Shared Responsibility

Customer

• Select the cloud provider and the region of choice.

SingleStore

• Provision the requested clusters in a private network.

• Provision all additional configurations described by users.

• Secure the infrastructure and networks using best practices.

Customer

• Create and manage customer data.

• Add user accounts and access using identities.

SingleStore

• Provide secure access and storage to customer data.

• Provide secure connectivity to the platform to ensure confidentiality, integrity, and authentication for customer data in motion.

Customer

• Configure the network connectivity, including Firewall, DNS, Private Networking, and IP allowlisting between the user and SingleStore account.

SingleStore

• Enforce network security restrictions as per configurations made by the customer.

• Provision resource for private networking.

Customer

• Configure user authentication.

• Add roles and privileges for users.

• Manage certifications and JWKS setups for clusters.

• Manage IAM roles on cloud resources to be used by SingleStore Helios.

SingleStore

• Provide Role-Based Access Control (RBAC) as part of the platform.

• Provide integration with MFA and other SSO tools.

• Provide secure identity management capabilities and access to user accounts on the platform.

• Support secure token-based authentication/authorization.

Customer

• Manage and configure API keys.

SingleStore

• Generate API keys.

• Implement API access.

Customer

• Set the TLS version to be used.

• For CMEK: Configure cloud provider KMS and key policy according to the customer’s own requirements, and then manually configure CMEK on SingleStore Helios.

SingleStore

• Enable default encryption of data at rest and in motion with cloud provider managed keys.

• Connect to the KMS and use keys for encryption at rest.

• For CMEK: Connect to the customer-specified KMS and use keys for encryption of data at rest.

Customer

• Configure audit levels and audit log destinations.

SingleStore

• Stream audit logs to external resources based on user configuration.

• Enable audit logging for the database automatically.

• Monitor the platform's audit logs.

Customer

• Configure real-time alerts and performance thresholds.

• Configure external tools for monitoring and alerting.

• Access to metrics and logs via Grafana dashboards.

SingleStore

• Configure performance analysis and monitoring capabilities.

• Monitor the platform’s performance logs and alerts.

Customer

• Ensure that the client software used to interact with the platform is up-to-date and patched.

SingleStore

• Automatically apply security patches and updates.

• Run internal vulnerability and patch management processes.

Customer

• Can create and manage own custom backups in accordance with internal backup and disaster recovery policy.

• Configure backup and recovery capabilities and provisions supported by the platform.

SingleStore

• SingleStore stores data in durable object storage for recovery in case of unexpected disaster.

• SingleStore provides self-serve recovery steps (based on the purchased edition).

• Implement automated failover and replication mechanisms.

Customer

• Validate and check user-defined functions (UDFs) and code written to interface with external functions for security issues.

• Validate the security of third-party services to leverage on SingleStore Helios computing capabilities or through integrations.

• Secure system access for users both inside and outside the customer's environment.

SingleStore

• Provide a secure operating and computing environment.

• Run incident detection and response mechanisms internally.

• Manage network egress and ingress at the network layer and control access to data.

• Validate the security of the software supply chain used by CI/CD procedures and tools.

Customer

• Ensure proper access control to secrets configured within the platform.

• Manage the lifecycle of secrets as well as their end-to-end distribution.

SingleStore

• Securely store and encrypt customer secrets.

Customer

• Configure the environment(s) to meet the requirements for the customer’s own compliance and regulatory needs.

• If the customer needs to store and manage PHI data on SingleStore Helios, a BAA must be set up with SingleStore.

SingleStore

• Maintain compliance and uphold Information Security and Data Protection standards and requirements that apply to our product and business (namely ISO27001 and SOC 2 Type II).

• Support compliance inheritance of HIPAA.

Customer

• Ensure secure deployment of Generative AI applications and the responsible use of data leveraged in AI-powered features provided by SingleStore.

• Implement human oversight in AI-enabled business workflows.

• Where selection of underlying AI models is required, it is the customer's responsibility to make and validate the choice.

SingleStore

• Provide a secure platform for enabling Generative AI applications that seamlessly integrate with SingleStore.

• Ensure compliance with data protection and regulatory standards, with continuous monitoring and adaptation as AI-related regulations evolve.

• Evaluate Generative AI technology to assess bias, security vulnerabilities, accuracy, and safety.