Cockroach Labs
Security and Trust Center

VPC Peering and PrivateLink

Secure network connectivity capabilities to avoid user-to-cluster traffic transiting the public network.

IP Allowlists

Configure specific source locations that could be used to access a cluster.

Private IPs

Protect data with only private IPs on cluster nodes, access external resources with a NAT Gateway, and access cloud storage over your cloud provider’s private connectivity

Egress perimeter controls

Control where users are allowed to send data with a cloud-agnostic virtual firewall

Single Sign-On

Centralize authentication by integrating with common identity providers like Google, Okta, Active Directory, etc.

Single Sign-On for cluster access

Let application level SQL identities use JWT tokens to authenticate; and let cloud SQL users access their clusters with the same SSO provider you set up for the Cloud Organization

Single Sign-On with OIDC for DB Console

Centralize authentication to the DB Console by integrating with any OIDC supporting identity provider

Role-based access control (RBAC)

At the database or table level with fine-grained access control at the row and column level. Also enable RBAC for operations such as backup/restore, changefeeds and observability.

Role-based access control (RBAC) for cloud organizations

Assign fine-grained roles at the organization and cluster scopes to manage users, billing and clusters in a cloud organization.

Auto-provisioning and deprovisioning of users

Use an enterprise identity provider (like Okta) to programmatically provision and deprovision users and groups in a cloud organization, via SCIM endpoints.

Dynamic user management

Manage credentials for database users with HashiCorp Vault

Certificate authentication for SQL clients

SQL clients may authenticate to clusters using public key infrastructure security certificates, in addition to username/password or SSO

Kerberos-based authentication for SQL users

Additional secure authentication methods for SQL access to the cluster

Encryption at Rest with Customer Managed Encryption Keys (CMEK)

Use a multi-key encryption method rooted in your cloud-native key to encrypt data files stored on the cluster disks and managed backups.

Encryption in Transit

Ensure data is secure in transit with TLS connections.

Data Masking

Mask or anonymize sensitive data beyond full data encryption.

Cloud provider assume-role and delegated-access controls

Create secure IAM roles in your cloud provider to access your cloud resources from CockroachDB.

Comprehensive and configurable audit logging

Keep track of when and by whom your data is accessed for threat detection and compliance purposes, both with behavior in CockroachDB and the web console

Cockroach Labs annually certifies its systems to meet AICPA SOC 2 Type II, which audits the operational and security
processes of our service and our company.

CockroachDB Dedicated has been certified against PCI-DSS SAQ-A and SAQ-D requirements, which indicate we safely handle credit card and payment data.

CockroachDB dedicated is HIPAA-ready to safely store PHI data, as determined by an annual third-party risk assessment that evaluates the service against HIPAA’s security and breach notification rules.

Address FIPS requirements with a FIPS-ready binary for CockroachDB self-hosted.

Cockroach Labs is certified ISO 27001 & 27017 compliant and is dedicated to securing customers' valuable information.