Security and Compliance

Materialize is built with security as a first priority to ensure customer data remains private, secure and available.

On-Platform Security

Customer data is encrypted while in transit to the platform and at rest and fully isolated at both the compute and control layers in dedicated partitioned per-customer environments.

undefined

  • Data at Rest

    Source data, Tables and Materialized Views are isolated by customer and encrypted at rest throughout the service.

  • Tenant Isolation

    Materialize Cloud isolates each customer's infrastructure using strict network access control policies and container sandboxing.

  • Audit Events

    Materialize provides a system table `mz_audit_events` which records create, alter, drop events for objects in the system catalog.

  • RBAC: User-Level Privileges

    SQL RBAC (Role-Based Access Control) allows fine-grained tuning of access privileges by user and role.

undefined

SOC 2 Type 2 Compliant

Our data protection controls are assessed by external auditors. To see our SOC 2 Type 2 Compliance report, get in touch.

Streaming Connection Security

With streaming inputs like Kafka and Postgres Sources, Materialize establishes durable, secure two-way connections with customer infrastructure. This is done using proven connection patterns established by companies with similar requirements like Fivetran.

undefined

Postgres Connection Security

Postgres Sources support network-level security over SSH Tunneling + application-level security via standard TLS auth.

  • SSH Tunnel with Bastion Host

    Create a secure connection with Materialize-generated Ed25519 keys to keep your database from being exposed to the public internet.

  • TLS Encryption

    Keep network traffic encrypted between Materialize and Database with standard Postgres SSL options.

  • Secure Passwords

    The SECRET object allows you to protect a password from accidental exposure in Materialize.

  • Static IPs for IP Allowlisting

    All outbound traffic from Materialize Cloud originates from a fixed set of IPs that you can allowlist in your environment.

undefined

Kafka Connection Security

Kafka supports application level TLS Authentication + Authorization over public-facing IP.

  • SSL and SASL Authentication

    Materialize currently supports SSL or SASL encrypted connections for Broker and Registry.

  • Secure Keys

    The SECRET object allows you to protect certificates, passwords and keys from accidental exposure in Materialize.

  • Static IPs for Allowlisting

    All outbound traffic from Materialize Cloud originates from a fixed set of IPs that you can allowlist in your environment.

  • AWS PrivateLink

    AWS PrivateLink is available for participating enterprise customers.

undefined

Webhook Connection Security

Authenticate webhooks at ingest

Shared Responsibility Model

Materialize is a modern cloud platform designed with shared controls to provide customers with the ability to manage their environments and data. The following are available for customers.

undefined

  • Account management

    Tenant accounts and account permissions are set by the customer using native RBAC. 2FA, SSO, and password requirements are configurable and highly recommended.

  • Data accuracy

    Materialize is the processor and our customers are the data controllers. Data accuracy and completeness is fully controlled by platform users.

  • Data governance

    Materialize customers have full responsibility for responding to customer data privacy and governance requests. For details see our Privacy Policy.

Try Materialize Free

Get hands-on with a Free Trial. Bring your own data, or use data sources we provide.
Get Started Get a Demo