Security

The entire dbt Cloud team is focused on keeping you and your data safe. We adhere to industry-leading standards to manage our network, secure our application, and set policies across our organization.


Communication & Encryption

  • All connections to dbt Cloud are encrypted by default in both directions, using modern ciphers and cryptographic systems. We maintain an A+ rating from Qualys/SSL Labs. We encrypt in transit using TLS 1.2.

  • Any attempt to connect over HTTP is redirected to HTTPS.

  • We use HSTS to ensure browsers interact with dbt Cloud only over HTTPS.

  • We utilize AES-256 for all data encrypted at rest.

Penetration Testing

  • dbt Cloud undergoes annual penetration testing by an outside provider, and regularly installs the latest secure versions of all underlying software.

Compliance

  • SOC2 Type II: A SOC 2 examination, performed by an independent, certified public accounting (CPA) firm, is an assessment of a service provider’s security control environment against the trust services principles and criteria set forth by the American Institute of Certified Public Accountants (AICPA). The result of the examination is a report which contains the service auditor’s opinion, a description of the system that was examined, management’s assertion regarding the description, and the testing procedures performed by the auditor. dbt Cloud completed a SOC 2 Type II examination, which means its controls were assessed based on their operating effectiveness over the reporting period of October 1, 2021 to September 30, 2022. Our SOC2 Type II is available for review under MNDA upon request.

  • ISO 27001:2013 is a globally recognized standard for the establishment and certification of an information security management system (ISMS). The standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall business risks. It sets forth a risk-based approach that focuses on adequate and proportionate security controls that protect information assets and give confidence to interested parties. dbt Labs received its initial ISO27001:2013 certification on December 9, 2021, and completed its surveillance audit on November 17, 2022. The certificate is available for viewing here.

  • ISO 27701:2019 specifies requirements and guidelines to establish and continuously improve a Privacy Information Management System (PIMS), including the processing of Personally Identifiable Information (PII), and is an extension of the ISO/IEC 27001 and ISO/IEC 27002 standards for information security management. It provides a set of additional controls and associated guidance intended to address public cloud PIMS and PII management requirements that are not covered by the existing ISO/IEC 27002 control set, for both processors and controllers. dbt Labs is noted as a Processor. Our conformity with the ISO/IEC 27701:2019 standard over our privacy information management system has been assessed, and the result is combined with our ISO27001 certificate here.

  • GDPR: dbt Cloud is fully GDPR compliant. dbt Cloud’s Terms of Service includes a Data Processing Addendum that enacts standard contractual clauses set forth by the European Commission to establish a legal basis for cross-border data transfers from the EU.

  • PCI: Before granting dbt Cloud access to data subject to PCI requirements, please contact support at support@getdbt.com.

  • HIPAA: Before granting dbt Cloud access to data subject to HIPAA requirements, please contact support at support@getdbt.com.

Data Processing

When writing interactive queries from the IDE, for example “select * from customers limit 100,” the data from your customers table passes through the dbt Cloud infrastructure on the way to your browser. Data does not live on our servers outside of your ephemeral session, and it is not written to disk.

Data Storage

dbt Cloud stores the following data persistently:

  1. dbt Cloud account information including job definitions, database connection information, users, etc. Cloud account information does not include any raw data from your warehouse.
  2. Logs associated with jobs and interactive queries you’ve run.
  3. Your dbt “assets” which include things like run_results.json and manifest.json.

Logs and assets do not include raw data from the warehouse unless the code you write causes it. For example, it is possible to write dbt code that fetches all customer data from your customers table and writes it to the logs. While that is usually not a good idea, it is possible, and it would mean that information is stored in dbt Cloud.
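To make the point above concrete, here are two hypothetical macros written for this page (not code from dbt Labs), each run with `dbt run-operation <name>`: the first writes raw rows into the job log that dbt Cloud persists, the second logs only an aggregate. `customers` is an assumed model name.

```sql
{# Added example, not from the dbt Cloud docs. The `customers` model is a placeholder. #}

{% macro leaky_customer_dump() %}
    {# Every row returned by run_query is written verbatim into the run log,
       and that log is one of the artifacts dbt Cloud stores persistently. #}
    {% if execute %}
        {% set results = run_query("select id, email from " ~ ref('customers')) %}
        {% for row in results.rows %}
            {{ log(row, info=True) }}
        {% endfor %}
    {% endif %}
{% endmacro %}

{% macro safe_customer_audit() %}
    {# Log only what an operator needs to see. The log line still proves the
       table was reachable and populated, but no PII leaves the warehouse. #}
    {% if execute %}
        {% set results = run_query("select count(*) as n from " ~ ref('customers')) %}
        {{ log("customers row count: " ~ results.columns[0].values()[0], info=True) }}
    {% endif %}
{% endmacro %}
```

Reviewing macros and models that call `run_query` together with `log` is a quick way to find places where warehouse rows can reach the stored logs.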

Asset Management

  • Laptops are protected by full disk encryption using FileVault2, and managed by Jamf Pro MDM.

Availability, Business Continuity, & Disaster Recovery

  • dbt Cloud is hosted in AWS, with availability across multiple availability zones (AZs) in a region.

  • We retain backups for a minimum of seven (7) days.

  • Our staff is remotely distributed across the US providing support to customers globally. Our distributed workforce allows us to provide support virtually from anywhere and reduce the impact of support interruption in a geographic location.

Security Protocols

  • dbt Cloud’s data centers are hosted using Amazon Web Services, where they are protected by electronic security, intrusion detection systems, and 24/7/365 human staff.

  • dbt Cloud uses actively maintained, long-term-supported operating systems that are kept up to date with the latest security patches.

  • dbt Cloud uses a dedicated firewall and private network to prevent unauthorized network access.

  • We limit access to sensitive data to a few senior employees.

  • We review new features for security impact before release.

Security Recommendations

  • Limit dbt Cloud’s access to your warehouse to strictly the datasets processed by dbt.

  • Use SSL or SSH encryption to protect your data and credentials while in transit. Choose strong passwords for your database users.
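One way to apply both recommendations on a PostgreSQL warehouse, as an added example written for this page rather than guidance from dbt Labs: a dedicated role that can read only the source schema dbt transforms and write only to the schema dbt owns. `analytics_db`, `raw_sales`, `dbt_prod`, `dbt_cloud_user` and the password are placeholders.

```sql
-- Added example, not from the dbt Cloud docs. All names are placeholders; the
-- password is a placeholder too: generate a long random secret and keep it only
-- in the dbt Cloud connection settings.
create role dbt_cloud_user with login password '<generated-secret>';

-- Read access limited to the single source schema dbt actually transforms.
grant connect on database analytics_db to dbt_cloud_user;
grant usage on schema raw_sales to dbt_cloud_user;
grant select on all tables in schema raw_sales to dbt_cloud_user;
-- Tables added to raw_sales later (by the role running this script) stay readable.
alter default privileges in schema raw_sales grant select on tables to dbt_cloud_user;

-- dbt owns only the schema it materializes models into.
create schema dbt_prod authorization dbt_cloud_user;

-- Nothing is granted on unrelated schemas (hr, billing, ...). Also close the
-- historic PUBLIC create right on the public schema so the role cannot write there.
revoke create on schema public from public;

-- Transport encryption is enforced server-side in pg_hba.conf (not SQL), e.g.:
--   hostssl analytics_db dbt_cloud_user 0.0.0.0/0 scram-sha-256
-- which rejects any non-TLS connection for this role; set the dbt Cloud
-- connection to require SSL as well.

-- Verification: only raw_sales tables should be listed (dbt_prod has no tables yet).
select table_schema, table_name, privilege_type
from information_schema.role_table_grants
where grantee = 'dbt_cloud_user'
order by table_schema, table_name;
```

Re-run the verification query after each schema change; a row from any schema other than the ones dbt processes means the scope has drifted.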

Research and Disclosure

dbt Labs is committed to working with security experts across the world to stay up to date with the latest security techniques. If you believe you have found a security vulnerability in dbt Core or dbt Cloud, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. Please review our Responsible Disclosure Policy, available at https://www.getdbt.com/disclosure.

If you believe you have discovered a problem or have any questions, please contact us at security@getdbt.com.