Security and Compliance

Materialize strives to follow cloud security standards to ensure connectivity and on-platform customer data remains private and secure.

On-Platform Security

Once customer data reaches Materialize, it is isolated from access using encryption at rest and single-tenant architecture at both the compute and control layers.

  • Encryption at Rest in S3

    Source data, Tables and Materialized Views are isolated by customer and encrypted at rest in S3.

  • Tenant Isolation

    Materialize Cloud isolates each customer's infrastructure using strict network access control policies and container sandboxing.

  • Audit Events

    Materialize provides a system table `mz_audit_events` which records create, alter, drop events for objects in the system catalog.

  • RBAC: User-Level Privileges

    SQL RBAC (Role-Based Access Control) allows fine-grained tuning of access privileges by user and role.

SOC 2 Type 2 Compliant

Your data is secure and compliant in Materialize. To see our SOC 2 Type 2 Compliance report, get in touch.

Streaming Connection Security

With streaming inputs like the Kafka and Postgres Sources, Materialize needs to establish a permenant two-way connection between customer infrastructure. This is done following connection patterns established by companies with similar requirements like Fivetran.

Postgres Connection Security

Postgres Sources support network-level security over SSH Tunneling + application-level security via standard TLS auth.

  • SSH Tunnel with Bastion Host

    Create a secure connection with Materialize-generated Ed25519 keys to keep your database from being exposed to the public internet.

  • TLS Encryption

    Keep network traffic encrypted between Materialize and Database with standard Postgres SSL options.

  • Secure Passwords

    The SECRET object allows you to protect a password from accidental exposure in Materialize.

  • Static IPs for IP Allowlisting

    All outbound traffic from Materialize Cloud originates from a fixed set of IPs that you can allowlist in your environment.

Kafka Connection Security

Kafka supports application level TLS Authentication + Authorization over public-facing IP.

  • SSL and SASL Authentication

    Materialize currently supports SSL or SASL encrypted connections for Broker and Registry.

  • Secure Keys

    The SECRET object allows you to protect certificates, passwords and keys from accidental exposure in Materialize.

  • Static IPs for Allowlisting

    All outbound traffic from Materialize Cloud originates from a fixed set of IPs that you can allowlist in your environment.

  • AWS PrivateLink

    AWS PrivateLink is available for participating enterprise customers.

Try Materialize Free

Get hands-on with Materialize in a 14-day Free Trial. Bring your own data, or use data sources we provide.

Get Started Get a Demo