Materialize Cloud Security and Compliance

Materialize Cloud is built with security as a first priority to ensure customer data remains private, secure, and available.

On-Platform Security

In Materialize Cloud, customer data is encrypted while in transit to the platform and at rest. Each customer’s environment is fully isolated at both the compute and control layers within dedicated, partitioned environments.

undefined

  • Data at Rest

    Source data, Tables and Materialized Views are isolated by customer and encrypted at rest throughout the service.

  • Tenant Isolation

    Materialize Cloud isolates each customer's infrastructure using strict network access control policies and container sandboxing.

  • Audit Events

    Materialize provides a system table `mz_audit_events` which records create, alter, drop events for objects in the system catalog.

  • RBAC: User-Level Privileges

    SQL RBAC (Role-Based Access Control) allows fine-grained tuning of access privileges by user and role.

undefined

SOC 2 Type 2 Compliant

Our data protection controls are assessed by external auditors. To see our SOC 2 Type 2 Compliance report, get in touch.

Streaming Connection Security

With streaming inputs like Kafka and Postgres Sources, Materialize establishes durable, secure two-way connections with customer infrastructure. This is done using proven connection patterns established by companies with similar requirements like Fivetran.

undefined

Postgres Connection Security

Postgres Sources support network-level security over SSH Tunneling + application-level security via standard TLS auth.

  • SSH Tunnel with Bastion Host

    Create a secure connection with Materialize-generated Ed25519 keys to keep your database from being exposed to the public internet.

  • TLS Encryption

    Keep network traffic encrypted between Materialize and Database with standard Postgres SSL options.

  • Secure Passwords

    The SECRET object allows you to protect a password from accidental exposure in Materialize.

  • Static IPs for IP Allowlisting

    All outbound traffic from Materialize Cloud originates from a fixed set of IPs that you can allowlist in your environment.

undefined

Kafka Connection Security

Kafka supports application level TLS Authentication + Authorization over public-facing IP.

  • SSL and SASL Authentication

    Materialize currently supports SSL or SASL encrypted connections for Broker and Registry.

  • Secure Keys

    The SECRET object allows you to protect certificates, passwords and keys from accidental exposure in Materialize.

  • Static IPs for Allowlisting

    All outbound traffic from Materialize Cloud originates from a fixed set of IPs that you can allowlist in your environment.

  • AWS PrivateLink

    AWS PrivateLink is available for participating enterprise customers.

undefined

Webhook Connection Security

Authenticate webhooks at ingest

Shared Responsibility Model

Materialize is a modern cloud platform designed with shared controls to provide customers with the ability to manage their environments and data. The following are available for customers.

undefined

  • Account management

    Tenant accounts and account permissions are set by the customer using native RBAC. 2FA, SSO, and password requirements are configurable and highly recommended.

  • Data accuracy

    Materialize is the processor and our customers are the data controllers. Data accuracy and completeness is fully controlled by platform users.

  • Data governance

    Materialize customers have full responsibility for responding to customer data privacy and governance requests. For details see our Privacy Policy.

Get Started with Materialize

Get hands-on with a Free Trial. Materialize can be run as a service or you can self-manage anywhere.
Get Started Try it free