# Shared Responsibility

SingleStore Helios has built-in security controls that make it a secure environment for running customer workloads. However, the responsibility for keeping it secure is shared between the user and SingleStore. SingleStore Helios is designed with strong security by default so that there is minimal overhead on the user. The default configuration includes encryption at rest, encryption in transit, removal of public access, and deployment within strong network boundaries. Users are responsible for configuring the necessary levels of control, based on the security posture of their organization.

## Shared Responsibility Model

The following tables outline the responsibilities of the customer and SingleStore for a SingleStore Helios deployment in Managed regions:

## Cloud Infrastructure Physical Security

| **Customer**<ul> <li>Select the cloud provider and the region of choice.</li> </ul> | **SingleStore**<ul> <li>Provision the requested clusters in a private network.</li> <li>Provision all additional configurations described by users.</li> <li>Secure the infrastructure and networks using best practices.</li> </ul> |
| ----------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |

## Customer Data, Accounts, and Identities

| **Customer**<ul> <li>Create and manage customer data.</li> <li>Add user accounts and access using identities.</li> </ul> | **SingleStore**<ul> <li>Provide secure access and storage to customer data.</li> <li>Provide secure connectivity to the platform to ensure confidentiality, integrity, and authentication for customer data in motion.</li> </ul> |
| ------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |

## Network Isolation and Connectivity

| **Customer**<ul> <li>Configure the network connectivity, including Firewall, DNS, Private Networking, and IP allowlisting between the user and SingleStore account.</li> </ul> | **SingleStore**<ul> <li>Enforce network security restrictions as per configurations made by the customer.</li> <li>Provision resources for private networking.</li> </ul> |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |

## SingleStore Database Access

| **Customer**<ul> <li>Configure user authentication.</li> <li>Add roles and privileges for users.</li> <li>Manage certifications and JWKS setups for clusters.</li> <li>Manage IAM roles on cloud resources to be used by SingleStore Helios.</li> </ul> | **SingleStore**<ul> <li>Provide Role-Based Access Control (RBAC) as part of the platform.</li> <li>Provide integration with MFA and other SSO tools.</li> <li>Provide secure identity management capabilities and access to user accounts on the platform.</li> <li>Support secure token-based authentication/authorization.</li> </ul> |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |

## API Controls/Access

| **Customer**<ul> <li>Manage and configure API keys.</li> </ul> | **SingleStore**<ul> <li>Generate API keys.</li> <li>Implement API access.</li> </ul> |
| -------------------------------------------------------------- | ------------------------------------------------------------------------------------ |

## Data Encryption (in Transit and at Rest)

Customer-Managed Encryption Keys (CMEK) is only supported on Managed regions.

| **Customer**<ul> <li>Set the TLS version to be used.</li> <li>For CMEK: Configure cloud provider KMS and key policy according to the customer’s own requirements, and then manually configure CMEK on SingleStore Helios.</li> </ul> | **SingleStore**<ul> <li>Enable default encryption of data at rest and in motion with cloud provider managed keys.</li> <li>Connect to the KMS and use keys for encryption at rest.</li> <li>For CMEK: Connect to the customer-specified KMS and use keys for encryption of data at rest.</li> </ul> |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |

## Granular Auditing

| **Customer**<ul> <li>Configure audit levels and audit log destinations.</li> </ul> | **SingleStore**<ul> <li>Stream audit logs to external resources based on user configuration.</li> <li>Enable audit logging for the database automatically.</li> <li>Monitor the platform's audit logs.</li> </ul> |
| ---------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |

## Performance Monitoring/Alerting

| **Customer**<ul> <li>Configure real-time alerts and performance thresholds.</li> <li>Configure external tools for monitoring and alerting.</li> <li>Access metrics and logs via Grafana dashboards.</li> </ul> | **SingleStore**<ul> <li>Configure performance analysis and monitoring capabilities.</li> <li>Monitor the platform’s performance logs and alerts.</li> </ul> |
| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |

## Security Patches and Maintenance

| **Customer**<ul> <li>Ensure that the client software used to interact with the platform is up-to-date and patched.</li> </ul> | **SingleStore**<ul> <li>Automatically apply security patches and updates.</li> <li>Run internal vulnerability and patch management processes.</li> </ul> |
| ----------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- |

