Shared Responsibility

SingleStore Helios has built-in security controls that make it a secure environment to run customer workloads. However, the responsibility for keeping it secure is shared between the user and SingleStore. SingleStore Helios is designed with strong security by default so that there is minimal overhead on the user. The default configuration includes encryption at rest, encryption in transit, removal of public access, and deployment within strong network boundaries. Users are responsible for configuring the necessary levels of control based on the security posture of their organization.

Shared Responsibility Model

The following table outlines the responsibilities of the customer and SingleStore for a SingleStore Helios deployment in Managed and BYOC regions:

Cloud Infrastructure Physical Security

Managed Regions

Customer

  • Select the cloud provider and the region of choice.

SingleStore

  • Provision the requested clusters in a private network.

  • Provision all additional configurations described by users.

  • Secure the infrastructure and networks using best practices.

BYOC Regions

Customer

  • Provide a cloud account (supported by SingleStore), configure security, follow industry best practices, and use Identity and Access Management (IAM) tools to control access to their resources.

SingleStore

  • Provision and manage the lifecycle of the resources required to bootstrap and manage a Helios BYOC Region (used to perform the bootstrap and updates on the instance), excluding the VPC and IAM Role managed by the customer.

Customer Data, Accounts, and Identities

Managed Regions

Customer

  • Create and manage customer data.

  • Add user accounts and access using identities.

SingleStore

  • Provide secure access and storage to customer data.

  • Provide secure connectivity to the platform to ensure confidentiality, integrity, and authentication for customer data in motion.

BYOC Regions

Customer

  • Create and manage data; ensure that SingleStore's managed buckets are secure and cannot be reached from unwanted sources.

  • Access and manage the lifecycle of customer user accounts.

  • Configure platform authentication method.

  • Establish password policies and security measures to protect user identities and credentials.

SingleStore

  • Provide secure access and communication channels to the platform that ensure confidentiality, integrity, and authentication for customer data in motion.

  • Manage the cloud-hosted buckets pre-provisioned by SingleStore that store customer’s data.

  • Provide integration with customer’s identity management platforms (SSO).

  • Provide secure local identity management capabilities.

  • Provide secure access to user accounts on the platform.

  • Enable customer user account lifecycle management on the platform.

Network Isolation and Connectivity

Managed Regions

Customer

  • Configure the network connectivity, including Firewall, DNS, Private Networking, and IP allowlisting between the user and SingleStore account.

SingleStore

  • Enforce network security restrictions as per configurations made by the customer.

  • Provision resource for private networking.

BYOC Regions

Customer

  • Follow SingleStore’s requirements and guidelines to set up the VPC where the Data Plane will be deployed.

  • Manage the VPC and keep it aligned with the initial guidelines and requirements.

SingleStore

  • Provide guidelines and hardened network and resource configurations.

SingleStore Database Access

Managed Regions

Customer

  • Configure user authentication.

  • Add roles and privileges for users.

  • Manage certifications and JWKS setups for clusters.

  • Manage IAM roles on cloud resources to be used by SingleStore Helios.

SingleStore

  • Provide Role-Based Access Control (RBAC) as part of the platform.

  • Provide integration with MFA and other SSO tools.

  • Provide secure identity management capabilities and access to user accounts on the platform.

  • Support secure token-based authentication/authorization.

BYOC Regions

Customer

  • Define and configure an access control scheme on the platform, and assign roles and privileges.

SingleStore

  • Provide Role-Based Access Control (RBAC) as part of the platform.

API Controls/Access

Managed Regions

Customer

  • Manage and configure API keys.

SingleStore

  • Generate API keys.

  • Implement API access.

BYOC Regions

Customer

N/A

SingleStore

N/A

Data Encryption (in Transit and at Rest) and BYOK

Managed Regions

Customer

  • Set the TLS version to be used.

  • For CMEK: Configure cloud provider KMS and key policy according to the customer’s own requirements, and then manually configure CMEK on SingleStore Helios.

SingleStore

  • Enable default encryption of data at rest and in motion with cloud provider managed keys.

  • Connect to the KMS and use keys for encryption at rest.

  • For CMEK: Connect to the customer-specified KMS and use keys for encryption of data at rest.

BYOC Regions

Customer

  • Responsible for all aspects of accessing data in motion, such as establishing secure connections to the cluster and ensuring secure client configurations.

  • For CMEK: Configure cloud provider KMS and key policy according to the customer’s own requirements, and then manually configure CMEK on Helios BYOC.

SingleStore

  • Manage usage of self-signed SSL/TLS certificates.

  • Enable default encryption of data at rest with cloud provider-managed keys.

  • For CMEK: Connect to the customer-specified KMS and use keys for encryption of data at rest.

Granular Auditing

Managed Regions

Customer

  • Configure audit levels and audit log destinations.

SingleStore

  • Stream audit logs to external resources based on user configuration.

  • Enable audit logging for the database automatically.

  • Monitor the platform's audit logs.

BYOC Regions

Customer

  • Configure audit levels and audit log destinations. Monitor audit logs for customers’ deployment(s).

  • Monitor and manage audit logs from Data Plane updates and break glass interventions triggered by SingleStore.

SingleStore

  • Stream logs from running applications to external data sources to enable the monitoring of the Data Plane instance.

  • Automatically enable audit logging for bootstrapping and maintenance operations performed on the data cell.

  • Set up and stream internal and customer-facing metrics to an external data source to monitor the plane instance and make dashboards available to the customer.

Performance Monitoring/Alerting

Managed Regions

Customer

  • Configure real-time alerts and performance thresholds.

  • Configure external tools for monitoring and alerting.

  • Access to metrics and logs via Grafana dashboards.

SingleStore

  • Configure performance analysis and monitoring capabilities.

