Mastodon instance — or even just using one — involves real security and privacy considerations. From GDPR compliance to instance hardening, this guide covers what you need to know to keep your fediverse presence safe and legally sound in 2026.

What You’ll Know by the End

  • Key security practices for Mastodon instances
  • GDPR and DSA obligations for instance operators
  • Privacy settings every Mastodon user should understand
  • How federation affects data privacy
  • Incident response basics for instance admins

Security Fundamentals for Instance Admins

If you operate a Mastodon instance, these security practices are non-negotiable:

Keep Software Updated

Mastodon’s development team releases security patches regularly, including backports for the older release branches it still supports. An unpatched instance runs with publicly documented vulnerabilities, and that is the single largest security risk for any instance.

  • Subscribe to Mastodon’s release announcements and to the project’s GitHub security advisories
  • Apply security patches within days, not weeks; an advisory describes the bug, so exploit attempts tend to follow quickly
  • Test updates on a staging environment when possible, and read the release notes for required migrations before upgrading production
  • Enable automatic security updates for the underlying OS, and keep PostgreSQL, Redis, nginx and the Ruby and Node toolchain on versions Mastodon supports

Secure Your Server

SSH hardening:

  • Disable password authentication; use key-based auth only, and set PermitRootLogin to no
  • Changing the default SSH port only cuts scanner noise; it is not an access control, so never count on it as one
  • Use fail2ban to block brute-force attempts

Firewall configuration:

  • Allow only necessary ports (HTTP, HTTPS, SSH)
  • Block all other inbound traffic by default; PostgreSQL, Redis, and Mastodon’s Puma and streaming processes must be bound to localhost (or a private network) and never be reachable from the internet

TLS everywhere:

  • Enforce HTTPS with TLS 1.2 or newer and modern cipher suites
  • Send a Strict-Transport-Security (HSTS) header with a max-age of at least one year
  • Redirect all HTTP traffic to HTTPS
  • Automate certificate renewal with Let’s Encrypt, and alert on renewal failures
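To make the SSH and TLS items above checkable rather than aspirational, here is an added example in Ruby (not Mastodon project code, and not from this guide’s original text) that audits an sshd_config and a pair of HTTP responses. The config text, the responses and the host name mastodon.example are constructed for the example; the one-year HSTS minimum is the example’s own policy choice. On a real server you would feed it /etc/ssh/sshd_config and the headers your instance actually returns.

```ruby
# Added example, not Mastodon project code: a small audit for the SSH and
# TLS settings listed above. It runs over constructed sshd_config text and
# constructed HTTP responses; on a real server you would feed it
# /etc/ssh/sshd_config and the headers your instance actually returns.

# One year is the usual minimum HSTS max-age (and the preload threshold).
HSTS_MIN_MAX_AGE = 31_536_000

# sshd keeps the FIRST value it sees for a keyword; later duplicates are
# ignored. Forgetting this is a classic way to "harden" a config that stays weak.
def parse_sshd_config(text)
  settings = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split(/\s+/, 2)
    next if value.nil?
    settings[key.downcase] ||= value.strip.downcase
  end
  settings
end

def sshd_findings(text)
  cfg = parse_sshd_config(text)
  findings = []
  findings << "PasswordAuthentication must be no" unless cfg["passwordauthentication"] == "no"
  findings << "PermitRootLogin must be no or prohibit-password" unless %w[no prohibit-password].include?(cfg["permitrootlogin"])
  findings << "PubkeyAuthentication must not be disabled" if cfg["pubkeyauthentication"] == "no"
  findings
end

def parse_http_response(raw)
  status_line, *header_lines = raw.split(/\r?\n/)
  headers = {}
  header_lines.each do |l|
    name, value = l.split(":", 2)
    headers[name.strip.downcase] = value.strip unless value.nil?
  end
  [status_line, headers]
end

# http_response: what http://your-instance/ returns; https_response: what https:// returns.
def tls_findings(http_response, https_response)
  findings = []
  status, h = parse_http_response(http_response)
  unless status =~ /\s30[1278]\s/ && h["location"].to_s.start_with?("https://")
    findings << "plain HTTP must redirect to https://"
  end
  _, hs = parse_http_response(https_response)
  hsts = hs["strict-transport-security"]
  if hsts.nil?
    findings << "Strict-Transport-Security header missing"
  else
    findings << "HSTS max-age below one year" if hsts[/max-age=(\d+)/i, 1].to_i < HSTS_MIN_MAX_AGE
    findings << "HSTS should include includeSubDomains" unless hsts =~ /includeSubDomains/i
  end
  findings
end

# Constructed inputs: a weak configuration beside a hardened one.
WEAK_SSHD = <<~CFG
  Port 22
  PermitRootLogin yes
  PasswordAuthentication yes
CFG

HARDENED_SSHD = <<~CFG
  Port 22
  PermitRootLogin no
  PubkeyAuthentication yes
  PasswordAuthentication no
  # a stray duplicate further down does not re-enable passwords: first value wins
  PasswordAuthentication yes
CFG

HTTP_WEAK  = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
HTTPS_WEAK = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n"
HTTP_GOOD  = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://mastodon.example/\r\n"
HTTPS_GOOD = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=63072000; includeSubDomains\r\n"

if __FILE__ == $0
  puts "weak sshd:     #{sshd_findings(WEAK_SSHD).inspect}"
  puts "hardened sshd: #{sshd_findings(HARDENED_SSHD).inspect}"
  puts "weak tls:      #{tls_findings(HTTP_WEAK, HTTPS_WEAK).inspect}"
  puts "hardened tls:  #{tls_findings(HTTP_GOOD, HTTPS_GOOD).inspect}"
end
```

The duplicate PasswordAuthentication line in the hardened sample is deliberate: sshd honors the first occurrence, so the audit must model that rule or it will pass configs that are still weak (and fail ones that are fine). Run the same checks after every sshd or nginx change, and keep in mind that distributions may ship drop-in files under sshd_config.d that are included before your own settings.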

Database Security

  • Use strong passwords for PostgreSQL, or peer authentication over a local Unix socket; do the same for Redis, which holds Mastodon’s job queues and caches
  • Restrict database connections to localhost or trusted networks
  • Enable SSL for database connections if remote
  • Implement regular automated backups and encrypt them; a database dump is a complete copy of your users’ data, including direct messages and password hashes
  • Test backup restoration periodically, on a separate machine, and verify that the restored data is complete
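The last two bullets are where most backup schemes quietly fail: dumps are copied somewhere unencrypted, and nobody checks that they can be restored. The following is an added example in Ruby (not Mastodon project code, and not from this guide’s original text) that encrypts a dump with AES-256-GCM under a passphrase-derived key and verifies a restore against the checksum taken at backup time. The dump bytes are a constructed stand-in for pg_dump output; the container format (magic, salt, nonce, tag, ciphertext) and the BACKUP_PASSPHRASE variable are this example’s own conventions.

```ruby
require "openssl"
require "digest"

# Added example, not Mastodon project code: an encrypt-then-verify wrapper
# for database dumps. The dump bytes in demo are a constructed stand-in for
# pg_dump output; the passphrase handling (an environment variable) and the
# file format (magic, salt, nonce, tag, ciphertext) are this example's own.

MAGIC = "MASTOBK1".b
PBKDF2_ITERATIONS = 600_000

def derive_key(passphrase, salt)
  OpenSSL::KDF.pbkdf2_hmac(passphrase, salt: salt, iterations: PBKDF2_ITERATIONS,
                           length: 32, hash: "sha256")
end

# AES-256-GCM: confidentiality plus an authentication tag, so a truncated or
# tampered backup fails loudly at restore time instead of restoring garbage.
def encrypt_backup(plaintext, passphrase)
  salt   = OpenSSL::Random.random_bytes(16)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = derive_key(passphrase, salt)
  nonce = cipher.random_iv                  # 12 random bytes; never reused with this key
  cipher.auth_data = MAGIC
  body = plaintext.empty? ? "".b : cipher.update(plaintext)
  body << cipher.final
  MAGIC + salt + nonce + cipher.auth_tag + body
end

def decrypt_backup(blob, passphrase)
  raise ArgumentError, "not a backup produced by this tool" unless blob.start_with?(MAGIC)
  off        = MAGIC.bytesize
  salt       = blob.byteslice(off, 16)
  nonce      = blob.byteslice(off + 16, 12)
  tag        = blob.byteslice(off + 28, 16)
  ciphertext = blob.byteslice(off + 44, blob.bytesize - off - 44)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = derive_key(passphrase, salt)
  cipher.iv = nonce
  cipher.auth_tag = tag
  cipher.auth_data = MAGIC
  body = ciphertext.empty? ? "".b : cipher.update(ciphertext)
  body << cipher.final                      # raises CipherError on wrong key or tampering
end

# The "test your restores" step: a restore is only good if the bytes match
# the checksum recorded when the backup was taken.
def restore_verified?(blob, passphrase, expected_sha256)
  Digest::SHA256.hexdigest(decrypt_backup(blob, passphrase)) == expected_sha256
rescue OpenSSL::Cipher::CipherError, ArgumentError
  false
end

def demo
  dump = "-- PostgreSQL database dump\nCREATE TABLE accounts (id bigint, username text);\n".b  # constructed
  pass = "correct horse battery staple"
  digest = Digest::SHA256.hexdigest(dump)
  blob = encrypt_backup(dump, pass)
  tampered = blob.dup
  tampered.setbyte(-1, tampered.getbyte(-1) ^ 0x01)   # flip one bit of ciphertext
  {
    round_trip:       decrypt_backup(blob, pass) == dump,       # true
    leaks_plaintext:  blob.include?("CREATE TABLE"),            # false
    restore_ok:       restore_verified?(blob, pass, digest),    # true
    wrong_passphrase: restore_verified?(blob, "guess", digest), # false
    tampered:         restore_verified?(tampered, pass, digest) # false
  }
end

# Wire-up on a real server (the database name comes from DB_NAME in .env.production):
#   pg_dump -Fc mastodon_production | BACKUP_PASSPHRASE=... ruby backup.rb encrypt > db.bak
#   BACKUP_PASSPHRASE=... ruby backup.rb decrypt < db.bak | pg_restore -d mastodon_restore_test
if __FILE__ == $0 && %w[encrypt decrypt].include?(ARGV[0])
  passphrase = ENV.fetch("BACKUP_PASSPHRASE")
  STDIN.binmode
  STDOUT.binmode
  input = STDIN.read
  STDOUT.write(ARGV[0] == "encrypt" ? encrypt_backup(input, passphrase) : decrypt_backup(input, passphrase))
end
```

Two design points matter here. GCM gives you integrity for free, so a bit flip or a truncated upload is detected at restore time rather than turning into a half-restored database. And the passphrase (or key) must live somewhere other than the backup bucket, or encrypting the backups buys nothing once that storage is compromised. Do not forget the media directory and Redis alongside the database.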

Secret Management

Mastodon keeps several secrets in .env.production: SECRET_KEY_BASE (signs sessions and cookies), OTP_SECRET (encrypts users’ two-factor secrets), the VAPID key pair (signs Web Push notifications) and, since Mastodon 4.3, the ACTIVE_RECORD_ENCRYPTION_* keys:

  • Store these securely: keep .env.production out of version control, owned by the mastodon user and readable only by it (mode 600)
  • Rotate if you suspect compromise, and know the side effects: a new SECRET_KEY_BASE logs every user out, a new OTP_SECRET breaks every existing two-factor enrollment, and new VAPID keys invalidate every push subscription
  • Use different secrets for staging and production environments; a leaked staging secret must not open production
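Here is an added example in Ruby (not Mastodon project code, and not from this guide’s original text) that generates secrets of the same shape Mastodon stores in .env.production and shows what rotating SECRET_KEY_BASE does to an existing session. The cookie scheme is a plain HMAC over the session payload, a simplification of Rails’ signed cookies that keeps the property that matters: a cookie signed under the old key does not verify under the new one. The base64url encoding of the VAPID keys and the session payload user_id=42 are this example’s assumptions.

```ruby
require "openssl"
require "securerandom"

# Added example, not Mastodon project code: generates secrets of the same
# shape Mastodon stores in .env.production and shows the side effect of
# rotating SECRET_KEY_BASE. The cookie scheme is a plain HMAC over the
# session payload, a simplification of Rails' signed cookies that shares the
# property we care about: a cookie signed under the old key does not verify
# under the new one.

def urlsafe_base64(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def urlsafe_base64_decode(str)
  padded = str.tr("-_", "+/")
  padded += "=" * ((4 - padded.length % 4) % 4)
  padded.unpack1("m0")
end

# Same shape as `bundle exec rake secret`: 64 random bytes as 128 hex chars.
def generate_secret_key_base
  SecureRandom.hex(64)
end

# Web Push (VAPID) signs with an ECDSA P-256 key; both halves are kept base64url-encoded.
def generate_vapid_keys
  key = OpenSSL::PKey::EC.generate("prime256v1")
  {
    private: urlsafe_base64(key.private_key.to_s(2).rjust(32, "\0")),
    public:  urlsafe_base64(key.public_key.to_bn.to_s(2))   # 65-byte uncompressed point
  }
end

def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def sign_session(secret_key_base, payload)
  data = [payload].pack("m0")
  "#{data}--#{OpenSSL::HMAC.hexdigest("SHA256", secret_key_base, data)}"
end

# Returns the payload, or nil when the signature does not match this key.
def verify_session(secret_key_base, cookie)
  data, mac = cookie.split("--", 2)
  return nil if data.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret_key_base, data)
  constant_time_equal?(expected, mac) ? data.unpack1("m0") : nil
end

def rotation_demo
  old_key = generate_secret_key_base
  cookie  = sign_session(old_key, "user_id=42")
  new_key = generate_secret_key_base
  {
    before_rotation: verify_session(old_key, cookie),                 # "user_id=42"
    after_rotation:  verify_session(new_key, cookie),                 # nil: every session is invalid
    tampered:        verify_session(old_key, cookie.sub("--", "A--")) # nil: signature mismatch
  }
end

# Lines in the format Mastodon reads from .env.production. Write this file
# with mode 600, owned by the mastodon user, and keep it out of git.
def env_lines(vapid)
  [
    "SECRET_KEY_BASE=#{generate_secret_key_base}",
    "OTP_SECRET=#{generate_secret_key_base}",
    "VAPID_PRIVATE_KEY=#{vapid[:private]}",
    "VAPID_PUBLIC_KEY=#{vapid[:public]}"
  ]
end

if __FILE__ == $0
  puts env_lines(generate_vapid_keys)
  p rotation_demo
end
```

The rotation demo is the practical lesson: after a suspected compromise you want every session invalid, and a fresh SECRET_KEY_BASE achieves exactly that, but it also means every logged-in user is thrown out at once, so schedule and announce it. Mastodon’s own rake tasks (rake secret, rake mastodon:webpush:generate_vapid_key) are the supported way to produce these values in production.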

GDPR Compliance for Instance Operators

If your instance serves users in the European Union (or you are based there), GDPR applies. Key obligations:

Data Processing

  • You are a data controller for user data on your instance
  • Maintain a record of processing activities
  • Have a clear privacy policy explaining what data you collect and why
  • Ensure you have a lawful basis for each processing purpose: typically performance of your contract with the user for running the service, legitimate interest for abuse prevention and security logging, and consent for anything optional

User Rights

GDPR grants users specific rights that you must support:

  • Right of access: Users can request a copy of their data (Mastodon’s data export covers posts, media, follows, blocks and mutes; remember that you also hold server-side data such as recent sign-in IP addresses, which Mastodon records per user)
  • Right to erasure: Users can request account deletion (Mastodon supports self-service deletion; note that it keeps a placeholder so the username cannot be re-registered, which your privacy policy should say)
  • Right to portability: Users can export their data in a machine-readable format (CSV lists plus an ActivityPub JSON archive of posts)
  • Right to rectification: Users can edit their information

Data Retention

  • Define how long you retain user data after account deletion, and how long you keep logs that contain IP addresses
  • Use Mastodon’s retention controls: the admin Server Settings set how long cached remote media and remote content are kept, and tootctl media remove, tootctl preview_cards remove and tootctl statuses remove do the same from the command line
  • Account deletion runs as a background job that removes the user’s posts, media and relationships; confirm the Sidekiq queues are healthy, or deletions silently lag behind the request
  • Document your retention policy in your privacy policy
  • Clean up old media and logs according to your policy, including log rotation for nginx and Mastodon’s own logs

Federation Considerations

Federation complicates GDPR:

  • When a user’s post federates to another instance, you cannot control that instance’s data handling
  • Your privacy policy should explain that public posts may be stored by other instances
  • Content deletion propagates via ActivityPub (Mastodon sends a Delete activity to every server that received the post), but you cannot guarantee other servers honor it

DSA (Digital Services Act) Obligations

The EU’s Digital Services Act imposes additional requirements on online platforms. Most of them scale with size: the baseline duties below apply to every platform, while the heaviest (risk assessments, independent audits) apply only to very large platforms:

Content Moderation

  • Maintain clear terms of service and publish your server rules (Mastodon shows them at sign-up and on the About page)
  • Implement a reporting mechanism (Mastodon has built-in reporting, and reports forwarded from remote servers arrive the same way)
  • Act on reports in a timely manner and record the decision; Mastodon keeps a moderation audit log
  • Maintain transparency about moderation decisions, including telling the affected user which rule was broken (Mastodon can attach the reason to a moderation warning)

Illegal Content

  • Establish a process for handling reports of illegal content
  • Respond to law enforcement requests according to your jurisdiction’s requirements
  • Document your response procedures

Transparency

  • Publish moderation reports (many instances do this voluntarily)
  • Be transparent about your community rules and enforcement

Privacy Settings for Users

Every Mastodon user should understand these settings:

Post Visibility

  • Public: Visible to everyone, appears in public and hashtag timelines and in search
  • Unlisted: Delivered to your followers and readable by anyone with the link, but kept out of public and hashtag timelines and out of search
  • Followers-only: Only visible to your followers and to anyone you mention
  • Direct/Mentioned: Only visible to mentioned users (note: this is NOT encrypted end-to-end)

Profile Settings

  • Discoverable flag: Controls whether your profile appears in directories and profile search
  • Indexable flag: Opt-in for full-text search of your public posts (added in Mastodon 4.2); it does not stop other servers or crawlers from indexing what is already public
  • Locked account: Requires follow approval, which limits who receives your followers-only posts; it does not change who can read your public posts

Important Privacy Limitations

Understanding what Mastodon does NOT protect:

  • DMs are not encrypted: Instance admins, on your server and on every recipient’s server, can read direct messages from the database or from a backup. Do not share sensitive information via Mastodon DMs.
  • Public posts are truly public: Anyone (including non-Mastodon users) can see your public posts via your profile URL.
  • Deleted posts may persist: Other instances may have cached your post before deletion. Federation propagates deletes, but compliance is not guaranteed.

Federation and Data Privacy

The fediverse’s federated nature creates unique privacy dynamics:

Your public content lives on many servers: When you post publicly, your content is sent to every instance that has a user following you, to the server of anyone you mention, and to any relays your server uses. Each of those instances stores a copy.

Instance admins have access: Admins of any federating instance can read whatever their server received from yours, including followers-only posts that reached their users and direct messages sent to or from their users, because all of it sits unencrypted in their database.

Defederation does not erase history: If your admin defederates from another instance, content already received from it stays in your database unless it is explicitly purged (for example with tootctl domains purge).

Metadata is visible: Web server and application logs on both sides record which servers exchanged activities and when, and every receiving server learns who follows and mentions whom, even for followers-only and direct posts.
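The post-visibility rules and the federation dynamics above are easiest to reason about as one small model. The following is an added example in Ruby (not Mastodon’s delivery code, and not from this guide’s original text) that works out which servers receive a copy of a post for each visibility, and what a Delete activity can and cannot undo. The handles and server names are constructed; the real DeliveryWorker also handles relays, shared inboxes and retries, which the model leaves out.

```ruby
# Added example, not Mastodon's delivery code: a simplified model of which
# servers receive a copy of a post for each visibility, and of what a
# Delete activity can and cannot undo. The rules follow the audience
# descriptions above; the real DeliveryWorker also handles relays, shared
# inboxes and retries, which are left out. Handles and servers are constructed.

Actor = Struct.new(:handle) do
  # "alice@home.example" -> "home.example"
  def server
    handle.split("@").last
  end
end

# Remote servers that get a copy. Mastodon calls followers-only "private" internally.
def delivery_servers(visibility:, author:, followers:, mentions:)
  recipients =
    case visibility
    when :public, :unlisted, :private then followers + mentions
    when :direct then mentions
    else raise ArgumentError, "unknown visibility #{visibility.inspect}"
    end
  # one copy per server; local recipients are served from our own database
  (recipients.map(&:server) - [author.server]).uniq
end

# A toy fediverse: each server keeps whatever it received. Whether it honors a
# Delete is that server's choice; nothing in the protocol can force it.
class Fediverse
  def initialize(honors_deletes: {})
    @honors_deletes = honors_deletes          # "server" => false models a misbehaving peer
    @stores = Hash.new { |h, k| h[k] = {} }   # server => { post_id => text }
  end

  def publish(post_id, text, targets, author)
    @stores[author.server][post_id] = text
    targets.each { |s| @stores[s][post_id] = text }
  end

  def delete(post_id, targets, author)
    @stores[author.server].delete(post_id)
    targets.each { |s| @stores[s].delete(post_id) if @honors_deletes.fetch(s, true) }
  end

  # every admin of a server listed here can read the post from their database
  def servers_holding(post_id)
    @stores.select { |_, posts| posts.key?(post_id) }.keys.sort
  end
end

def demo
  alice     = Actor.new("alice@home.example")
  followers = %w[bob@one.example carol@two.example dan@one.example].map { |h| Actor.new(h) }
  mentions  = [Actor.new("erin@three.example")]
  fedi      = Fediverse.new(honors_deletes: { "two.example" => false })

  public_targets = delivery_servers(visibility: :public, author: alice, followers: followers, mentions: mentions)
  dm_targets     = delivery_servers(visibility: :direct, author: alice, followers: followers, mentions: mentions)

  fedi.publish("p1", "hello world", public_targets, alice)
  fedi.publish("d1", "@erin meet at 9", dm_targets, alice)
  fedi.delete("p1", public_targets, alice)

  {
    public_targets: public_targets,                    # ["one.example", "two.example", "three.example"]
    dm_targets: dm_targets,                            # ["three.example"]
    public_after_delete: fedi.servers_holding("p1"),   # ["two.example"]: it ignored the Delete
    dm_holders: fedi.servers_holding("d1")             # ["home.example", "three.example"]
  }
end

p demo if __FILE__ == $0
```

Three things fall out of the model. A public post with followers on three servers exists on four databases, each with its own admin and backups. A direct message still leaves your server: it lands in the recipient’s server’s database in the clear. And a Delete only removes what peers choose to remove; the server that ignores it keeps the copy, which is exactly the "deleted posts may persist" caveat above.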

Incident Response

Prepare for security incidents before they happen:

Common Incidents

  • Account compromise: A user’s account is taken over, usually through a reused password harvested elsewhere or through phishing; require two-factor authentication for every admin and moderator
  • Spam/bot invasion: Automated signups flood your instance with spam; Mastodon’s approval-required registration mode, its built-in rate limits and IP rules are the first line of defense
  • DDoS: Your instance is targeted with volumetric traffic attacks, which a single origin server cannot absorb; plan for upstream filtering or a CDN in advance
  • Data breach: Unauthorized access to your database or server

Response Playbook

  1. Detect: Monitor logs and user reports for suspicious activity
  2. Contain: Suspend compromised accounts and revoke their sessions and app tokens (the admin interface can force a password reset and disable 2FA), block spam sources, enable rate limiting
  3. Investigate: Determine scope and method of the incident
  4. Remediate: Patch vulnerabilities, reset credentials, clean up damage
  5. Communicate: Inform affected users transparently; under GDPR you must notify your supervisory authority within 72 hours of becoming aware of a personal-data breach unless it is unlikely to pose a risk, and tell the affected users themselves when the risk to them is high
  6. Review: Document lessons learned and update procedures
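Detection is the step admins most often leave to chance. The following is an added example in Ruby (not Mastodon project code, and not from this guide’s original text) that runs two checks over constructed nginx access-log lines in the standard combined format: IPs hammering Mastodon’s login endpoint (POST /auth/sign_in) and bursts of sign-ups (POST /auth). The sample lines, the timestamps and the thresholds are assumptions; tune the thresholds to your instance’s normal traffic.

```ruby
require "time"

# Added example, not Mastodon project code: detection logic for two of the
# incidents above, run over constructed nginx access-log lines (combined
# format). It flags IPs hammering Mastodon's login endpoint (POST
# /auth/sign_in) and bursts of sign-ups (POST /auth). The thresholds are
# assumptions; tune them to your instance's normal traffic.

LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /

def parse_log(text)
  text.each_line.filter_map do |line|
    m = LOG_LINE.match(line)
    next unless m
    { ip: m[:ip], time: Time.strptime(m[:time], "%d/%b/%Y:%H:%M:%S %z"),
      method: m[:method], path: m[:path], status: m[:status].to_i }
  end
end

# IPs that POSTed to `path` more than `limit` times inside any `window` seconds.
# A sliding window catches a slow, steady guesser that a per-minute bucket misses.
def burst_sources(events, path:, limit:, window:)
  posts = events.select { |e| e[:method] == "POST" && e[:path] == path }
  posts.group_by { |e| e[:ip] }.filter_map do |ip, evs|
    times = evs.map { |e| e[:time] }.sort
    ip if times.each_cons(limit + 1).any? { |w| w.last - w.first <= window }
  end
end

# Sign-up floods usually come from many IPs, so measure the total rate:
# the most POSTs to `path` that fall inside any `window` seconds.
def peak_rate(events, path:, window:)
  times = events.select { |e| e[:method] == "POST" && e[:path] == path }.map { |e| e[:time] }.sort
  times.each_index.map { |i| times[i..].count { |t| t - times[i] <= window } }.max || 0
end

def log_line(ip, t, method, path, status)
  %(#{ip} - - [#{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "#{method} #{path} HTTP/1.1" #{status} 512 "-" "Mozilla/5.0")
end

# Constructed sample: one normal login, one IP making 8 login attempts in
# 21 seconds, and 12 sign-ups from 12 different IPs in 44 seconds.
T0 = Time.utc(2026, 3, 10, 14, 0, 0)
SAMPLE_LOG = [
  log_line("198.51.100.5", T0, "GET", "/auth/sign_in", 200),
  log_line("198.51.100.5", T0 + 5, "POST", "/auth/sign_in", 302),
  *8.times.map  { |i| log_line("203.0.113.7", T0 + 10 + i * 3, "POST", "/auth/sign_in", 200) },
  *12.times.map { |i| log_line("192.0.2.#{i + 1}", T0 + 20 + i * 4, "POST", "/auth", 302) },
  log_line("198.51.100.9", T0 + 90, "GET", "/api/v1/timelines/public", 200)
].join("\n")

def triage(text)
  events = parse_log(text)
  {
    login_brute_force:  burst_sources(events, path: "/auth/sign_in", limit: 5, window: 60), # ["203.0.113.7"]
    signups_per_minute: peak_rate(events, path: "/auth", window: 60)                        # 12
  }
end

p triage(SAMPLE_LOG) if __FILE__ == $0
```

Mastodon already throttles sign-in and sign-up attempts per IP through Rack::Attack, so the point of a detector like this is to notice what gets through, to spot distributed sign-up floods that per-IP limits cannot see, and to feed the result into the Contain step: IP rules in the moderation interface, fail2ban, or switching registrations to approval mode until the wave passes.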

See our developer notes for technical monitoring approaches.

Common Mistakes

  • Assuming “small instance” means “no security needed”: Every internet-facing server is a target
  • Not encrypting backups: Encrypted backups protect against data theft even if backup storage is compromised, provided the key is stored separately from the backups
  • Ignoring GDPR because “it is just a hobby server”: GDPR applies based on who uses your server, not your intent
  • Treating DMs as private: They are not end-to-end encrypted; use a proper encrypted messenger for sensitive communications
  • Not having an incident response plan: When something goes wrong, you will not have time to figure out the process

Frequently Asked Questions

Do I need a privacy policy for my Mastodon instance? Yes. Even a single-user instance stores personal data about the remote accounts it federates with, and Mastodon expects you to provide a privacy policy, which it publishes on your server. A clear privacy policy is good practice and legally required under GDPR if you serve EU users.

Can instance admins read my DMs? Yes. DMs on Mastodon are not end-to-end encrypted. They are stored in the database in a readable form on your server and on the recipient’s server, and in every backup of either. Use dedicated encrypted messaging for sensitive communications.

What happens to my data if my instance shuts down? Your data on that instance is lost unless you have exported it. Mastodon’s account migration and data export features help, but they require action before the instance goes offline. Our FAQ covers migration in more detail.

Is Mastodon GDPR compliant out of the box? Mastodon provides tools that help with GDPR compliance (data export, account deletion, consent flows), but compliance ultimately depends on how you configure and operate your instance.

How do I report a security vulnerability in Mastodon? Mastodon has a responsible disclosure process documented in the SECURITY.md file of its repository; do not open a public issue for a security bug. Check that file for the current reporting procedure.

Does the DSA apply to all Mastodon instances? The DSA applies to services available to EU users. The specific obligations depend on your instance’s size and reach. Small instances have fewer obligations than large platforms, but basic content moderation requirements still apply. See our articles hub for regulatory updates.