Security and Compliance
Materialize strives to follow cloud security standards to ensure that connectivity and on-platform customer data remain private and secure.
On-Platform Security
Once customer data reaches Materialize, it is isolated from access using encryption at rest and single-tenant architecture at both the compute and control layers.
- Encryption at Rest in S3
  Source data, Tables and Materialized Views are isolated by customer and encrypted at rest in S3.
- Tenant Isolation
  Materialize Cloud isolates each customer's infrastructure using strict network access control policies and container sandboxing.
- Audit Events
  Materialize provides a system table, `mz_audit_events`, that records create, alter, and drop events for objects in the system catalog.
- RBAC: User-Level Privileges
  SQL RBAC (Role-Based Access Control) allows fine-grained tuning of access privileges by user and role.

SOC 2 Type 2 Compliant
Your data is secure and compliant in Materialize. To see our SOC 2 Type 2 Compliance report, get in touch.
Streaming Connection Security
Postgres Connection Security
Postgres Sources support network-level security over SSH tunneling and application-level security via standard TLS authentication.
- SSH Tunnel with Bastion Host
  Create a secure connection with Materialize-generated Ed25519 keys to keep your database from being exposed to the public internet.
- TLS Encryption
  Keep network traffic between Materialize and your database encrypted with standard Postgres SSL options.
- Secure Passwords
  The SECRET object allows you to protect a password from accidental exposure in Materialize.
- Static IPs for IP Allowlisting
  All outbound traffic from Materialize Cloud originates from a fixed set of IPs that you can allowlist in your environment.
Kafka Connection Security
Kafka supports application-level TLS authentication and authorization over a public-facing IP.
- SSL and SASL Authentication
  Materialize currently supports SSL or SASL encrypted connections for Broker and Registry.
- Secure Keys
  The SECRET object allows you to protect certificates, passwords and keys from accidental exposure in Materialize.
- Static IPs for Allowlisting
  All outbound traffic from Materialize Cloud originates from a fixed set of IPs that you can allowlist in your environment.
- AWS PrivateLink
  AWS PrivateLink is available for participating enterprise customers.