Cockroach Labs
Security and Trust Center

Your data. Our top priority.

We recognize that data is the beating heart of your business — and that security and compliance are paramount when adopting or maintaining any new technology.

CockroachDB’s native enterprise security capabilities and integrations allow you to safeguard your data with industry best practices. We implement a range of infrastructure security and data governance controls to adhere to stringent regional and industry compliance requirements.

Security of the highest standard

Native Security Capabilities

Manage security guardrails and operate confidently with built-in features.

Network Security

VPC Peering and PrivateLink

Secure network connectivity capabilities to avoid user-to-cluster traffic transiting the public network.

IP Allowlists

Configure specific source locations that could be used to access a cluster.

Private IPs

Protect data with only private IPs on cluster nodes, access external resources with a NAT Gateway, and access cloud storage over your cloud provider’s private connectivity

Egress perimeter controls

Control where users are allowed to send data with a cloud-agnostic virtual firewall

Identity and Access Management

Single Sign-On

Centralize authentication by integrating with common identity providers like Google, Okta, Active Directory, etc.

Single Sign-On for cluster access

Let application-level SQL identities authenticate with JWT tokens, and let cloud SQL users access their clusters with the same SSO provider you set up for the Cloud Organization

Single Sign-On with OIDC for DB Console

Centralize authentication to the DB Console by integrating with any identity provider that supports OIDC

Role-based access control (RBAC)

At the database or table level with fine-grained access control at the row and column level. Also enable RBAC for operations such as backup/restore, changefeeds and observability.

Role-based access control (RBAC) for cloud organizations

Assign fine-grained roles at the organization and cluster scopes to manage users, billing and clusters in a cloud organization.

Auto-provisioning and deprovisioning of users

Use an enterprise identity provider (like Okta) to programmatically provision and deprovision users and groups in a cloud organization, via SCIM endpoints.

Dynamic user management

Manage credentials for database users with HashiCorp Vault

Certificate authentication for SQL clients

SQL clients may authenticate to clusters using public key infrastructure security certificates, in addition to username/password or SSO

Kerberos-based authentication for SQL users

Additional secure authentication methods for SQL access to the cluster

Data Protection & Privacy

Encryption at Rest with Customer Managed Encryption Keys (CMEK)

Use a multi-key encryption method rooted in your cloud-native key to encrypt data files stored on the cluster disks and managed backups.

Encryption in Transit

Ensure data is secure in transit with TLS connections.

Data Masking

Mask or anonymize sensitive data beyond full data encryption.

Cloud provider assume-role and delegated-access controls

Create secure IAM roles in your cloud provider to access your cloud resources from CockroachDB.

Auditing and Logging

Comprehensive and configurable audit logging

Keep track of when and by whom your data is accessed for threat detection and compliance purposes, covering activity in both CockroachDB and the web console

Compliance Certifications

Meet compliance standards required of many industries.

SOC Type 2

Cockroach Labs annually certifies its systems to meet AICPA SOC 2 Type II, which audits the operational and security processes of our service and our company.


CockroachDB Dedicated has been certified against PCI-DSS SAQ-A and SAQ-D requirements, which indicate we safely handle credit card and payment data.


CockroachDB Dedicated is HIPAA-ready to safely store PHI data, as determined by an annual third-party risk assessment that evaluates the service against HIPAA’s security and breach notification rules.

Federal Information Processing Standard (FIPS) 140-2

Address FIPS requirements with a FIPS-ready binary for CockroachDB self-hosted.

ISO 27001 & 27017

Cockroach Labs is certified ISO 27001 & 27017 compliant and is dedicated to securing customers' valuable information.


We're committed to being transparent about our privacy practices. Below are links to documentation about our approach.

Data Processing Addendum (DPA)

Since June 4, 2021, Cockroach Labs’ DPA relies on Standard Contractual Clauses to address Privacy Shield invalidation on July 16, 2020