Confluent’s Cloud Security Addendum (“Security Addendum”) outlines the technical and procedural measures that Confluent undertakes to secure the Cloud Service. Confluent may update this Security Addendum from time to time and such changes will be effective when posted. Capitalized terms used but not defined in this Security Addendum have the meanings as set forth in the Confluent Cloud Services Agreement or other written or electronic terms of a cloud service or cloud subscription agreement (“Agreement”) entered into by the parties. In the event of any conflict between the terms of the Agreement and this Security Addendum, this Security Addendum shall govern.
1. Confluent Information Security Program Overview
1.1 General Overview. Confluent is committed to achieving and maintaining the trust of its customers. Integral to this mission is providing robust security that carefully considers data security matters across the Cloud Service, including security of Content. To this end, Confluent maintains a comprehensive documented information security program to establish and maintain administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, availability, and security of the Cloud Service and Content (“Information Security Program”). Confluent is regularly audited by accredited third parties and has achieved various compliance standards and certifications covering the Information Security Program, including:
1.1.1 SSAE 21 SOC 1 Type II, SOC 2 Type II, and SOC 3;
1.1.2 HITRUST CSF Certification;
1.1.3 Payment Card Industry Data Security Standards (“PCI-DSS”) – Confluent can support PCI data that is message-level encrypted by Customer;
1.1.4 CSA Star Level 2 Attestation; and
1.1.5 ISO 27001 and 27701 Certifications.
Confluent’s Trust and Security page (/trust-and-security) provides detailed information about Confluent’s compliance certifications and a portal for requesting supporting documentation.
1.2 Maintenance and Compliance. Confluent’s Information Security Program is maintained by a security team, led by Confluent’s Chief Information Security Officer. Confluent monitors compliance with its Information Security Program and conducts ongoing education and training of personnel to ensure compliance. The Information Security Program is reviewed and updated at least annually to reflect changes to Confluent’s organization, business practices, technology, services, and applicable laws and regulations; provided, however, Confluent will not update the Information Security Program in a way that materially degrades the overall security of the Cloud Service.
2. Storage Location of Message Content
2.1 Storage Location. For Content that consists of message data produced to a Kafka topic (“Message Content”), Customer determines, via configuration in the Cloud Service, the Cloud Service region where the Message Content is stored.
3. Encryption
3.1 Encryption at Rest. The Cloud Service stores Content encrypted at rest. This is done using enterprise-grade encryption standards on the storage backend, specifically AES-256 or an equivalent or stronger cipher.
3.2 Encryption in Transit. Communications between Customer’s endpoints and the Cloud Service are encrypted in transit with appropriate encryption standards for data in motion, using TLS v1.2 or higher.
4. Systems and Network Security
4.1 Separation of Content. The Cloud Service maintains logical separation of Content between customers. Confluent has implemented controls to prevent one customer from gaining unauthorized access to another customer’s data in the Cloud Service.
4.2 Access Management
4.2.1 Access Controls. Access to the systems and infrastructure that support the Cloud Service is restricted to individuals who require such access as part of their job responsibilities and is consistent with the principle of least privilege.
4.2.2 Access Authentication. Confluent personnel access the Cloud Service via unique user IDs, authenticating over an encrypted connection such as SSH with MFA and regularly rotated SSH keys, and never with passwords alone. The password policy for the Cloud Service adheres to industry-standard complexity rules.
4.3 Firewall. Cloud provider firewall or firewall-equivalent controls have deny-all default policies and only enable appropriate network protocols for egress and ingress network traffic.
4.4 Vulnerability Management and Remediation
4.4.1 Vulnerability Management. Vulnerability mitigation is a part of every Confluent engineer’s responsibilities. Confluent maintains secure software development life cycle practices to protect and to address security vulnerabilities in the Cloud Service. Confluent’s security team continuously evaluates the impact of security advisories and vulnerabilities in commercial and open-source software based on Confluent-defined risk criteria, including applicability and severity.
