Last updated: April 9, 2024
Databend Cloud leverages the security features of mainstream cloud providers and sets up least-privilege access policies to ensure data security for our customers.
Databend Cloud is currently deployed on GCP- and AWS-hosted Kubernetes clusters, with all servers located across the globe, including the United States. We use isolated, stateless pods to access internal storage with ephemeral caches.
We enforce strict data access isolation among tenants. No long-term access key is stored on Databend Cloud. To minimize data leakage risks, we rotate our data access keys regularly and require least-privilege permissions.
We use the data-encryption and identity authentication services provided by cloud providers. These services issue each service an automatically rotated token (for example, one that automatically expires in half an hour), establish an identity association with an IAM Role through the cloud vendor's STS service, and then restrict the service's access rights through IAM rules to achieve fine-grained access control.
In Databend Cloud, each tenant is assigned a dedicated IAM Role and a dedicated encrypted bucket for data storage.
The IAM policies are configured to restrict each tenant's access to a specific storage location. This eliminates the need for long-lived access keys, making access to cloud resources such as S3 more secure and reliable.
All data stored on Databend Cloud is encrypted by default using server-side encryption with a dedicated KMS. Additionally, users can leverage the Assume Role mechanism in Databend Cloud to mount their own S3 buckets from their AWS accounts for analysis purposes. Databend only supports decrypting and encrypting data in memory on a dedicated warehouse.
We provide end-to-end encryption for all communication. All customer data flows are solely over HTTPS. Connections are encrypted using TLS 1.2 from clients through to the Databend API gateway.
PrivateLink provides enhanced network security by connecting to the Databend Cloud cluster over VPC peering. Customers can initiate the connection to the desired service using a VPC endpoint, which can be further configured with security groups to create trust boundaries and control access to the endpoint. Currently, this feature is only available on AWS. If your team has special concerns about other cloud providers, please reach out to our support team.
Databend lets users configure IP allow lists and block lists in a network policy.
A network policy lets you define sets of rules governing the allowed and blocked IP address ranges for specific users, effectively controlling their network-level access.
Databend offers a range of privileges that allow you to exercise fine-grained control over your database objects.
Customers control RBAC completely; meanwhile, DAC (Discretionary Access Control) also applies to the customer-created role that owns the object.
For details on the privileges for each database object, please refer to our documentation.
Databend allows users to configure column-level data visibility by creating data masking policies. A data masking policy dynamically transforms data, rewriting or hiding the given columns based on the role of the user running the query.
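As an added illustration (not taken from the original page or from Databend's own configuration), the network policy and data masking policy features described above could be set up with Databend SQL along these lines. The policy, user, table and role names, the password placeholder and the IP ranges are all constructed; check the statements against the Databend SQL reference for your version.

```sql
-- Constructed names throughout: corp_only, analyst1, customers,
-- email_mask, SUPPORT_LEAD. IP ranges are documentation addresses.

-- 1. Network policy: allow one office range, block a single host inside it.
CREATE NETWORK POLICY corp_only
    ALLOWED_IP_LIST = ('203.0.113.0/24')
    BLOCKED_IP_LIST = ('203.0.113.77')
    COMMENT = 'office egress range minus shared kiosk';

-- Attach the policy to a specific user at creation time.
CREATE USER analyst1 IDENTIFIED BY '<strong-password>'
    WITH SET NETWORK POLICY = 'corp_only';

-- Review what is configured.
SHOW NETWORK POLICIES;
DESC NETWORK POLICY corp_only;

-- 2. Masking policy: only one role sees the real email column.
CREATE TABLE customers (id INT, name STRING, email STRING);

CREATE MASKING POLICY email_mask AS (val STRING)
    RETURNS STRING ->
    CASE
        -- The literal must match what current_role() returns for the session.
        WHEN current_role() IN ('SUPPORT_LEAD') THEN val
        ELSE '*********'
    END
    COMMENT = 'hide email from all roles except SUPPORT_LEAD';

-- Bind the policy to the sensitive column.
ALTER TABLE customers MODIFY COLUMN email SET MASKING POLICY email_mask;

-- Verify: inspect the policy, then query under a role other than
-- SUPPORT_LEAD and confirm the email column comes back masked.
DESC MASKING POLICY email_mask;
SELECT id, name, email FROM customers;
```

Running the final query once under each role is a quick check that the masking rule applies to the roles you intended and no others.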
Databend currently collaborates with Vanta to meet compliance standards including SOC-2 Type-2 and GDPR.
Our compliance efforts for Databend Cloud include: