Trust & Security

Confluent Cloud is uncompromising when it comes to data security. It secures your data through encryption at rest and in transit, and offers additional options,, including BYOK encryption and private networking connectivity.

• Encrypt data at rest with Bring Your Own Key (BYOK) options
• Data-in-motion encryption
• Secure private network connectivity

Confluent offers rich Identity and Access Management controls that helps you manage and monitor where and who accesses the data.

• Authorization with Role-Based Access Control (RBAC)
• Audit Logs

Confluent is committed to working with industry experts and security researchers to ensure our products are the most secure they can be for our customers. Please note that our bug bounty program is currently invitation-only and we do not add researchers based on undisclosed issues. If you have found a security impacting issue, we encourage you to share your findings with us at security@confluent.io. Based on the nature of the issue and the quality of the report, you could potentially be eligible to join the program.

Confluent employs a third party security firm to perform Security, Vulnerability, and Penetration testing for all our products. These are run at least annually and findings are remediated according to their criticality and prioritization. Confluent's penetration and security assessment test summaries can be requested.

SOC 1 Type 2 is a regularly refreshed report that focuses on user entities' internal control over financial reporting. We currently offer SOC 1 Type 2 reports for Confluent Cloud and Confluent Platform. Request Confluent's SOC 1 Type 2 reports.

SOC 2 Type 2 is a regularly refreshed report that focuses on non-financial reporting controls as they relate to security, availability, and confidentiality. We currently offer SOC 2 Type 2 reports for Confluent Cloud and Confluent Platform. Request Confluent's SOC 2 Type 2 reports.

SOC 3 is a general use report that focuses on non-financial reporting controls as they relate to security, availability, and confidentiality. We currently offer SOC 3 reports for Confluent Cloud and Confluent Platform. Download the SOC 3 report for Confluent Cloud and Confluent Platform

The Payment Card Industry Data Security Standards (PCI DSS) is an information security standard designed to ensure that companies processing, storing, or transmitting payment card information maintain a secure environment. Customers shall not transmit cardholder or sensitive authentication data (as those terms are defined in the PCI DSS standards) unless such data is message-level encrypted by the customer. Request Confluent's Attestation of Compliance (AOC).

The Cloud Security Alliance (CSA) is the world's leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA's self-assessment tool is the Consensus Assessments Initiative Questionnaire (CAIQ).

The International Organization for Standardization 27001 Standard (ISO 27001) provides a framework for Information Security Management Systems (ISMS) to support continued confidentiality, integrity, and availability of information. These certifications run for 3 years and have annual surveillance audits. Download Confluent's ISO 27001 certificate and Statement of Applicability (SoA)..

To assist our regulated Financial Services customers to understand how they can use Confluent Cloud in compliance with their regulatory obligations and how Confluent meets minimum contracting requirements, in particular under the Digital Operational Resilience Act (DORA) and other Financial Services regulatory frameworks throughout the world, Confluent and has prepared the following suite resources.

1. Confluent Cloud - European Regulatory Positions Statement (EBA)
2. Confluent Cloud Offering Mapping - EBA Outsourcing Guidelines
3. AWS - EBA Financial Services Addendum - Summary and Customer Requests for Documentation
4. Microsoft Customer Agreement - Confluent ISV Financial Services Amendment (EBA) - Summary and Requests for Documentation
5. Confluent Cloud Services Agreement - Exit Assistance
6. Digital Operational Resilience Act (DORA) Confluent Cloud Offering Mapping

The ENX Association supports the Trusted Information Security Assessment Exchange (TISAX) on behalf of the German Association of the Automotive Industry (VDA). The TISAX Assessments are conducted by accredited audit providers that demonstrate their qualification at regular intervals. TISAX and TISAX results are not intended for the general public. The result (Scope-ID: SR5PY9; Assessment-ID: AV29AS-1) is exclusively available on request over the ENX Portal.

The HITRUST Common Security Framework (CSF) is a certifiable framework that leverages internationally accepted standards and frameworks-including ISO, NIST, HIPAA, GDPR, and PCI–to help healthcare organizations and their providers demonstrate their security and compliance. The certification is refreshed annually and focuses on implementation, for greater assurance that control requirements are in place and operating as intended.

Confluent is committed to supporting our customers in their GDPR compliance efforts. Learn more.

Confluent is committed to supporting its customers in their CCPA compliance efforts. Learn more.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates protecting the privacy and security of health information. Confluent can support HIPAA-related customer data after a Business Associate Agreement (BAA) has been properly executed with Confluent.

Confluent is committed to supporting its customers in their LGPD compliance efforts. Learn more.

Customers deserve to understand our practices for responding to Third Party Authority Requests. Learn more.

Confluent publishes a report which outlines the number of requests for Customer Data received by Confluent from Third-Party Authorities. Learn more.