Security and Compliance

Materialize strives to follow cloud security standards to ensure connectivity and on-platform customer data remains private and secure.

On-Platform Security

Once customer data reaches Materialize, it is isolated from access using encryption at rest and single-tenant architecture at both the compute and control layers.

  • Encryption at Rest in S3

    Source data, Tables and Materialized Views are isolated by customer and encrypted at rest in S3.

  • Tenant Isolation

    Materialize Cloud isolates each customer's infrastructure using strict network access control policies and container sandboxing.

  • Audit Events

    Materialize provides a system table `mz_audit_events` which records create, alter, drop events for objects in the system catalog.

  • [In-Progress] RBAC: User-Level Privileges

    SQL RBAC (Role-Based Access Control) will allow fine-grained tuning of access privileges by user and role.

SOC 2 Type 2 Compliant

Your data is secure and compliant in Materialize. To see our SOC 2 Type 2 Compliance report, get in touch.

Streaming Connection Security

With streaming inputs like the Kafka and Postgres Sources, Materialize needs to establish a permenant two-way connection between customer infrastructure. This is done following connection patterns established by companies with similar requirements like Fivetran.

Postgres Connection Security

Postgres Sources support network-level security over SSH Tunneling + application-level security via standard TLS auth.
  • SSH Tunnel with Bastion Host

    Create a secure connection with Materialize-generated Ed25519 keys to keep your database from being exposed to the public internet.

  • TLS Encryption

    Keep network traffic encrypted between Materialize and Database with standard Postgres SSL options.

  • Secure Passwords

    The SECRET object allows you to protect a password from accidental exposure in Materialize.

  • Static IPs for IP Allowlisting

    All outbound traffic from Materialize Cloud originates from a fixed set of IPs that you can allowlist in your environment.

Kafka Connection Security

Kafka supports application level TLS Authentication + Authorization over public-facing IP.
  • SSL and SASL Authentication

    Materialize currently supports SSL or SASL encrypted connections for Broker and Registry.

  • Secure Keys

    The SECRET object allows you to protect certificates, passwords and keys from accidental exposure in Materialize.

  • Static IPs for Allowlisting

    All outbound traffic from Materialize Cloud originates from a fixed set of IPs that you can allowlist in your environment.

  • AWS PrivateLink

    AWS PrivateLink is available for participating enterprise customers.

Sign Up for Access

Ready to see if Materialize works for your use case? Register for access today!

Get Access Get a Demo

Our Product

Developer

Data Guides

Company

Join the Materialize Community

Join hundreds of other Materialize users and connect directly with our engineers.

Join the Community

©  2023  Materialize, Inc. Terms of Service | Privacy Policy