Databend Security Design
Security
Role Based Access Control (RBAC) + Discretionary Access Control (DAC)
Databend combines Role-Based Access Control (RBAC) and Discretionary Access Control (DAC) in its access control model. Under RBAC, privileges are granted to roles and roles are granted to users, so a user's effective rights are the union of the roles they hold. Under DAC, each object has an owning role that holds all privileges on that object and can pass ownership to another role.
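The following is an added example, not code from the Databend documentation, showing the two halves of the model side by side. The role, user, database and table names (analyst, data_owner, alice, sales.orders) are assumed for illustration.

```sql
-- RBAC: privileges are granted to a role, and the role to a user.
-- The user never receives table privileges directly.
CREATE ROLE analyst;
GRANT SELECT ON sales.* TO ROLE analyst;

CREATE USER alice IDENTIFIED BY 'replace-with-a-strong-password';
GRANT ROLE analyst TO alice;
-- Make the role active by default when alice connects.
ALTER USER alice WITH DEFAULT_ROLE = 'analyst';

-- DAC: object ownership. The owning role holds every privilege on the
-- object and is the only role that can hand ownership on.
CREATE ROLE data_owner;
GRANT OWNERSHIP ON sales.orders TO ROLE data_owner;

-- The check a practitioner should run after any grant: what does the
-- user (and each of their roles) actually hold?
SHOW GRANTS FOR alice;
SHOW GRANTS FOR ROLE analyst;
SHOW GRANTS FOR ROLE data_owner;
```

Review the SHOW GRANTS output rather than the grant statements you remember issuing: a user's effective privileges are the union of everything granted to every role they hold, including roles granted to roles.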
Masking Policy
A masking policy is a set of rules that controls how a sensitive column is displayed or accessed: the policy is attached to a column and evaluated at query time, so privileged users see the real value while everyone else sees a masked one, and the stored data itself is never changed.
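As an added example (not code from the Databend documentation), the policy below masks an email column for every role except one. The policy, table, column and role names (email_mask, user_info, email, MANAGERS) are assumed for illustration.

```sql
-- The policy takes the column value as input and returns either the
-- real value or a fixed mask, decided by the role active in the session.
CREATE MASKING POLICY email_mask
AS
  (val STRING)
  RETURNS STRING ->
  CASE
    WHEN current_role() IN ('MANAGERS') THEN val
    ELSE '*********'
  END
  COMMENT = 'hide email from non-managers';

-- Attach the policy to the column. Nothing in the table changes; the
-- masking is applied when the column is read.
ALTER TABLE user_info MODIFY COLUMN email SET MASKING POLICY email_mask;

-- Check the policy definition and verify masking as a non-manager:
DESC MASKING POLICY email_mask;
SELECT email FROM user_info LIMIT 3;

-- Remove the policy from the column if it is no longer needed.
ALTER TABLE user_info MODIFY COLUMN email UNSET MASKING POLICY;
```

When testing, run the SELECT once with a role that is in the policy's allow list and once with a role that is not; a policy that keys on current_role() is only as strong as your control over who can assume that role.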
Network Policy
A network policy in Databend is a configuration mechanism for managing and enforcing network-level access control per user. It defines a set of allowed and blocked IP address ranges; when the policy is attached to a user, connections from that user are accepted only if the client address is within an allowed range and not within a blocked range.
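Added example, not code from the Databend documentation: a policy that admits two private ranges while explicitly blocking one host inside them, attached to a user. The policy name, ranges and user (corp_only, 10.0.0.0/8, 192.168.1.0/24, 192.168.1.99, alice) are assumed for illustration.

```sql
-- The blocked list is evaluated against the allowed list: 192.168.1.99
-- falls inside 192.168.1.0/24 but is still rejected.
CREATE NETWORK POLICY corp_only
    ALLOWED_IP_LIST = ('10.0.0.0/8', '192.168.1.0/24')
    BLOCKED_IP_LIST = ('192.168.1.99')
    COMMENT = 'corporate ranges only; one host explicitly denied';

-- A policy does nothing until it is attached to a user.
ALTER USER alice WITH SET NETWORK POLICY = 'corp_only';

-- Verify what is enforced.
DESC NETWORK POLICY corp_only;
SHOW NETWORK POLICIES;

-- Detach the policy if access from anywhere should be restored.
ALTER USER alice WITH UNSET NETWORK POLICY;
```

Before attaching a policy to an administrative account, confirm that the address you administer from is inside the allowed list; a policy that locks out the only admin is enforced just as strictly as any other.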
Password Policy
Databend includes a password policy to strengthen account security and simplify user account management. A policy sets rules that are enforced when a password is created or changed: minimum and maximum length, required character classes, minimum and maximum password age, the number of failed login attempts allowed before lockout, the lockout duration, and how many previous passwords may not be reused.
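Added example, not code from the Databend documentation, showing a policy that covers each of the rule categories above and its attachment to a user. The policy name, parameter values and user name (SecureLogin, alice) are assumed for illustration.

```sql
CREATE PASSWORD POLICY SecureLogin
    -- length
    PASSWORD_MIN_LENGTH = 12
    PASSWORD_MAX_LENGTH = 64
    -- character classes
    PASSWORD_MIN_UPPER_CASE_CHARS = 1
    PASSWORD_MIN_LOWER_CASE_CHARS = 1
    PASSWORD_MIN_NUMERIC_CHARS = 1
    PASSWORD_MIN_SPECIAL_CHARS = 1
    -- age: cannot be changed again within 1 day, must change after 90
    PASSWORD_MIN_AGE_DAYS = 1
    PASSWORD_MAX_AGE_DAYS = 90
    -- retry limit and lockout: 5 failures, then locked for 30 minutes
    PASSWORD_MAX_RETRIES = 5
    PASSWORD_LOCKOUT_TIME_MINS = 30
    -- history: the last 5 passwords cannot be reused
    PASSWORD_HISTORY = 5
    COMMENT = 'baseline policy for interactive users';

-- Attach at creation time, or to an existing user with ALTER USER.
CREATE USER alice IDENTIFIED BY 'replace-with-a-strong-password'
    WITH SET PASSWORD POLICY = 'SecureLogin';
ALTER USER alice WITH SET PASSWORD POLICY = 'SecureLogin';

-- Confirm what is in force.
DESC PASSWORD POLICY SecureLogin;
SHOW PASSWORD POLICIES;
```

The retry limit and lockout duration protect against online password guessing but also give an attacker who knows a username a way to lock that user out; size PASSWORD_MAX_RETRIES and PASSWORD_LOCKOUT_TIME_MINS with that trade-off in mind, and pair them with a network policy on privileged accounts.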
AWS PrivateLink
PrivateLink improves network security by exposing the Databend Cloud cluster as a VPC endpoint service, so that traffic from your VPC reaches the cluster over the AWS network instead of the public internet. This is not VPC peering: no routes are exchanged between the two VPCs, and only the endpoint is reachable. Customers initiate the connection by creating an interface VPC endpoint in their own VPC, which can be attached to security groups to establish a trust boundary and restrict which sources may reach the endpoint. Currently, this feature is only available on AWS.
Encryption
TLS 1.2
All communication is encrypted in transit. Customer data flows exclusively over HTTPS, and connections are encrypted with TLS 1.2 from the client through to the Databend API gateway, where TLS is terminated.
Storage Encryption
Databend Enterprise supports server-side encryption for data stored in Alibaba Cloud OSS (Object Storage Service). When enabled, the storage service encrypts objects at rest as they are written and decrypts them on read, and you can choose the encryption method that best suits your needs. This protects data in the bucket from anyone who obtains the raw objects without going through the storage service; it does not replace access control on the bucket or in Databend.
Compliance
SOC 2 Type II
An independent third party has conducted a SOC 2 Type II assessment, affirming the robustness and effectiveness of our operational controls. Emphasizing our commitment to security and excellence, we continuously monitor and enhance our operational controls and defenses against vulnerabilities. Our dedicated team ensures these standards are upheld without compromise.
GDPR
Our GDPR compliance hinges on strict data privacy enforcement, robust encryption, and regular privacy audits to shield personal data from unauthorized access. We enforce stringent access controls, permitting only a select group of trained security personnel to access and monitor our infrastructure and operational logs, ensuring the highest levels of data protection and compliance.