Security Shared Responsibility Model

Service types

ClickHouse Cloud offers three service types. For more information, review our Service Types page.

Development: Best for small workloads
Production: Medium-sized workloads and customer-facing applications
Dedicated: Applications with strict latency and isolation requirements

Cloud architecture

Cloud architecture consists of the control plane and the data plane. The control plane is responsible for organization creation, user management within the control plane, service management, API key management, and billing. The data plane runs tooling for orchestration and management, and houses customer services. For more information, review our ClickHouse Cloud Architecture diagram.

BYOC architecture

Bring your own cloud (BYOC) enables customers to run the data plane in their own cloud account. For more information, review our (BYOC) Bring Your Own Cloud page.

ClickHouse Cloud shared responsibility model

Control	ClickHouse Cloud	Customer - Cloud	Customer - BYOC
Maintain separation of environments	✔️		✔️
Manage network settings	✔️	✔️	✔️
Securely manage access to ClickHouse systems	✔️
Securely manage organizational users in control plane and databases		✔️	✔️
User management and audit	✔️	✔️	✔️
Encrypt data in transit and at rest	✔️
Securely handle customer managed encryption keys		✔️	✔️
Provide redundant infrastructure	✔️		✔️
Backup data	✔️
Verify backup recovery capabilities	✔️
Implement data retention settings		✔️	✔️
Security configuration management	✔️		✔️
Software and infrastructure vulnerability remediation	✔️
Perform penetration tests	✔️
Threat detection and response	✔️		✔️
Security incident response	✔️		✔️

ClickHouse Cloud configurable security features

Network connectivity

Setting	Status	Cloud	Service level
IP filters to restrict connections to services	Available	AWS, GCP, Azure	All
Private link to securely connect to services	Available	AWS, GCP, Azure	Production or Dedicated

Access management

Setting	Status	Cloud	Service level
Standard role-based access in control plane	Available	AWS, GCP, Azure	All
Multi-factor authentication (MFA) available	Available	AWS, GCP, Azure	All
SAML Single Sign-On to control plane available	Preview	AWS, GCP, Azure	Qualified Customers
Granular role-based access control in databases	Available	AWS, GCP, Azure	All

Data security

Setting	Status	Cloud	Service level
Cloud provider and region selections	Available	AWS, GCP, Azure	All
Limited free daily backups	Available	AWS, GCP, Azure	All
Custom backup configurations available	Available	GCP, AWS, Azure	Production or Dedicated
Customer managed encryption keys (CMEK) for transparent data encryption available	Available	AWS	Production or Dedicated
Field level encryption with manual key management for granular encryption	Availablle	GCP, AWS, Azure	All

Data retention

Setting	Status	Cloud	Service level
Time to live (TTL) settings to manage retention	Available	AWS, GCP, Azure	All
ALTER TABLE DELETE for heavy deletion actions	Available	AWS, GCP, Azure	All
Lightweight DELETE for measured deletion activities	Available	AWS, GCP, Azure	All

Auditing and logging

Setting	Status	Cloud	Service level
Audit log for control plane activities	Available	AWS, GCP, Azure	All
Session log for database activities	Available	AWS, GCP, Azure	All
Query log for database activities	Available	AWS, GCP, Azure	All

ClickHouse Cloud compliance

Framework	Status	Cloud	Service level
ISO 27001 compliance	Available	AWS, GCP, Azure	All
SOC 2 Type II compliance	Available	AWS, GCP, Azure	All
GDPR and CCPA compliance	Available	AWS, GCP, Azure	All
HIPAA compliance	Private Beta	GCP, `AWS coming soon`	Dedicated

For more information on supported compliance frameworks, please review our Security and Compliance page.

Service types​

Cloud architecture​

BYOC architecture​

ClickHouse Cloud shared responsibility model​

ClickHouse Cloud configurable security features​

ClickHouse Cloud compliance​