Ship securely without compromise

ISO 27001:2013 is a globally recognized standard for the establishment and certification of an information security management system (ISMS). The standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall business risks. It sets forth a risk-based approach that focuses on adequate and proportionate security controls that protect information assets and give confidence to interested parties. dbt Labs received its initial ISO27001:2013 certification on December 9, 2021. dbt Labs completed its most recent surveillance audit on November 17, 2023. The certificate is available for viewing here.

ISO 27701:2019 specifies requirements and guidelines to establish and continuously improve a Privacy Information Management System (PIMS), including processing of Personally Identifiable Information (PII), and is an extension of the ISO/IEC 27001 and ISO/IEC 27002 standards for information security management. It provides a set of additional controls and associated guidance that is intended to address public cloud PIMS and PII management requirements that aren’t addressed by the existing ISO/IEC 27002 control set, for both processors and controllers. dbt Labs is noted as a Processor. We have been assessed our conformity with the ISO/IEC 27701:2019 standard over our privacy information system and is combined with our ISO27001 certificate here.

A SOC 2 examination, performed by an independent, certified public accounting (CPA) firm, is an assessment of a service provider’s security control environment against the trust services principles and criteria set forth by the American Institute of Certified Public Accountants (AICPA). The result of the examination is a report which contains the service auditor’s opinion, a description of the system that was examined, management’s assertion regarding the description, and the testing procedures performed by the auditor. dbt Cloud completed a SOC 2 Type II examination, which means its controls were assessed based on their operating effectiveness over the reporting period of October 1, 2022 to September 30, 2023. Our SOC2 Type II is available for review under MNDA upon request.

dbt Cloud is fully GDPR compliant. dbt Cloud’s Terms of Service includes a Data Processing Addendum that enacts standard contractual clauses set forth by the European Commission to establish a legal basis for cross-border data transfers from the EU.

Before granting dbt Cloud access to data subject to PCI requirements, please contact support at support@getdbt.com.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. dbt Cloud has been assessed against relevant HIPAA Security criteria as part of our SOC2 Type II Report over the reporting period of October 1, 2022 to September 30, 2023. Our SOC2 Type II is available for review under MNDA upon request.