  • Monitor the platform’s performance logs and alerts.

BYOC Regions

Customer

  • Configure real-time alerts via their SMTP service and register them to the monitoring infrastructure of the BYOC cell.

  • Access to customer metrics and logs via Grafana dashboards.

SingleStore

  • Configure performance and monitoring capabilities.

  • Monitor the platform’s performance logs and alerts.

Security Patches and Maintenance

Managed Regions

Customer

  • Ensure that the client software used to interact with the platform is up-to-date and patched.

SingleStore

  • Automatically apply security patches and updates.

  • Run internal vulnerability and patch management processes.

BYOC Regions

Customer

  • Ensure that the client software used to interact with the platform and clusters is up-to-date and patched.

  • Ensure that BYOC’s host cloud account is updated with the latest security and configuration best practices.

SingleStore

  • Apply security patches and updates on infrastructure and resources managed by SingleStore.

  • Run internal vulnerability and patch management processes on infrastructure and resources managed by SingleStore.

High Availability and Disaster Recovery

Managed Regions

Customer

  • Can create and manage own custom backups in accordance with internal backup and disaster recovery policy.

  • Configure backup and recovery capabilities and provisions supported by the platform.

SingleStore

  • SingleStore stores data in durable object storage for recovery in case of unexpected disaster.

  • SingleStore provides self-serve recovery steps (based on the purchased edition).

  • Implement automated failover and replication mechanisms.

BYOC Regions

Customer

  • Follow customer’s backup, business continuity, and/or disaster recovery policies and plans to create and manage custom backups.

  • Configure backup and recovery capabilities and provisions supported by the platform.

SingleStore

  • Persist data to durable object storage for recovery from disaster.

Application Security

Managed Regions

Customer

  • Validate and check user-defined functions (UDFs) and code written to interface with external functions for security issues.

  • Validate the security of third-party services to leverage on SingleStore Helios computing capabilities or through integrations.

  • Secure system access for users both inside and outside the customer's environment.

SingleStore

  • Provide a secure operating and computing environment.

  • Run incident detection and response mechanisms internally.

  • Manage network egress and ingress at the network layer and control access to data.

  • Validate the security of the software supply chain used by CI/CD procedures and tools.

BYOC Regions

Customer

  • Validate and check user-defined functions (UDFs) and code written to interface with external functions for security issues.

  • Validate the security of third-party services to leverage on SingleStore Helios computing capabilities or through integrations.

  • Secure system access for users both inside and outside the customer's environment.

SingleStore

  • Operate with the assumption that everything is Private. No public IPs or ports are exposed at any point.

  • Detect incidents raised by internal alerts or via customer support tickets. Resolution is either performed directly by SingleStore in the case of simple infrastructure troubleshooting/updates or jointly with the customer for scenarios that require elevated permissions to the cloud environment (with SingleStore assuming a supportive role).

  • No network management; operate on the level that only private load-balancers can be created.

  • Validate the security of the software supply chain used by CI/CD procedures and tools.

Secrets

Managed Regions

Customer

  • Ensure proper access control to secrets configured within the platform.

  • Manage the lifecycle of secrets as well as their end-to-end distribution.

SingleStore

  • Securely store and encrypt customer secrets.

BYOC Regions

Customer

  • Ensure proper access control to secrets configured within the platform.

  • Manage the lifecycle of secrets as well as their end-to-end distribution.

SingleStore

  • No access to any customer secrets.

Compliance

Managed Regions

Customer

  • Configure the environment(s) to meet the requirements for the customer’s own compliance and regulatory needs.

  • If the customer needs to store and manage PHI data on SingleStore Helios, a BAA must be set up with SingleStore.

SingleStore

  • Maintain compliance and uphold Information Security and Data Protection standards and requirements that apply to our product and business (namely ISO 27001 and SOC 2 Type II).

  • Support compliance inheritance of HIPAA.

BYOC Regions

Customer

  • Configure the environment(s) to meet the requirements for the customer’s own compliance and regulatory needs.

  • If the customer needs to store and manage PHI data on SingleStore Helios, a BAA must be set up with SingleStore.

  • Note: The data sovereignty in BYOC Regions is on the customer side and while SingleStore does provide the guidelines and requirements to secure data on the customer’s environment, the ultimate responsibility of securing the cloud environment where customer data resides relies on the customer.

SingleStore

  • Maintain compliance and uphold Information Security and Data Protection standards and requirements that apply to our product and business (namely ISO 27001 and SOC 2 Type II).

  • Support compliance inheritance of HIPAA.

Responsibility Matrix

The following can be used as a quick reference to the shared responsibilities of the customer and SingleStore.

Cloud Management

Managed Regions

BYOC Regions

Action

SingleStore

Customer

SingleStore

Customer

VPC

EC2 instance management

Kubernetes management

S3 buckets management

SingleStore provisioning

Upgrades and Security

Managed Regions

BYOC Regions

Action

SingleStore

Customer

SingleStore

Customer

SingleStore upgrades

Software vulnerability remediation

Infrastructure vulnerability remediation

Scaling

Networking

Managed Regions

BYOC Regions

Action

SingleStore

Customer

SingleStore

Customer

External Routing

K8 internal Routing

Firewall

DNS

Load Balancer

Access Control

Managed Regions

BYOC Regions

Action

SingleStore

Customer

SingleStore

Customer

IAM role, service accounts

Access control and auditing

Availability

Managed Regions

BYOC Regions

Action

SingleStore

Customer

SingleStore

Customer

DR

Availability (SLA)

Support

Managed Regions

BYOC Regions

Action

SingleStore

Customer

SingleStore

Customer

Logging

Audit logging

Monitoring

Break glass

Last modified: December 5, 2024
