Yugabyte Security and Trust Center
Yugabyte Compliance Certifications and Authorizations
Our primary security and privacy objectives include achieving compliance with all the major security and compliance certifications and authorizations that our customers require, and enabling our customers' own compliance. We're well on our way with that journey, and have established a security program based on the ISO 27001 security framework and audited by an independent accounting firm using the SSAE18 SOC 2 standards.
Yugabyte continues to demonstrate the company’s commitment to enterprise customers running business-critical workloads by meeting the strict requirements for a number of critical ISO certifications and authorizations. To date, YugabyteDB has received the following:
- ISO 27001: We received our ISO 27001 certification in January 2023. ISO/IEC 27001 defines the requirements for an information security management system (ISMS) and includes best practices for data protection and cyber resilience.
- ISO 22301: We received our ISO 22301 certification in July 2023. ISO 22301 defines the requirements for establishing and maintaining a business continuity management system (BCMS) and includes best practices for minimizing the impact of disruptive events.
- ISO 9001: We received our ISO 9001 certification in July 2023. ISO 9001 defines the requirements for establishing and maintaining a quality management system (QMS) and includes best practices for meeting and exceeding customer expectations.
Interested parties can request our ISO certificates by emailing us at compliance@yugabyte.com.
Yugabyte is continuing to work towards receiving additional industry-standard certifications and authorizations, and will update this list as we achieve them.
- SOC 1 Type 2: We became SOC 1 Type 2 compliant as of November 16, 2023. Yugabyte has implemented a system of internal controls over financial reporting that was assessed by a reputable and independent accounting and auditing firm. Please contact our team at compliance@yugabyte.com if you would like a copy of the detailed SOC 1 Type 2 report.
- SOC 2 Type 2 and SOC 3: We became SOC 2 Type 2 compliant as of September 30, 2022. Yugabyte was assessed by a reputable and independent accounting and auditing firm and has achieved compliance with the following Trust Services Categories: Security, Availability and Confidentiality. Download the published SOC 3 report today or contact our team at compliance@yugabyte.com if you would like a copy of the detailed SOC 2 Type 2 report.
YugabyteDB has achieved PCI DSS Level 1 compliance for its fully managed database-as-a-service (DBaaS) offering. Level 1 is PCI's highest level of assurance, affirming Yugabyte's commitment to delivering strong performance while maintaining and securing highly sensitive data. To achieve this level of compliance, YugabyteDB's security controls were tested by an independent Qualified Security Assessor (QSA), whose assessment included a review of YugabyteDB's technical controls as well as company policies and procedures.
Please contact our team at compliance@yugabyte.com if you would like a copy of our most recent attestation of compliance (AOC).
Built upon existing Cloud Security Alliance programs, the Trusted Cloud Provider program allows organizations to demonstrate their commitment to holistic security and services.
- Trusted Cloud Provider: Yugabyte was awarded CSA’s Trusted Cloud Provider trustmark in April 2023. This designation demonstrates our commitment to implementing industry-recognized best practices in securing our cloud computing environments. Our Level One assessment can be accessed via the CSA STAR registry.
While Yugabyte products cannot meet every regulatory requirement, Yugabyte has embedded capabilities into its products that can help customers work in accordance with the following compliance requirements:
- GDPR: Yugabyte features can help our customers meet their own GDPR compliance requirements. You can learn more about using YugabyteDB to help you achieve compliance with GDPR in our GDPR documentation.
The Center for Internet Security (CIS) developed, validated and published a security benchmark for YugabyteDB in collaboration with the Yugabyte security team. CIS benchmarks provide globally recognized best practices to guide security practitioners in effectively configuring, implementing and managing their cybersecurity defenses. Yugabyte was the first distributed SQL vendor to complete the benchmark for a database.
The benchmark can be downloaded via the CIS Benchmark catalog.
- Subprocessors. We maintain a current list of companies authorized to process Customer Personal Information for YugabyteDB Managed, including the Subprocessor’s address, description of services provided and the lawful transfer mechanism.
- Data Processing Addendum. We incorporate a Data Processing Addendum into our YugabyteDB Managed Terms of Service that describes our technical and organizational measures meant to meet applicable data protection obligations.