Security Shared Responsibility Model
Service types
ClickHouse Cloud offers three service types. For more information, review our Service Types page.
- Development: Best for small workloads
- Production: Medium-sized workloads and customer-facing applications
- Dedicated: Applications with strict latency and isolation requirements
Cloud architecture
Cloud architecture consists of the control plane and the data plane. The control plane is responsible for organization creation, user management within the control plane, service management, API key management, and billing. The data plane runs tooling for orchestration and management, and houses customer services. For more information, review our ClickHouse Cloud Architecture diagram.
BYOC architecture
Bring your own cloud (BYOC) enables customers to run the data plane in their own cloud account. For more information, review our Bring Your Own Cloud (BYOC) page.
ClickHouse Cloud shared responsibility model
Control | ClickHouse Cloud | Customer - Cloud | Customer - BYOC |
---|---|---|---|
Maintain separation of environments | ✔️ | ✔️ | |
Manage network settings | ✔️ | ✔️ | ✔️ |
Securely manage access to ClickHouse systems | ✔️ | | |
Securely manage organizational users in control plane and databases | ✔️ | ✔️ | |
User management and audit | ✔️ | ✔️ | ✔️ |
Encrypt data in transit and at rest | ✔️ | | |
Securely handle customer managed encryption keys | ✔️ | ✔️ | |
Provide redundant infrastructure | ✔️ | ✔️ | |
Backup data | ✔️ | | |
Verify backup recovery capabilities | ✔️ | | |
Implement data retention settings | ✔️ | ✔️ | |
Security configuration management | ✔️ | ✔️ | |
Software and infrastructure vulnerability remediation | ✔️ | | |
Perform penetration tests | ✔️ | | |
Threat detection and response | ✔️ | ✔️ | |
Security incident response | ✔️ | ✔️ | |
ClickHouse Cloud security features
Network connectivity
Setting | Status | Cloud | Service level |
---|---|---|---|
IP filters to restrict connections to services | Available | AWS, GCP, Azure | All |
Private link to securely connect to services | Available | AWS, GCP, Azure | Production or Dedicated |
Access management
Setting | Status | Cloud | Service level |
---|---|---|---|
Standard role-based access in control plane | Available | AWS, GCP, Azure | All |
Multi-factor authentication (MFA) available | Available | AWS, GCP, Azure | All |
SAML Single Sign-On to control plane available | Preview | AWS, GCP, Azure | Qualified Customers |
Granular role-based access control in databases | Available | AWS, GCP, Azure | All |
Data security
Setting | Status | Cloud | Service level |
---|---|---|---|
Cloud provider and region selections | Available | AWS, GCP, Azure | All |
Limited free daily backups | Available | AWS, GCP, Azure | All |
Custom backup configurations available | Available | GCP, AWS, Azure | Production or Dedicated |
Customer managed encryption keys (CMEK) for transparent data encryption available | Available | AWS | Production or Dedicated |
Field level encryption with manual key management for granular encryption | Available | GCP, AWS, Azure | All |
Data retention
Setting | Status | Cloud | Service level |
---|---|---|---|
Time to live (TTL) settings to manage retention | Available | AWS, GCP, Azure | All |
ALTER TABLE DELETE for heavy deletion actions | Available | AWS, GCP, Azure | All |
Lightweight DELETE for measured deletion activities | Available | AWS, GCP, Azure | All |
Auditing and logging
Setting | Status | Cloud | Service level |
---|---|---|---|
Audit log for control plane activities | Available | AWS, GCP, Azure | All |
Session log for database activities | Available | AWS, GCP, Azure | All |
Query log for database activities | Available | AWS, GCP, Azure | All |
Compliance
Framework | Status | Cloud | Service level |
---|---|---|---|
ISO 27001 compliance | Available | AWS, GCP, Azure | All |
SOC 2 Type II compliance | Available | AWS, GCP, Azure | All |
GDPR and CCPA compliance | Available | AWS, GCP, Azure | All |
HIPAA compliance | Private Beta | GCP, AWS coming soon | Dedicated |
For more information on supported compliance frameworks, please review our Security and Compliance page.