Security of the highest standard
Native Security Capabilities
Manage security guardrails and operate confidently with built-in features.
Network Security
VPC Peering and PrivateLink
Secure network connectivity capabilities to avoid user-to-cluster traffic transiting the public network.
IP Allowlists
Configure specific source locations that could be used to access a cluster.
Private IPs
Protect data with only private IPs on cluster nodes, access external resources with a NAT Gateway, and access cloud storage over your cloud provider’s private connectivity
Egress perimeter controls
Control where users are allowed to send data with a cloud-agnostic virtual firewall
Identity and Access Management
Single Sign-On
Centralize authentication by integrating with common identity providers like Google, Okta, Active Directory, etc.
Single Sign-On for cluster access
Let application level SQL identities use JWT tokens to authenticate; and let cloud SQL users access their clusters with the same SSO provider you set up for the Cloud Organization
Single Sign-On with OIDC for DB Console
Centralize authentication to the DB Console by integrating with any OIDC supporting identity provider
Role-based access control (RBAC)
At the database or table level with fine-grained access control at the row and column level. Also enable RBAC for operations such as backup/restore, changefeeds and observability.
Role-based access control (RBAC) for cloud organizations
Assign fine-grained roles at the organization and cluster scopes to manage users, billing and clusters in a cloud organization.
Auto-provisioning and deprovisioning of users
Use an enterprise identity provider (like Okta) to programmatically provision and deprovision users and groups in a cloud organization, via SCIM endpoints.
Dynamic user management
Manage credentials for database users with HashiCorp Vault
Certificate authentication for SQL clients
SQL clients may authenticate to clusters using public key infrastructure security certificates, in addition to username/password or SSO
Kerberos-based authentication for SQL users
Additional secure authentication methods for SQL access to the cluster
Data Protection & Privacy
Encryption at Rest with Customer Managed Encryption Keys (CMEK)
Use a multi-key encryption method rooted in your cloud-native key to encrypt data files stored on the cluster disks and managed backups.
Encryption in Transit
Ensure data is secure in transit with TLS connections.
Data Masking
Mask or anonymize sensitive data beyond full data encryption.
Cloud provider assume-role and delegated-access controls
Create secure IAM roles in your cloud provider to access your cloud resources from CockroachDB.
Auditing and Logging
Comprehensive and configurable audit logging
Keep track of when and by whom your data is accessed for threat detection and compliance purposes, both with behavior in CockroachDB and the web console
Compliance Certifications
Meet compliance standards required of many industries.
SOC Type 2
Cockroach Labs annually certifies its systems to meet AICPA SOC 2 Type II, which audits the operational and security
processes of our service and our company.
PCI DSS
CockroachDB Dedicated has been certified against PCI-DSS SAQ-A and SAQ-D requirements, which indicate we safely handle credit card and payment data.
HIPAA
CockroachDB dedicated is HIPAA-ready to safely store PHI data, as determined by an annual third-party risk assessment that evaluates the service against HIPAA’s security and breach notification rules.
Federal Information Processing Standard (FIPS) 140-2
Address FIPS requirements with a FIPS-ready binary for CockroachDB self-hosted.
Privacy
We're committed to being transparent about our privacy practices.
Below are links to documentation about our approach.
Data Processing Addendum (DPA) Since June 4, 2021 Cockroach Labs’ DPA relies on Standard Contractual Clauses to address Privacy Shield
invalidation on July 16, 2020