Security Shared Responsibility Model
Service types
ClickHouse Cloud offers three service types: Basic, Scale and Enterprise. For more information, review our Service Types page.
Cloud architecture
The Cloud architecture consists of the control plane and the data plane. The control plane is responsible for organization creation, user management within the control plane, service management, API key management, and billing. The data plane runs tooling for orchestration and management, and houses customer services. For more information, review our ClickHouse Cloud Architecture diagram.
BYOC architecture
Bring your own cloud (BYOC) enables customers to run the data plane in their own cloud account. For more information, review our (BYOC) Bring Your Own Cloud page.
ClickHouse Cloud shared responsibility model
The model below generally outlines ClickHouse's responsibilities and shows the responsibilities that customers of ClickHouse Cloud and ClickHouse BYOC, respectively, should address. For more information on our PCI shared responsibility model, please download a copy of the overview available in our Trust Center.
| Control | ClickHouse | Cloud Customer | BYOC Customer | 
|---|---|---|---|
| Maintain separation of environments | ✅ |  | ✅ | 
| Manage network settings | ✅ | ✅ | ✅ | 
| Securely manage access to ClickHouse systems | ✅ |  |  | 
| Securely manage organizational users in control plane and databases |  | ✅ | ✅ | 
| User management and audit | ✅ | ✅ | ✅ | 
| Encrypt data in transit and at rest | ✅ |  |  | 
| Securely handle customer managed encryption keys |  | ✅ | ✅ | 
| Provide redundant infrastructure | ✅ |  | ✅ | 
| Backup data | ✅ | ✅ | ✅ | 
| Verify backup recovery capabilities | ✅ | ✅ | ✅ | 
| Implement data retention settings |  | ✅ | ✅ | 
| Security configuration management | ✅ |  | ✅ | 
| Software and infrastructure vulnerability remediation | ✅ |  |  | 
| Perform penetration tests | ✅ |  |  | 
| Threat detection and response | ✅ |  | ✅ | 
| Security incident response | ✅ |  | ✅ | 
ClickHouse Cloud configurable security features
Network connectivity
| Setting | Status | Cloud | Service level | 
|---|---|---|---|
| IP filters to restrict connections to services | Available | AWS, GCP, Azure | All | 
| Private link to securely connect to services | Available | AWS, GCP, Azure | Scale or Enterprise | 
Access management
Data security
Data retention
Auditing and logging
| Setting | Status | Cloud | Service level | 
|---|---|---|---|
| Audit log for control plane activities | Available | AWS, GCP, Azure | All | 
| Session log for database activities | Available | AWS, GCP, Azure | All | 
| Query log for database activities | Available | AWS, GCP, Azure | All | 
ClickHouse Cloud compliance
| Framework | Status | Cloud | Service level | 
|---|---|---|---|
| ISO 27001 compliance | Available | AWS, GCP, Azure | All | 
| SOC 2 Type II compliance | Available | AWS, GCP, Azure | All | 
| GDPR and CCPA compliance | Available | AWS, GCP, Azure | All | 
| HIPAA compliance | Available | AWS, GCP | Enterprise | 
For more information on supported compliance frameworks, please review our Security and Compliance page.