@@ -0,0 +1,26 @@
---
title: 'Security shared responsibility model'
slug: /cloud/reference/byoc/reference/security-shared-responsibility
sidebar_label: 'Security shared responsibility'
keywords: ['BYOC', 'security', 'shared responsibility', 'IAM', 'compliance', 'GDPR', 'CCPA', 'encryption', 'network security', 'disaster recovery']
description: 'Breakdown of security responsibilities between ClickHouse, the customer, and cloud providers in a BYOC deployment.'
doc_type: 'reference'
---

BYOC deploys ClickHouse services within your cloud account, distributing security responsibilities across three parties: ClickHouse, you, and your cloud service provider.
The table below breaks down who owns what across eight security domains.

For more information on specific features and settings to meet your security requirements, visit [trust.clickhouse.com](https://trust.clickhouse.com).

## Shared responsibilities {#shared-responsibilities}

| Domain | ClickHouse | Customer | Cloud provider |
|-------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **IAM** | Enforce unique usernames, strong passwords, and MFA.<br /><br />Restrict access to customer environments based on least privilege.<br /><br />Secure remote connections using strong cryptography.<br /><br />Manage IAM holistically, including oversight of Auth0 accounts BYOC customers create. | Configure SSO for console users and enforce MFA within the identity provider.<br /><br />Use strong passwords and configure roles based on least privilege for database users.<br /><br />Securely manage the default user password and relevant API keys and secrets. | Protect the identity and access management infrastructure. |
| **Data security** | Encrypt data in transit using TLS 1.2+.<br /><br />Encrypt data at rest using AES-256+.<br /><br />Securely manage, deploy, and rotate encryption keys.<br /><br />Delete service data and backups within seven days of service termination. | Implement [customer-managed encryption keys (CMEK)](/cloud/security/cmek), as available.<br /><br />Use time-to-live settings to enforce data retention. | Manage encryption hardware and services.<br /><br />Encrypt data in transit and at rest, where configured. |
| **Network** | Deploy security groups and network controls to enable secure communication while isolating customer environments.<br /><br />Enable secure defaults for network access controls and security groups. | Configure [IP filters](/cloud/security/setting-ip-filters) to restrict connections to the database.<br /><br />Maintain secure network configurations after initial deployment. | Manage physical and logical security of the cloud networking infrastructure.<br /><br />Maintain secure communications for cloud infrastructure, including APIs. |
| **Security monitoring** | Deploy security event detection capabilities.<br /><br />Generate audit logs and retain for one year.<br /><br />Investigate and respond to potential security events.<br /><br />Report security breaches affecting you in accordance with the ClickHouse Information Security Addendum. | Configure and manage cloud security monitoring.<br /><br />Monitor session and query logs within the service.<br /><br />Investigate and respond to potential security events. | Configure and manage security monitoring for underlying cloud services.<br /><br />Investigate and respond to potential security events related to underlying cloud services.<br /><br />Report security breaches affecting you in accordance with contractual obligations. |
| **Disaster recovery** | Protect against database failures using multiple replicas.<br /><br />Use multi-availability zone configurations in each region.<br /><br />Provide backup capabilities to enable data recovery from localized incidents.<br /><br />Regularly test backups to ensure recoverability. | Configure backup policies and perform restoration. | Provide data centers with high-availability features.<br /><br />Provide geographically isolated data centers in each region. |
| **Platform** | Securely configure, deploy, and terminate ClickHouse systems.<br /><br />Use hardened base images to deploy services.<br /><br />Maintain a public bug bounty program. | Secure the service landing zone, including account setup, configuration, and management. | Provide and maintain physical and environmental protections.<br /><br />Securely configure, patch, and maintain hardware, firmware, and operating system software. |
| **Best practices** | Maintain a technical vulnerability management program.<br /><br />Conduct third-party penetration tests at least annually.<br /><br />Employ an in-house information security team. | Configure ClickHouse and cloud security controls based on organizational requirements.<br /><br />Follow security best practices for cloud-based systems. | Maintain a technical vulnerability management program.<br /><br />Conduct third-party penetration tests at least annually.<br /><br />Employ an in-house information security team. |
| **Compliance** | Maintain independent third-party audits, standards, and certifications.<br /><br />Provide tools and configurations that enable compliance with applicable laws, such as GDPR and CCPA. | Evaluate and implement relevant ClickHouse security configurations to meet applicable compliance requirements for the type of data processed.<br /><br />Use ClickHouse services in compliance with relevant export control and data privacy laws. | Maintain relevant independent third-party audits, standards, and certifications. |
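Review bot: the `| **Security monitoring** |` row assigns "Investigate and respond to potential security events" verbatim to both the ClickHouse and Customer columns with no boundary between them, while the Cloud provider cell scopes the same duty to events "related to underlying cloud services". Since the table is meant to tell a BYOC customer who leads on an incident, consider scoping the other two cells the same way, for example "... events within the ClickHouse-managed service" for ClickHouse and "... events within your cloud account and network" for the customer. In the same row, "Generate audit logs and retain for one year" does not say which of those logs the customer can reach when carrying out "Monitor session and query logs within the service" in the next column; a link to the audit-log reference would close that gap. Minor: the intro says "three parties: ClickHouse, you, and your cloud service provider" but the header uses "Customer"; pick one term for the second party.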