Security and Compliance
Materialize strives to follow cloud security standards to ensure connectivity and on-platform customer data remains private and secure.
On-Platform Security
Once customer data reaches Materialize, it is isolated from unauthorized access using encryption at rest and a single-tenant architecture at both the compute and control layers.
- Encryption at Rest in S3: Source data, tables and materialized views are isolated by customer and encrypted at rest in S3.
- Tenant Isolation: Materialize Cloud isolates each customer's infrastructure using strict network access control policies and container sandboxing.
- Audit Events: Materialize provides a system table `mz_audit_events` which records create, alter and drop events for objects in the system catalog.
- [In-Progress] RBAC: User-Level Privileges: SQL RBAC (Role-Based Access Control) will allow fine-grained tuning of access privileges by user and role.

SOC 2 Type 2 Compliant
Streaming Connection Security
With streaming inputs like the Kafka and Postgres sources, Materialize needs to establish a permanent two-way connection with customer infrastructure. This is done following connection patterns established by companies with similar requirements, such as Fivetran.
Postgres Connection Security
- SSH Tunnel with Bastion Host: Create a secure connection with Materialize-generated Ed25519 keys to keep your database from being exposed to the public internet.
- TLS Encryption: Keep network traffic encrypted between Materialize and your database with standard Postgres SSL options.
- Secure Passwords: The SECRET object allows you to protect a password from accidental exposure in Materialize.
- Static IPs for IP Allowlisting: All outbound traffic from Materialize Cloud originates from a fixed set of IPs that you can allowlist in your environment.
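The following is an added example, not taken from this page, that puts the Postgres controls above together: the password lives in a SECRET, the database is reached through an SSH tunnel to a bastion host, TLS is required, and the resulting catalog changes are then read back from `mz_audit_events`. Host names, the user names, the secret value and the exact column names of `mz_ssh_tunnel_connections` and `mz_audit_events` are assumptions to check against the Materialize documentation for your version.

```sql
-- 1. Keep the database password out of the connection definition and
--    out of query logs by storing it as a SECRET (value is a placeholder).
CREATE SECRET pg_password AS 'REPLACE_WITH_REAL_PASSWORD';

-- 2. Define the SSH tunnel to the bastion host. Materialize generates an
--    Ed25519 key pair for this connection; the private key never leaves
--    Materialize, so only the public key has to be installed on the bastion.
CREATE CONNECTION ssh_bastion TO SSH TUNNEL (
    HOST 'bastion.example.internal',   -- assumed bastion host name
    PORT 22,
    USER 'materialize'                 -- assumed unprivileged tunnel user
);

-- 3. Fetch the Materialize-generated public key(s) to add to the bastion
--    user's authorized_keys. (Column names assumed.)
SELECT public_key_1, public_key_2
FROM mz_ssh_tunnel_connections;

-- 4. Create the Postgres connection: password comes from the SECRET,
--    traffic is forced over the tunnel (the database needs no public
--    endpoint) and TLS is required on the Postgres session itself.
CREATE CONNECTION pg_source TO POSTGRES (
    HOST 'db.private.example.internal', -- assumed private RDS/DB host
    PORT 5432,
    USER 'materialize_replication',     -- assumed replication user
    PASSWORD SECRET pg_password,
    SSL MODE 'require',
    DATABASE 'app',
    SSH TUNNEL ssh_bastion
);

-- 5. Verify that the catalog changes above were recorded. The details
--    column should show the object names but never the secret's value.
--    (Column names assumed.)
SELECT occurred_at, event_type, object_type, details
FROM mz_audit_events
WHERE object_type IN ('secret', 'connection')
ORDER BY occurred_at DESC
LIMIT 10;
```

Because the secret value is referenced by name only, a later `SHOW CREATE CONNECTION` or the audit row shows `PASSWORD SECRET pg_password`, not the password itself.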
Kafka Connection Security
- SSL and SASL Authentication: Materialize currently supports SSL or SASL encrypted connections for the broker and the schema registry.
- Secure Keys: The SECRET object allows you to protect certificates, passwords and keys from accidental exposure in Materialize.
- Static IPs for Allowlisting: All outbound traffic from Materialize Cloud originates from a fixed set of IPs that you can allowlist in your environment.
- AWS PrivateLink: AWS PrivateLink is available for participating enterprise customers.