• Security
  • Data Encryption Policies

Data Encryption Policies

This page outlines how Rockset encrypts and protects your data.

#Data Encryption in Flight

Data in flight from customers to Rockset and from Rockset back to customers is encrypted through Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates, which are created and managed by AWS Certificate Manager. An AWS application load balancer terminates SSL connections to our API endpoint.

Within Rockset’s Virtual Private Cloud (VPC), data is transmitted unencrypted between Rockset’s internal services. Unencrypted data will never be sent outside of Rockset’s VPC.

#Data Encryption at Rest

Data is persisted in three places within Rockset:

  1. In a log buffer service on encrypted AWS EBS volumes. Rockset uses this log buffer as transient storage to independently scale data indexing (writes) and data serving (reads).
  2. On Rockset's servers, which have local solid state drives which are encrypted through dm-crypt. The configuration is based on this article.
  3. In AWS S3, where all stored objects are encrypted.

In all cases, the encryption keys are managed by AWS Key Management Service (KMS). The master keys never leave the KMS hardware, so they are never exposed to anyone, including Rockset.

#SOC 2 Compliance

Rockset is a SOC 2 compliant company. We are proud to be SOC 2 Type II certified by the American Institute of Certified Public Accountants (AICPA) as a part of our ongoing commitment to protect customer data. To request a copy of our SOC 2 Type II audit report, please contact support@rockset.com.