Trust & Security

Confluent Cloud is uncompromising when it comes to data security. It secures your data through encryption at rest and in transit, and offers additional options,, including BYOK encryption and private networking connectivity.

• Encrypt data at rest with Bring Your Own Key (BYOK) options
• Data-in-motion encryption
• Secure private network connectivity

Confluent offers rich Identity and Access Management controls that helps you manage and monitor where and who accesses the data.

• Authorization with Role-Based Access Control (RBAC)
• Audit Logs

Confluent is committed to working with industry experts and security researchers to ensure our products are the most secure they can be for our customers. Please note that our bug bounty program is currently invitation-only and we do not add researchers based on undisclosed issues. If you have found a security impacting issue, we encourage you to share your findings with us at security@confluent.io. Based on the nature of the issue and the quality of the report, you could potentially be eligible to join the program.

Confluent employs a third party security firm to perform Security, Vulnerability, and Penetration testing for all our products. These are run at least annually and findings are remediated according to their criticality and prioritization. Confluent's penetration and security assessment test summaries can be requested.

SOC 1 Type 2 is a regularly refreshed report that focuses on user entities' internal control over financial reporting. We currently offer SOC 1 Type 2 reports for Confluent Cloud and Confluent Platform. Request Confluent's SOC 1 Type 2 reports.

SOC 2 Type 2 is a regularly refreshed report that focuses on non-financial reporting controls as they relate to security, availability, and confidentiality. We currently offer SOC 2 Type 2 reports for Confluent Cloud and Confluent Platform. Request Confluent's SOC 2 Type 2 reports.

SOC 3 is a general use report that focuses on non-financial reporting controls as they relate to security, availability, and confidentiality. We currently offer SOC 3 reports for Confluent Cloud and Confluent Platform. Download the SOC 3 report for Confluent Cloud and Confluent Platform

The Payment Card Industry Data Security Standards (PCI DSS) is an information security standard designed to ensure that companies processing, storing, or transmitting payment card information maintain a secure environment. Customers shall not transmit cardholder or sensitive authentication data (as those terms are defined in the PCI DSS standards) unless such data is message-level encrypted by the customer. Request Confluent's Attestation of Compliance (AOC).

The Cloud Security Alliance (CSA) is the world's leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA's self-assessment tool is the Consensus Assessments Initiative Questionnaire (CAIQ).

The International Organization for Standardization 27001 Standard (ISO 27001) provides a framework for Information Security Management Systems (ISMS) to support continued confidentiality, integrity, and availability of information. These certifications run for 3 years and have annual surveillance audits. Download Confluent's ISO 27001 Certification. Request Confluent's ISO 27001 Statement of Applicability (SoA).

Confluent has carried out a cross-functional stakeholder compliance initiative to evaluate its Confluent Cloud offering in the context of EMEA Financial Services Regulations, in particular the European Banking Authority’s (EBA) Guidelines on Outsourcing Arrangements (“EBA Guidelines”) as well as other Financial Services and Insurance (“FSI”) regulatory frameworks throughout the world, and has prepared the following suite of documentation which presents its positions with regard to these:

1. Confluent Cloud - European Regulatory Positions Statement (EBA)
2. Confluent Cloud Offering Mapping - EBA Outsourcing Guidelines
3. AWS - EBA Financial Services Addendum - Summary and Customer Requests for Documentation
4. Microsoft Customer Agreement - Confluent ISV Financial Services Amendment (EBA) - Summary and Requests for Documentation
5. Confluent Cloud Services Agreement - Exit Assistance

The ENX Association supports the Trusted Information Security Assessment Exchange (TISAX) on behalf of the German Association of the Automotive Industry (VDA). The TISAX Assessments are conducted by accredited audit providers that demonstrate their qualification at regular intervals. TISAX and TISAX results are not intended for the general public. The result (Scope-ID: S4PCMP; Assessment-ID: AV56AB-2) is exclusively available on request over the ENX Portal.

The HITRUST Common Security Framework (CSF) is a certifiable framework that leverages internationally accepted standards and frameworks-including ISO, NIST, HIPAA, GDPR, and PCI–to help healthcare organizations and their providers demonstrate their security and compliance. The certification is refreshed annually and focuses on implementation, for greater assurance that control requirements are in place and operating as intended.

The General Data Protection Regulation (GDPR) regulates the use and protection of personal data originating from the European Economic Area (EEA) and provides individuals rights with regard to their data. Confluent is committed to supporting our customers in their GDPR compliance efforts. See Confluent Cloud Data Processing Addendum.

The California Consumer Privacy Act (CCPA) creates consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. Confluent is committed to supporting its customers in their CCPA compliance efforts. Confluent's Data Processing agreement for Confluent Cloud customers addresses both GDPR and CCPA requirements.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates protecting the privacy and security of health information. Confluent can support HIPAA-related customer data after a Business Associate Agreement (BAA) has been properly executed with Confluent.

Confluent is closely monitoring the developments in the privacy sphere. Confluent's Privacy Team has gathered and replied to frequently asked questions of clients when it comes to data transfers outside of the EEA in connection to Confluent Cloud.

We believe customers deserve to understand our practices for responding to Third Party Authority Requests. The Confluent Guidelines for Law Enforcement outlines such practices, as well as inform Third Party Authorities about the process for requesting Customer Data from Confluent.

Once per year Confluent publishes the Transparency Report, which outlines the number of requests for Customer Data received by Confluent from Third-Party Authorities. Up to December 31st, 2022, Confluent has not received any Third-Party Authority Request.