Skip to main content
Edit this page

Security Shared Responsibility Model

Service types

ClickHouse Cloud offers three service types. For more information, review our Service Types page.

  • Development: Best for small workloads and dev environments
  • Production: Medium-sized workloads and customer-facing applications
  • Dedicated: Applications with strict latency and isolation requirements

Cloud architecture

The Cloud architecture consists of the control plane and the data plane. The control plane is responsible for organization creation, user management within the control plane, service management, API key management, and billing. The data plane runs tooling for orchestration and management, and houses customer services. For more information, review our ClickHouse Cloud Architecture diagram.

BYOC architecture

Bring your own cloud (BYOC) enables customers to run the data plane in their own cloud account. For more information, review our (BYOC) Bring Your Own Cloud page.

ClickHouse Cloud shared responsibility model

ControlClickHouse CloudCustomer - CloudCustomer - BYOC
Maintain separation of environments✔️✔️
Manage network settings✔️✔️✔️
Securely manage access to ClickHouse systems✔️
Securely manage organizational users in control plane and databases✔️✔️
User management and audit✔️✔️✔️
Encrypt data in transit and at rest✔️
Securely handle customer managed encryption keys✔️✔️
Provide redundant infrastructure✔️✔️
Backup data✔️
Verify backup recovery capabilities✔️
Implement data retention settings✔️✔️
Security configuration management✔️✔️
Software and infrastructure vulnerability remediation✔️
Perform penetration tests✔️
Threat detection and response✔️✔️
Security incident response✔️✔️

ClickHouse Cloud configurable security features

Network connectivity
SettingStatusCloudService level
IP filters to restrict connections to servicesAvailableAWS, GCP, AzureAll
Private link to securely connect to servicesAvailableAWS, GCP, AzureProduction or Dedicated
Access management
SettingStatusCloudService level
Standard role-based access in control planeAvailableAWS, GCP, AzureAll
Multi-factor authentication (MFA) availableAvailableAWS, GCP, AzureAll
SAML Single Sign-On to control plane availablePreviewAWS, GCP, AzureQualified Customers
Granular role-based access control in databasesAvailableAWS, GCP, AzureAll
Data security
SettingStatusCloudService level
Cloud provider and region selectionsAvailableAWS, GCP, AzureAll
Limited free daily backupsAvailableAWS, GCP, AzureAll
Custom backup configurations availableAvailableGCP, AWS, AzureProduction or Dedicated
Customer managed encryption keys (CMEK) for transparent
data encryption available
AvailableAWSProduction or Dedicated
Field level encryption with manual key management for granular encryptionAvailablleGCP, AWS, AzureAll
Data retention
SettingStatusCloudService level
Time to live (TTL) settings to manage retentionAvailableAWS, GCP, AzureAll
ALTER TABLE DELETE for heavy deletion actionsAvailableAWS, GCP, AzureAll
Lightweight DELETE for measured deletion activitiesAvailableAWS, GCP, AzureAll
Auditing and logging
SettingStatusCloudService level
Audit log for control plane activitiesAvailableAWS, GCP, AzureAll
Session log for database activitiesAvailableAWS, GCP, AzureAll
Query log for database activitiesAvailableAWS, GCP, AzureAll

ClickHouse Cloud compliance

FrameworkStatusCloudService level
ISO 27001 complianceAvailableAWS, GCP, AzureAll
SOC 2 Type II complianceAvailableAWS, GCP, AzureAll
GDPR and CCPA complianceAvailableAWS, GCP, AzureAll
HIPAA complianceBetaGCP, AWS coming soonDedicated

For more information on supported compliance frameworks, please review our Security and Compliance page.