| sidebar_label | slug | title | description |
|---|---|---|---|
Shared Responsibility Model |
/cloud/security/shared-responsibility-model |
Security Shared Responsibility Model |
Learn more about the security model of ClickHouse Cloud |
ClickHouse Cloud offers three service types: Basic, Scale and Enterprise. For more information, review our Service Types page.
The Cloud architecture consists of the control plane and the data plane. The control plane is responsible for organization creation, user management within the control plane, service management, API key management, and billing. The data plane runs tooling for orchestration and management, and houses customer services. For more information, review our ClickHouse Cloud Architecture diagram.
Bring your own cloud (BYOC) enables customers to run the data plane in their own cloud account. For more information, review our (BYOC) Bring Your Own Cloud page.
The model below generally addresses ClickHouse responsibilities and shows responsibilities that should be addressed by customers of ClickHouse Cloud and ClickHouse BYOC, respectively. For more information on our PCI shared responsibility model, please download a copy of the overview available in our Trust Center.
| Control | ClickHouse | Cloud Customer | BYOC Customer |
|---|---|---|---|
| Maintain separation of environments | ✅ | ✅ | |
| Manage network settings | ✅ | ✅ | ✅ |
| Securely manage access to ClickHouse systems | ✅ | ||
| Securely manage organizational users in control plane and databases | ✅ | ✅ | |
| User management and audit | ✅ | ✅ | ✅ |
| Encrypt data in transit and at rest | ✅ | ||
| Securely handle customer managed encryption keys | ✅ | ✅ | |
| Provide redundant infrastructure | ✅ | ✅ | |
| Backup data | ✅ | ✅ | ✅ |
| Verify backup recovery capabilities | ✅ | ✅ | ✅ |
| Implement data retention settings | ✅ | ✅ | |
| Security configuration management | ✅ | ✅ | |
| Software and infrastructure vulnerability remediation | ✅ | ||
| Perform penetration tests | ✅ | ||
| Threat detection and response | ✅ | ✅ | |
| Security incident response | ✅ | ✅ |
Network connectivity
| Setting | Status | Cloud | Service level |
|---|---|---|---|
| IP filters to restrict connections to services | Available | AWS, GCP, Azure | All |
| Private link to securely connect to services | Available | AWS, GCP, Azure | Scale or Enterprise |
Access management
| Setting | Status | Cloud | Service level |
|---|---|---|---|
| Standard role-based access in control plane | Available | AWS, GCP, Azure | All |
| Multi-factor authentication (MFA) available | Available | AWS, GCP, Azure | All |
| SAML Single Sign-On to control plane available | Preview | AWS, GCP, Azure | Enterprise |
| Granular role-based access control in databases | Available | AWS, GCP, Azure | All |
Data security
| Setting | Status | Cloud | Service level |
|---|---|---|---|
| Cloud provider and region selections | Available | AWS, GCP, Azure | All |
| Limited free daily backups | Available | AWS, GCP, Azure | All |
| Custom backup configurations available | Available | GCP, AWS, Azure | Scale or Enterprise |
| Customer managed encryption keys (CMEK) for transparent data encryption available |
Available | AWS, GCP | Enterprise |
| Field level encryption with manual key management for granular encryption | Available | GCP, AWS, Azure | All |
Data retention
| Setting | Status | Cloud | Service level |
|---|---|---|---|
| Time to live (TTL) settings to manage retention | Available | AWS, GCP, Azure | All |
| ALTER TABLE DELETE for heavy deletion actions | Available | AWS, GCP, Azure | All |
| Lightweight DELETE for measured deletion activities | Available | AWS, GCP, Azure | All |
Auditing and logging
| Setting | Status | Cloud | Service level |
|---|---|---|---|
| Audit log for control plane activities | Available | AWS, GCP, Azure | All |
| Session log for database activities | Available | AWS, GCP, Azure | All |
| Query log for database activities | Available | AWS, GCP, Azure | All |
| Framework | Status | Cloud | Service level |
|---|---|---|---|
| ISO 27001 compliance | Available | AWS, GCP, Azure | All |
| SOC 2 Type II compliance | Available | AWS, GCP, Azure | All |
| GDPR and CCPA compliance | Available | AWS, GCP, Azure | All |
| HIPAA compliance | Available | AWS, GCP | Enterprise |
| PCI compliance | Available | AWS | Enterprise |
For more information on supported compliance frameworks, please review our Security and Compliance page.