## High Availability and Disaster Recovery

| **Customer**<ul> <li>Can create and manage their own custom backups in accordance with their internal backup and disaster recovery policy.</li> <li>Configure backup and recovery capabilities and provisions supported by the platform.</li> </ul> | **SingleStore**<ul> <li>SingleStore stores data in durable object storage for recovery in case of unexpected disaster.</li> <li>SingleStore provides self-serve recovery steps (based on the purchased edition).</li> <li>Implement automated failover and replication mechanisms.</li> </ul> |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |

## Application Security

| **Customer**<ul> <li>Validate and check user-defined functions (UDFs) and code written to interface with external functions for security issues.</li> <li>Validate the security of third-party services to leverage on SingleStore Helios computing capabilities or through integrations.</li> <li>Secure system access for users both inside and outside the customer's environment.</li> </ul> | **SingleStore**<ul> <li>Provide a secure operating and computing environment.</li> <li>Run incident detection and response mechanisms internally.</li> <li>Manage network egress and ingress at the network layer and control access to data.</li> <li>Validate the security of the software supply chain used by CI/CD procedures and tools.</li> </ul> |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |

## Secrets

| **Customer**<ul> <li>Ensure proper access control to secrets configured within the platform.</li> <li>Manage the lifecycle of secrets as well as their end-to-end distribution.</li> </ul> | **SingleStore**<ul> <li>Securely store and encrypt customer secrets.</li> </ul> |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------- |

## Compliance

| **Customer**<ul> <li>Configure the environment(s) to meet the requirements for the customer’s own compliance and regulatory needs.</li> <li>If the customer needs to store and manage PHI data on SingleStore Helios, a BAA must be set up with SingleStore.</li> </ul> | **SingleStore**<ul> <li>Maintain compliance and uphold Information Security and Data Protection standards and requirements that apply to our product and business (namely ISO27001 and SOC 2 Type II).</li> <li>Support compliance inheritance of HIPAA.</li> </ul> |
| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |

## AI Usage

| **Customer**<ul> <li>Ensure secure deployment of Generative AI applications and the responsible use of data leveraged in AI-powered features provided by SingleStore.</li> <li>Implement human oversight in AI-enabled business workflows.</li> <li>Where selection of underlying AI models is required, it is the customer's responsibility to make and validate the choice.</li> </ul> | **SingleStore**<ul> <li>Provide a secure platform for enabling Generative AI applications that seamlessly integrate with SingleStore.</li> <li>Ensure compliance with data protection and regulatory standards, with continuous monitoring and adaptation as AI-related regulations evolve.</li> <li>Evaluate Generative AI technology to assess bias, security vulnerabilities, accuracy, and safety.</li> </ul> |
| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |

## Responsibility Matrix

The following can be used as a quick reference to the shared responsibilities of the customer and SingleStore.

## Cloud Management

| **Action**              | **SingleStore** | **Customer** |
| ----------------------- | --------------- | ------------ |
| VPC                     | ✔               |              |
| EC2 instance management | ✔               |              |
| Kubernetes management   | ✔               |              |
| S3 buckets management   | ✔               |              |
| SingleStore provisioning | ✔               |              |

## Upgrades and Security

| **Action**                               | **SingleStore** | **Customer** |
| ---------------------------------------- | --------------- | ------------ |
| SingleStore upgrades                     | ✔               |              |
| Software vulnerability remediation       | ✔               |              |
| Infrastructure vulnerability remediation | ✔               |              |
| Scaling                                  | ✔               |              |

## Networking

| **Action**          | **SingleStore** | **Customer** |
| ------------------- | --------------- | ------------ |
| External Routing    | ✔               |              |
| K8 internal Routing | ✔               |              |
| Firewall            |                 | ✔            |
| DNS                 | ✔               |              |
| Load Balancer       | ✔               |              |

## Access Control

| **Action**                  | **SingleStore** | **Customer** |
| --------------------------- | --------------- | ------------ |
| IAM role, service accounts  | ✔               |              |
| Access control and auditing | ✔               | ✔            |

## Availability

| **Action**         | **SingleStore** | **Customer** |
| ------------------ | --------------- | ------------ |
| DR                 | ✔               |              |
| Availability (SLA) | ✔               |              |

## Support

| **Action**    | **SingleStore** | **Customer** |
| ------------- | --------------- | ------------ |
| Logging       | ✔               |              |
| Audit logging | ✔               | ✔            |
| Monitoring    | ✔               |              |
| Break glass   | ✔               |              |

***

Modified at: April 22, 2026

Source: [/cloud/getting-started-with-singlestore-helios/about-singlestore-helios/shared-responsibility/](https://docs.singlestore.com/cloud/getting-started-with-singlestore-helios/about-singlestore-helios/shared-responsibility/)

