Ship securely without compromise
Your data security matters, which is why we’ve designed our systems, applications, and processes to safeguard your data as if it were our own. dbt Cloud has been engineered at every level to handle your most sensitive data.
Deliver data quality with high security
Maintain your data security posture with the strongest encryption standards. dbt Cloud maintains an A+ rating from Qualys/SSL and requires communications to use the strongest encryption protocols so you can ship high-quality data with low risk. We have continuous monitoring and development to identify possible issues and keep our systems up to date.
Run your code fast on our secure infrastructure
Keep your data protected on a platform that’s proven safe and secure. Our processes are continually tested and maintained to the highest standards, and we partner with top experts to stay up to date with the latest security techniques. This includes third party providers that continuously challenge our systems with rigorous penetration testing to find weak points before they can be exploited.
Compliance
ISO 27001:2013
ISO 27001:2013 is a globally recognized standard for the establishment and certification of an information security management system (ISMS). The standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented ISMS within the context of the organization’s overall business risks. It sets forth a risk-based approach that focuses on adequate and proportionate security controls that protect information assets and give confidence to interested parties. dbt Labs received its initial ISO 27001:2013 certification on December 9, 2021. dbt Labs completed its most recent surveillance audit on November 17, 2023. The certificate is available for viewing here.
ISO 27701:2019
ISO 27701:2019 specifies requirements and guidelines to establish and continuously improve a Privacy Information Management System (PIMS), including the processing of Personally Identifiable Information (PII), and is an extension of the ISO/IEC 27001 and ISO/IEC 27002 standards for information security management. It provides a set of additional controls and associated guidance intended to address public cloud PIMS and PII management requirements that aren’t addressed by the existing ISO/IEC 27002 control set, for both processors and controllers. dbt Labs is noted as a Processor. Our conformity with the ISO/IEC 27701:2019 standard over our privacy information management system has been assessed, and the result is combined with our ISO 27001 certificate here.
SOC2 Type II
A SOC 2 examination, performed by an independent, certified public accounting (CPA) firm, is an assessment of a service provider’s security control environment against the trust services principles and criteria set forth by the American Institute of Certified Public Accountants (AICPA). The result of the examination is a report which contains the service auditor’s opinion, a description of the system that was examined, management’s assertion regarding the description, and the testing procedures performed by the auditor. dbt Cloud completed a SOC 2 Type II examination, which means its controls were assessed based on their operating effectiveness over the reporting period of October 1, 2022 to September 30, 2023. Our SOC 2 Type II report is available for review under MNDA upon request.
GDPR
dbt Cloud is fully GDPR compliant. dbt Cloud’s Terms of Service includes a Data Processing Addendum that enacts standard contractual clauses set forth by the European Commission to establish a legal basis for cross-border data transfers from the EU.
PCI
Before granting dbt Cloud access to data subject to PCI requirements, please contact support at support@getdbt.com.
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. dbt Cloud has been assessed against relevant HIPAA Security criteria as part of our SOC 2 Type II Report over the reporting period of October 1, 2022 to September 30, 2023. Our SOC 2 Type II report is available for review under MNDA upon request.
Security Highlights
The entire dbt Cloud team is focused on keeping you and your data safe. We use industry standards including OWASP, NIST, ISO 27001, and ISO 27701 to guide our security program and engineering practices.
dbt Labs has implemented a number of access controls to ensure the confidentiality, integrity, and availability of dbt. All access is provisioned by role and according to the principle of least privilege. Our controls include multi-factor authentication requirements, strong passwords, an identity provider, Zero Trust Network Access tooling for production environments, mobile device management, and quarterly access reviews, to name a few.
- dbt Labs has established configuration standards across all of its managed endpoints to ensure assets are configured securely and identically.
- Laptops are protected by full disk encryption using FileVault2, and managed by Jamf Pro MDM.
- A tool is in place to enforce the use of standard production images for production servers.
- dbt Cloud is primarily hosted in AWS, and deployed across multiple AZs (availability zones) in a region.
- Backups are retained for a minimum of seven (7) days.
- Our staff is remotely distributed across the US providing support to customers globally. Our distributed workforce allows us to provide support virtually from anywhere and reduce the impact of support interruption in a geographic location.
- Our Business Continuity, Disaster Recovery, and Incident Response Plans are tested annually via tabletop exercises.
- All connections to dbt Cloud are encrypted by default, in both directions using modern ciphers and cryptographic systems. We maintain an A+ rating from Qualys/SSL Labs. We encrypt in transit utilizing TLS 1.2.
- Any attempt to connect over HTTP is redirected to HTTPS.
- We use HSTS to ensure browsers interact with dbt Cloud only over HTTPS.
- We utilize AES-256 for all data encrypted at rest.
- For additional information about dbt Cloud Architecture, please visit https://docs.getdbt.com/docs/cloud/about-cloud/architecture
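As an added example (this is not dbt Labs code and is not tied to any dbt Cloud endpoint), the following Python script checks the three transport properties listed above for a host you operate or evaluate: plain HTTP is redirected to HTTPS on the same host, the negotiated TLS version is at least 1.2, and an HSTS header with a long max-age is sent. The host name cloud.example.com, the Observation type and the sample observations are constructed for this example; the probe() function collects the same observations live using only the standard library.

```python
"""Check the transport-security properties of a hosted service:
HTTP -> HTTPS redirect, TLS >= 1.2, and HSTS with a long max-age.
Added example; not dbt Labs code."""
import http.client
import socket
import ssl
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# One year in seconds: the max-age commonly required for HSTS preload lists.
MIN_HSTS_MAX_AGE = 31536000


@dataclass
class Observation:
    """What a probe of one host saw (field names are this example's own)."""
    http_status: int               # status returned for the plain-HTTP request
    http_location: Optional[str]   # Location header on that response, if any
    tls_version: Optional[str]     # e.g. "TLSv1.2" / "TLSv1.3"; None if handshake failed
    hsts_header: Optional[str]     # raw Strict-Transport-Security value over HTTPS


def parse_hsts(value: Optional[str]) -> dict:
    """Parse a Strict-Transport-Security header into its directives."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    if not value:
        return result
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                result["max_age"] = int(arg.strip().strip('"'))
            except ValueError:
                pass  # malformed max-age is treated as absent
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def evaluate(host: str, obs: Observation) -> list:
    """Return a list of findings; an empty list means all three properties hold."""
    findings = []
    # 1. Plain HTTP must redirect to the HTTPS origin of the same host.
    if obs.http_status not in (301, 302, 307, 308):
        findings.append(f"HTTP request not redirected (status {obs.http_status})")
    else:
        target = urlparse(obs.http_location or "")
        if target.scheme != "https" or target.hostname != host:
            findings.append(f"HTTP redirect does not point at https://{host} ({obs.http_location})")
    # 2. The negotiated TLS version must be 1.2 or newer.
    if obs.tls_version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"TLS version {obs.tls_version} is below 1.2")
    # 3. HSTS must be present with a max-age of at least a year.
    hsts = parse_hsts(obs.hsts_header)
    if hsts["max_age"] is None:
        findings.append("Strict-Transport-Security header missing or has no max-age")
    elif hsts["max_age"] < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {hsts['max_age']} is shorter than {MIN_HSTS_MAX_AGE}")
    return findings


def probe(host: str, timeout: float = 5.0) -> Observation:
    """Collect the observations live (needs network; not used by the offline demo)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("HEAD", "/", headers={"Host": host})
    resp = conn.getresponse()
    http_status, http_location = resp.status, resp.getheader("Location")
    conn.close()
    ctx = ssl.create_default_context()  # verifies the certificate chain and host name
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls_version = tls.version()
    sconn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
    sconn.request("HEAD", "/", headers={"Host": host})
    hsts = sconn.getresponse().getheader("Strict-Transport-Security")
    sconn.close()
    return Observation(http_status, http_location, tls_version, hsts)


# Constructed sample observations (not real probe results).
GOOD = Observation(301, "https://cloud.example.com/", "TLSv1.3",
                   "max-age=31536000; includeSubDomains; preload")
WEAK = Observation(200, None, "TLSv1.0", "max-age=300")

if __name__ == "__main__":
    for name, obs in (("good", GOOD), ("weak", WEAK)):
        print(name, evaluate("cloud.example.com", obs) or "all checks passed")
```

Run it as-is to see the constructed GOOD and WEAK observations evaluated; replace the constructed data with `evaluate(host, probe(host))` to check a live host. The three checks are independent, so a host that only fails HSTS is reported as such rather than being lumped into one pass/fail bit.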
Data remains in your data warehouse; we don’t upload or download it. Your query is written on the frontend of our tool in your browser (it is not cached by dbt Labs), behind your firewalls and VPN, and is not seen by any of our employees unless you screen share with our support team. Even if you use a preview pane, that is also under your control or that of the data warehouse and is not accessible from our systems. Once written or as scheduled, the query runs through the IDE’s backend. dbt Labs has set up the backend to be fully automated; it is not accessible by dbt Labs personnel unless a problem occurs with the tool, and then only the personnel capable of diagnosing and fixing that problem have access.
For development purposes, analysts can write queries from the IDE against development data, for example “select * from customers limit 100”. In that case the data from your development customers table passes through the dbt Cloud infrastructure on the way to your browser. Data does not live on our servers outside of your ephemeral session, dbt Labs employees are not able to access those sessions, and data is not written to disk. Upon request for Enterprise accounts, this IDE Preview functionality can be disabled.
dbt Cloud stores the following data persistently:
- dbt Cloud account information including job definitions, database connection information, users, etc. Cloud account information does not include any raw data from your warehouse.
- Logs associated with jobs and interactive queries you’ve run.
- Your dbt “assets” which include things like run_results.json and manifest.json.
Logs and assets do not include raw data from the warehouse unless the code you write commands it. For example, it’s possible to write dbt code that fetches all customer data from your customer table and writes it to the logs. While that’s usually not a good idea, it is possible, and would mean that information is stored in dbt Cloud.
For more information about the data we collect, how we use it or how to remove it from our systems, please refer to our Privacy Policy.
dbt Cloud is hosted in multiple regions and will always connect to your data platform or git provider from the IP addresses found here. Be sure to allow traffic from these IPs in your firewall, and include them in any database grants.
dbt Cloud Enterprise plans can choose to have their account hosted in any of the regions found here. Organizations must choose a single region per dbt Cloud account. If you need to run dbt Cloud in multiple regions, we recommend using multiple dbt Cloud accounts.
For more information, please visit this link.
dbt Cloud undergoes annual penetration testing by an outside provider, and regularly installs the latest, secure versions of all underlying software.
dbt Labs is committed to working with security researchers across the world to keep our systems secure. If you believe you have found a security vulnerability in dbt Core, dbt Cloud, or another dbt Labs product, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. Please review our Security Bug Bounty Program at www.getdbt.com/security/disclosure.
If you believe you have discovered a problem or have any questions, please contact us at bug-bounty@dbtlabs.com.
- dbt Cloud’s data centers are hosted using Amazon Web Services, where they are protected by electronic security, intrusion detection systems, and 24/7/365 human staff.
- dbt Cloud uses actively maintained, long-term-supported operating systems that are kept up to date with the latest security patches.
- dbt Cloud uses a dedicated firewall and private network to prevent unauthorized network access.
- We limit access to sensitive data to those with a business reason for access.
- dbt Labs follows a shift left security model to ensure security is engaged early and often throughout development.
- Our engineers are required to complete secure code training at least annually and they follow OWASP guidelines per our Security Development Lifecycle.
- All code must be peer reviewed before production, as part of our Change Management Policy.
- A security and privacy data protection impact assessment must be completed for all product feature requests and product feature changes.
New vulnerabilities or new patches are detected by the various monitoring and scanning dbt Labs has in place. Many vulnerabilities are addressed within 24 hours by automated update processes, at which time the vulnerability is closed out. Engineering tracks any vulnerability not addressable through automation to resolution.