4.4.2 Vulnerability Remediation. Confluent addresses vulnerabilities confirmed to impact the confidentiality, integrity, or availability of the Cloud Service in accordance with industry-standard SLAs, including using reasonable tracking mechanisms and risk management practices. Confluent will use commercially reasonable efforts to address security updates rated as “high” or “critical” within thirty (30) days of the patch release and “medium” within ninety (90) days of the patch release. To determine whether a security update is “critical”, “high” or “medium”, Confluent utilizes the National Vulnerability Database’s Common Vulnerability Scoring System (CVSS), or where applicable, the US-CERT rating.
4.5 Penetration Tests. Penetration tests by independent third parties are conducted at least annually. Detailed results from external penetration tests are not distributed or shared with anyone other than Confluent employees with a need to know; provided, however, redacted summaries are available per Section 9.1.
4.6 System Administration and Patch Management. For Confluent-managed systems that access Content, Confluent creates, implements, and maintains system administration procedures that meet or exceed industry standards, including without limitation, system hardening, system and device patching (operating system and applications), and proper installation of a threat detection solution with daily signature updates.
4.7 System Event Logging. Monitoring tools and services are used to monitor systems including network, server events, availability events, resource utilization, and other security events of interest. Confluent security events of interest are reviewed for malicious or inappropriate activity. Confluent infrastructure security event logs are collected in a central system and stored using appropriate security measures designed to prevent tampering. Logs are stored for at least twelve months.
5. Administrative Controls
5.1 Personnel Screening. To the extent permitted by applicable law, Confluent personnel undergo a background check as part of the hiring process. Such background checks include, at minimum, a criminal convictions check, a global sanctions check, education verification, and an identity check, all to the extent permitted by applicable law.
5.2 Security and Privacy Training. Confluent maintains a security and privacy awareness program for Confluent personnel, which provides initial education, ongoing awareness, and individual Confluent personnel acknowledgment of intent to comply with Confluent’s corporate security and privacy policies. All Confluent personnel are required to satisfactorily complete security and privacy training annually.
5.3 Access Review. Confluent personnel access to the systems and infrastructure that support the Cloud Service is reviewed quarterly. Access privileges of terminated Confluent personnel are disabled promptly. Access privileges of persons transferring to jobs requiring reduced privileges are adjusted accordingly.
5.4 Storage of Content. Confluent maintains a policy of not storing Content on local desktops, laptops, mobile devices, shared drives, or removable media, or on public-facing systems that do not fall under the administrative control or compliance monitoring processes of Confluent.
5.5 Reporting. All Confluent personnel acknowledge they are responsible for reporting actual or suspected concerns, thefts, breaches, losses, and unauthorized disclosures of or access to Message Content.
5.6 Risk Management. Confluent maintains a risk management program based on industry standards. Confluent conducts risk assessments of various scope throughout the year, including self and third-party assessments and tests, automated scans, and manual reviews. Results of assessments, including formal reports, as relevant, are reported to the head of the Confluent Security Committee (“Security Committee”). The Security Committee meets biannually to review reports, to identify control deficiencies and material changes in the threat environment, and to make recommendations for new or improved controls and threat mitigation strategies to executive management. Changes to controls and threat mitigation strategies are evaluated and prioritized for implementation on a risk-adjusted basis. Threats are monitored through various means, including threat intelligence services, vendor notifications, and trusted public sources.
5.7 Third-Party Risk Assessment. Confluent maintains and implements a third-party risk management assessment program (“TPRM”) for Subprocessors, as defined in the DPA. Confluent’s TPRM assesses these Subprocessors to appropriately measure and manage risk. Confluent has entered into written agreements with its Subprocessors containing privacy, data protection, and data security obligations that provide a level of protection appropriate to the processing activities provided by them. Compliance with such obligations is subject to regular reviews.
