Skip to main content

Security & Trust Center

Your data security is our priority

 

 

Trust

Our trusted platform is built by embedding security throughout the software development and delivery lifecycle. We follow rigorous operational security practices such as penetration testing, vulnerability assessments and strong internal access controls. We believe transparency is the key to winning trust — we publicly share how we operate, and work closely with our customers and partners to address their security needs. We have offerings for PCI-DSS, HIPAA and FedRAMP compliance, and we are ISO 27001, ISO 27017, ISO 27018 and SOC 2 Type II compliant.

Contractual commitment

Beyond the documentation and best practices that you will find in our Security and Trust Center, we also provide a contractual commitment to security written in plain language to all our customers. This commitment is captured in the Security Addendum of our customer agreement, which describes the security measures and practices that we follow to keep your data safe.

Vulnerability management

Detecting and quickly fixing vulnerable software that you rely on is among the most important responsibilities of any software or service provider. We take this responsibility seriously and share our remediation timeline commitments in our Security Addendum.

Internally, we have automated vulnerability management to effectively track, prioritize, coordinate and remediate vulnerabilities in our environment. We perform daily authenticated vulnerability scans of Databricks and third-party/open-source packages used by Databricks, along with static and dynamic code analysis (SAST and DAST) using trusted security scanning tools, before we promote new code or images to production. Databricks also employs third-party experts to analyze our public-facing sites and report potential risks.

Databricks has funded a Vulnerability Response Program for monitoring emerging vulnerabilities before they’re reported to us by our scanning vendors. We accomplish this using internal tools, social media, mailing lists and threat intelligence sources (e.g., US-CERT and other government, industry and open-source feeds). Databricks monitors open vulnerability platforms, such as Open CVDB. We have an established process for responding to these so we can quickly identify the impact on our company, product or customers. This program allows us to quickly reproduce reported vulnerabilities and resolve zero-day vulnerabilities.

Our Vulnerability Management Program is committed to treating Severity-0 vulnerabilities, such as zero days, with the highest urgency, prioritizing their fix above other rollouts.

Penetration testing and bug bounty

We perform penetration testing through a combination of our in-house offensive security team, qualified third-party penetration testers and a year-round public bug bounty program. We use a mixture of fuzzing, secure code review and dynamic application testing to evaluate the integrity of our platform and the security of our application. We conduct penetration tests on major releases, new services and security-sensitive features. The offensive security team works with our incident response team and security champions within engineering to resolve findings and infuse learnings throughout the company.

We typically perform 8-10 external third-party penetration tests and 15-20 internal penetration tests per year, and all material findings must be addressed before a test can be marked as passed. As part of our commitment to transparency, we publicly share our platform-wide third-party test report in our due diligence package.

Security investigations and incident response

We use Databricks as our SIEM and XDR platform to process over 9 terabytes of data per day for detection and security investigations. We ingest and process logs and security signals from cloud infrastructure, devices, identity management systems, and SaaS applications. We use structured streaming pipelines and Delta Live Tables to identify the most relevant security events using a data-driven approach and statistical ML models to generate novel alerts, or to correlate, de-duplicate and prioritize existing alerts from known security products. We model our runbooks on adversary tactics, techniques and procedures (TTP) tracked using the MITRE ATT&CK framework. Our security investigations team uses collaborative Databricks notebooks to create repeatable investigation processes, continually evolve incident investigation playbooks, and perform threat hunting against more than 2 petabytes of historic event logs handling complex searches over unstructured and semi-structured data.

Our incident response team stays up to date and helps Databricks prepare for incident management scenarios by:

  • Participating in industry-reputed courses from vendors like SANS and attending security conferences like fwd:cloudsec, Black Hat, BSides, RSA
  • Performing regular tabletop exercises with executive leadership and internal teams to practice security response scenarios relevant to Databricks products and corporate infrastructure
  • Collaborating with engineering teams to prioritize platform observability to allow effective security detection and response
  • Regularly updating hiring and training strategies based on an evolving incident response skills and capabilities matrix

Internal access

We apply strict policies and controls to internal employee access to our production systems, customer environments and customer data.

Secure software development lifecycle

Databricks has a software development lifecycle (SDLC) that builds security into all design, development and production steps — from feature requests to production monitoring — supported by tooling designed to trace a feature through the lifecycle. We have automatic security scanning and automated vulnerability tracking of systems, libraries and code.

Security Policy and Communication Details

Databricks follows RFC 9116, ISO/IEC 30111:2019(E), and ISO/IEC 29147:2018(E) standards for security vulnerability handling and communications. For details on our secure communications and PGP signature, please refer to our security.txt file.