Confluent's Commitment to Data Privacy: Announcing ISO 27701 Certification

At Confluent, we are dedicated to fostering a privacy-first culture. We are committed to safeguarding the confidentiality and integrity of our users' personal information, adhering to regulatory requirements, and implementing robust privacy measures. Now more than ever, with the adoption of the adequacy decision for the EU-US Data Privacy Framework, we affirm these commitments daily. Through continuous improvement and transparency, we strive to earn and maintain our customers’ trust, ensuring their data remains secure and their privacy is respected at all times.

That is why we are proud to announce that we have earned our ISO 27701:2019 certification (Processor and Controller) (ISO 27701). The certification covers Confluent Platform and Confluent Cloud, as well as all of Confluent’s assets, technologies, and processes employed by Confluent for processing, management, and delivery of services to its customers. The third party audit conducted as part of the certification process found no nonconformities or opportunities for improvement in these areas. The net result of this certification is assurance to Confluent’s customers that a third party auditor independently reviewed and verified that Confluent’s privacy program meets global privacy standards aligned with privacy laws such as the General Data Protection Regulation (GDPR).

What is ISO 27701? 

The ISO 27701 standard provides an international framework for managing privacy information in relation to the processing of personal data. This certification demonstrates that Confluent has implemented and maintains a privacy information management system (PIMS) that meets the requirements of ISO 27701. It is an extension to ISO 27001, the international standard for information security management systems (ISMS).

The ISO 27701 standard sets out a PIMS that includes controls for the protection of personal data including 135 separate controls/requirements in conjunction with all ISO 27001 controls. It is a global certification designed to help organizations comply with international privacy laws and regulations, including the GDPR. The ISO 27701 standard contains an Annex D that gives an indicative mapping between provisions of ISO 27701 and Articles 5 to 49 of the GDPR, excluding Article 43 (certification bodies), showing how compliance with ISO 27701's requirements and controls can help fulfill GDPR obligations. The net result is that ISO 27701 provides Confluent with externally audited compliance with many material requirements of the GDPR. 

Author’s note: Confluent cannot provide the exact controls covered by ISO 27701 because all content on ISO Online and all ISO publications are copyright protected. The copyright is owned by ISO. More information about the ISO 27701 standard may be found here: https://www.iso.org/standard/71670.html. 

How did Confluent obtain the ISO 27701 certification?

ISO certifications are provided by independent third-party certification bodies that are accredited by International Accreditation Forum (IAF) or other similar accreditation bodies. These certification bodies are responsible for auditing a company's management system and verifying its compliance with the requirements of a particular ISO standard. In this case, Moss Adams was the certification body that audited Confluent and provided its resulting certification.

In order to obtain the ISO 27701 certification, Confluent underwent a rigorous audit process, including the certification body’s review of the company's privacy management system, policies, procedures, and controls to ensure they meet the requirements of the ISO 27701 standard. The planning process spanned multiple years and the audit process itself took several months requiring a significant investment of time and resources from the entire company. 

How does our ISO 27701 certification benefit our customers?

Confluent's ISO 27701 certification demonstrates our commitment to protecting our customers' privacy and complying with relevant privacy laws for several reasons:

1. Comprehensive PIMS: Our PIMS is designed to identify, assess, and manage privacy risks, ensuring that our customers' data is protected at all times. Our PIMS is regularly audited and reviewed to ensure that it continues to meet the highest standards of privacy protection.

2. Strong security measures: We have implemented strong security measures, such as data encryption, access controls, and regular vulnerability assessments, to prevent unauthorized access to our customers' data. These measures help to protect our customers' data from external threats and cyber attacks.

3. Compliance with privacy laws: With the increasing number of privacy laws, compliance has become a top concern for many organizations. Our ISO 27701 certification demonstrates that we are committed to complying (and therefore helping our customers to comply) with material requirements of relevant legislation, such as GDPR, California Consumer Privacy Act (CCPA), Brazilian Lei Geral Proteção de Dados Pessoais (LGPD), Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and Health Insurance Portability and Accountability Act (HIPAA). 

4. Building customer trust: By obtaining the ISO 27701 certification, we are demonstrating our commitment to protecting our customers' privacy. Our certification can help our customers meet their own regulatory requirements by providing evidence of our commitment to protecting their data, assisting our customers in conducting their own Data Protection Impact Assessments, Transfer Impact Assessments, and Privacy Impact Assessments. This helps our customers avoid potential fines and penalties for non-compliance with data privacy regulations.

In addition to our ISO 27701 certification, Confluent Cloud’s numerous privacy-focused controls and features help companies meet their own internal privacy standards. These controls and features include:

• Data encryption: All data is encrypted at rest in Confluent Cloud clusters by default with support for self-managed encryption keys.

• Role-based access controls: We provide granular access controls to ensure that only authorized users can access customer data including integrations with popular identity and access management systems to provide secure authentication and authorization.

• Infinite storage: We allow our customers control over retention settings by decoupling their storage and compute costs.

• Guaranteed resiliency: With 99.99% uptime SLA, customers can offload operations to keep Kafka up and running with one of the industry’s best SLAs. 

• Stream governance: Establishes trust in the data streams moving throughout customers’ cloud environments by tracking: Where did data come from? Where is it going? And where, when, and how was it transformed?

• Multizone replication: Protects against single-zone failures with synchronous replication across three zones.

• Cluster Linking: Simplifies geo-replication and multi-cloud data movement to increase availability and reliability.

• High durability: Avoids data corruption issues with proactive and robust real-time auditing services.

Confluent's ISO 27701 certification sets us apart in demonstrating our commitment to identify, assess, and manage privacy risks, helping to protect your data at all times. To see more about ISO 27701 certification, visit our Trust and Security Page. Contact your Confluent account team to learn more about how we can help you with your privacy concerns or reach out to our Privacy Team directly at privacy@confluent.io.