New connectors, cluster shrink, & more within our Q1 Cloud Launch | Read the blog

Trust & Security

Confluent's product offerings are designed to support the needs of our enterprise customers for security, compliance, and privacy. Our customers operate in many highly regulated industries including financial services, healthcare, government, energy, and high-tech. We support security platforms at major financial institutions for information security use cases including security event management and fraud detection and response. Our customers include many of the largest institutions throughout the United States, Asia, and Europe.

Security Controls

Confluent implements layered security controls designed to protect and secure Confluent Cloud customer data. We incorporate multiple logical and physical security controls including access management, least privilege, strong authentication, logging and monitoring, vulnerability management, bug bounty programs, and many others. To learn more about our Confluent Cloud security controls, please see the Security Whitepaper here.



SOC 1 Type 2 is a regularly refreshed report that focuses on user entities' internal control over financial reporting. We currently offer SOC 1 Type 2 reports for Confluent Cloud and Confluent Platform. Request Confluent’s SOC 1 Type 2 reports here.


SOC 2 Type 2 is a regularly refreshed report that focuses on non-financial reporting controls as they relate to security, availability, and confidentiality. We currently offer SOC 2 Type 2 reports for Confluent Cloud and Confluent Platform. Request Confluent’s SOC 2 Type 2 reports here.


SOC 3 is a general use report that focuses on non-financial reporting controls as they relate to security, availability, and confidentiality. We currently offer SOC 3 reports for Confluent Cloud and Confluent Platform. Click here to download the SOC 3 report for Confluent Cloud and click here for Confluent Platform


The Payment Card Industry Data Security Standards (PCI DSS) is an information security standard designed to ensure that companies processing, storing, or transmitting payment card information maintain a secure environment. Customers shall not transmit cardholder or sensitive authentication data (as those terms are defined in the PCI DSS standards) unless such data is message-level encrypted by the customer. Request Confluent’s Attestation of Compliance (AOC) here.

CSA Star Level 1

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA’s self-assessment tool is the Consensus Assessments Initiative Questionnaire (CAIQ). Confluent’s CAIQ can be found here.

ISO 27001

The International Organization for Standardization 27001 Standard (ISO 27001) provides a framework for Information Security Management Systems (ISMS) to support continued confidentiality, integrity, and availability of information. These certifications run for 3 years and have annual surveillance audits. Download Confluent’s ISO 27001 Certification. Request Confluent’s ISO 27001 Statement of Applicability (SoA) here.

European Financial Services Regulation (EBA)

Confluent has completed a cross-functional compliance initiative to evaluate Confluent Cloud in the context of the European Banking Authority’s (EBA) Guidelines on Outsourcing Arrangements (“EBA Guidelines), and has prepared the following documentation which presents its positions with regard to these:
  1. European Financial Services Regulatory Positions Statement
  2. EBA Outsourcing Guidelines - Confluent Cloud Offering Mapping
  3. EBA Financial Services Addendum (AWS) - Customer Requests for Documentation
  4. Confluent Cloud Services Agreement - Exit Assistance


The ENX Association supports the Trusted Information Security Assessment Exchange (TISAX) on behalf of the German Association of the Automotive Industry (VDA). The TISAX Assessments are conducted by accredited audit providers that demonstrate their qualification at regular intervals. TISAX and TISAX results are not intended for the general public. The result (Scope-ID: S4PCMP; Assessment-ID: AV56AB-2) is exclusively available on request over the ENX Portal here.


Confluent is committed to being transparent about the data we handle and how we handle it. Confluent’s Privacy Policy can be found here.

GDPR Readiness

The General Data Protection Regulation (GDPR) regulates the use and protection of personal data originating from the European Economic Area (EEA) and provides individuals rights with regard to their data. Confluent is committed to supporting our customers in their GDPR compliance efforts. Confluent’s Data Processing Addendum for Confluent Cloud customers can be found here.

CCPA Readiness

The California Consumer Privacy Act (CCPA) creates consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. Confluent is committed to supporting its customers in their CCPA compliance efforts. Confluent's Data Processing agreement for Confluent Cloud customers addresses both GDPR and CCPA requirements and can be found here.

HIPAA Readiness

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates protecting the privacy and security of health information. Confluent can support HIPAA-related customer data after a Business Associate Agreement (BAA) has been properly executed with Confluent.

FAQs - Data Transfers in Connection to Confluent Cloud

Confluent is closely monitoring the developments in the privacy sphere. Confluent’s Privacy Team has gathered and replied to frequently asked questions of clients when it comes to data transfers outside of the EEA in connection to Confluent Cloud.

Business Continuity and Disaster Recovery

Confluent Cloud runs on infrastructure with a high level of availability and a resilient IT architecture. Confluent Cloud was designed to handle system and hardware failures with minimal or no customer impact. For additional information, request our Business Continuity and Disaster Recovery plan and client summary here.

Penetration Testing

Confluent employs a third party security firm to perform Security, Vulnerability, and Penetration testing for all our products. These are run at least annually and findings are remediated according to their criticality and prioritization. Confluent’s penetration and security assessment test summaries can be requested here

Bug Bounty

Confluent is committed to working with industry experts and security researchers to ensure our products are the most secure they can be for our customers. Confluent partners with HackerOne in order to continuously improve our security posture. If you would like to be invited into our bug bounty program, please send a request to

System Status

For high level availability information for the Confluent Cloud managed service visit our status page

Request Documentation

Show all
  • Show all
  • Confluent Cloud SOC 1 Type 2 Report
  • Confluent Platform SOC 1 Type 2 Report
  • Confluent Cloud SOC 2 Type 2 Report
  • Confluent Platform SOC 2 Type 2 Report
  • Confluent ISO 27001 SoA
  • Confluent PCI-DSS AOC
  • BCP/DR Tabletop Exercise Summary
  • BCP/DR Plan Client Summary
  • Confluent Cloud - Penetration Test - Customer Letter
  • Confluent Platform - Penetration Test - Customer Letter
  • Confluent Corporate Network - Penetration Test - Customer Letter
Please add to your trusted senders list to ensure you receive emails from us.
Some ad/script blockers may not play nice with the request form. You may need to disable them to ensure your request is successfully processed.
Only one document can be requested at a time. If you need to request multiple documents, please refresh the page.