6. Physical and Environmental Controls
6.1 Cloud Service Provider Data Centers. As further described in the DPA and Documentation, the Cloud Service is hosted in AWS, GCP, Azure, and other public clouds. Therefore, all physical security controls are managed by the applicable public cloud provider. Annually, Confluent reviews the applicable security and compliance reports of the public cloud providers it uses to ensure appropriate physical security controls, including:
6.1.1 Visitor management including tracking and monitoring physical access;
6.1.2 Physical access points to server locations are managed by electronic access control devices;
6.1.3 Monitoring and alarm response procedures;
6.1.4 Use of CCTV cameras at facilities;
6.1.5 Video capturing devices in data centers with ninety days of image retention;
6.1.6 Environmental and power management controls; and
6.1.7 Removal and destruction of physical media including drives.
Information about security and privacy-related audits and certifications received by AWS, GCP, and Azure, including information on ISO 27001 and 27701 certifications and Service Organization Control (SOC) reports, is available as follows: for AWS, the AWS Security Website and the AWS Compliance Website; for GCP, the GCP Security Website and the GCP Compliance Website; and for Azure, the Azure Security Website and the Azure Compliance Website.
6.2 Confluent Corporate Offices. Confluent has implemented administrative, physical, and technical safeguards for Confluent-managed corporate offices. These include, but are not limited to, the following:
6.2.1 Physical access to Confluent-managed corporate offices is controlled at office ingress points;
6.2.2 Visitors are required to sign in and wear an identification badge;
6.2.3 Tagging and inventory of Confluent-issued laptops and network assets; and
6.2.4 Confluent corporate offices, including LAN and Wi-Fi networks in those offices, require successful authentication in addition to authentication to public cloud provider accounts for access.
7. Business Continuity and Disaster Recovery
7.1 Business Continuity and Disaster Recovery Plan. Confluent maintains a business continuity and disaster recovery plan (“BCDR Plan”) for the Cloud Service. The BCDR Plan is tested at least annually. Customer is responsible for ensuring that it implements a service level that corresponds with Customer’s business continuity and disaster recovery strategy. Each of the cloud platform providers, such as AWS, Azure, and GCP, offers inbuilt disaster recovery solutions, which Customer is responsible for employing as part of Customer’s disaster recovery strategy.
8. Notification of Security Breach and Response
8.1 Security Breach Notification. Confluent will notify Customer in writing without undue delay, but no later than seventy-two (72) hours, of confirmed accidental or unlawful destruction, loss, or alteration, or unauthorized disclosure of, or access to, Message Content as a result of a breach of Confluent’s security (“Security Breach”).
8.2 Communication and Cooperation. The Security Breach notification will summarize the known details of the Security Breach and the status of Confluent’s investigation. Where reasonably possible, Confluent will update Customer on the Security Breach with information regarding evaluation of the root cause, potential impact, remediation actions taken, and actions planned to prevent a future similar event.
8.3 Investigation and Mitigation. Confluent will take appropriate actions to contain, investigate, and mitigate any such Security Breach.
9. Shared Customer Responsibilities
9.1 Customer User Credentials. Customer controls access to the Cloud Service via unique user IDs and passwords (“User Credentials”) or an integration with Customer’s Identity Provider (“IDP”). Customer is responsible for managing and securing User Credential(s) within the Cloud Service and for protecting its own resources used to send Content to the Cloud Service. Customer will immediately notify Confluent if a User Credential has been compromised or if Customer suspects possible suspicious activities that could negatively impact the security of the Cloud Service or Customer’s account.
9.2 Encryption. Customer is responsible for appropriately using the Cloud Service to ensure a level of data protection commensurate with the sensitivity of the Message Content it uploads to the Cloud Service including, without limitation, an appropriate level of message-level encryption.
9.3 Retention of Message Content. Message Content is replicated by Confluent and retained for the retention periods that Customer specifies in the Cloud Service. Customers are expected to consume Message Content regularly and store Message Content in their data stores of choice for storage beyond the specified retention policy.
9.4 Backup of Message Content. Customer is responsible for managing a backup strategy regarding Message Content.